Important update — koobface, exploit domains

Posted on July 15th, 2010 in 0day,exploit,koobface,New Domains by dglosser

Sources include isc.sans.org, ddanchev.blogspot.com, x.maldb.com and blog.unmaskparasites.com. The list below was extracted as two columns run together; it is given here one domain per line, still defanged with a space before each dot:

abrie .in
agros .in
alldh .in
alodh .in
anrio .in
antsd .in
aoxtv .in
appsd .in
aquui .in
arrie .in
balsd .in
barui .in
bikey .in
bkpuo .in
bleui .in
brayx .in
broyx .in
bryhw .in
butui .in
butuo .in
butyx .in
cated .in
cedhw .in
chrie .in
chrio .in
cirui .in
clrio .in
cogoo .in
conuo .in
conyx .in
corie .in
curie .in
cusnv .in
czkey .in
degoo .in
dennv .in
dugoo .in
eagoo .in
eboyx .in
ecrio .in
ectuo .in
edbal .in
edban .in
ederc .in
ederm .in
edger .in
edimp .in
edois .in
elrio .in
enguo .in
eprio .in
eqrio .in
fakey .in
fibnv .in
foryx .in
franv .in
fraos .in
garie .in
glouo .in
guinv .in
habsd .in
hecuo .in
hekey .in
humos .in
hygos .in
hyrie .in
imbos .in
ionnv .in
jamsd .in
kykey .in
latuo .in
leunv .in
linuo .in
liuyx .in
makey .in
moosd .in
oserr .in
osmac .in
ospor .in
ossce .in
ossio .in
ostab .in
ostac .in
ostio .in
ostom .in
ouned .in
purnv .in
pxdmx .in
ragew .in
rekey .in
saled .in
sated .in
scoos .in
sdali .in
sdall .in
sdayb .in
sdaye .in
sdayo .in
sdene .in
sdich .in
sdome .in
seedw .in
smoed .in
soted .in
spios .in
spkey .in
sunyx .in
sydos .in
teaed .in
thynv .in
ugiyx .in
uinei .in
uinge .in
uiren .in
uirin .in
uisap .in
uisee .in
uisma .in
uitem .in
uithi .in
uityp .in
uityr .in
varyx .in
veged .in
wakey .in
whasd .in
wimed .in
woonv .in
yokey .in
yxial .in
yxiam .in
allxt .com
stteop .in
coparli .com
gutyeaz .com
hitinto .com
pantscow .ru
bizenable .com
dyayxsgsv .net
ktkelzrwqgq .com
s3xme1fucan .com
myantivirsplus .org
my-antivirsplus .org
rooty .crabdance .com
my-protectonline .org
sysprotectonline .org
my-antivirus-plus .org
my-protect-online .org
sys-protectonline .org
fastscanner-online .org
ilio01ili1 .com
sandra .prichaonica .com

urgent block: imagehut4 .cn, allxt .com, hitinto .com, 173. 204. 119 . 122

Posted on July 15th, 2010 in 0day,exploit,New Domains by dglosser

From SANS ISC:

We have received some information from one of our readers that the zip file that he received contained a multiple exploit-kit downloader. He indicated that there are over 120,000 successful downloads of the exe file. They have discovered that IP address 173. 204. 119 . 122 is where the file appears to be hosted and is being updated with new binaries consistently. The downloader appears to grab a few files with random file names and has been observed connecting to imagehut4 .cn, allxt .com, hitinto .com. … all files appear to run fully under Windows VMware and are resistant to detection by many of the common threat programs.

These domains will be added in the next update, but you shouldn't wait.
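Anyone who does not want to wait for the feed update has to turn the defanged names and IP above into something a resolver or proxy can enforce. The script below is an added example, not part of this post or of the malwaredomains feed tooling: it refangs indicators written in the post's style (a space before each dot, and "173. 204. 119 . 122" for the IP), validates them as hostnames/IPv4, emits hosts-file and BIND response-policy-zone (RPZ) records that also cover subdomains and the hosting IP, and checks BIND-style query-log lines against the list. `SAMPLE_POST` is a short constructed excerpt of the list (not the full feed) and `SAMPLE_QUERY_LOG` is constructed, not real traffic; only feed the domain list itself through `extract_indicators`, not the "sources include" line, or the source sites would end up in the blocklist.

```python
import ipaddress
import re

# Constructed excerpt of the post's list, copied in its defanged form (a space
# before each dot); a sample for this example, not the complete feed.
SAMPLE_POST = """\
abrie .in oserr .in
imbos .in my-antivirsplus .org
ionnv .in rooty .crabdance .com
makey .in ilio01ili1 .com
urgent block: imagehut4 .cn, allxt .com, hitinto .com, 173. 204. 119 . 122
"""

# Defanged tokens: labels joined by a dot that may carry whitespace on either
# side.  Two names on one line are separated by whitespace with no dot, so a
# match never bridges them.
_DEFANGED_IPV4 = re.compile(r"\b\d{1,3}(?:\s*\.\s*\d{1,3}){3}\b")
_DEFANGED_NAME = re.compile(r"\b[a-z0-9][a-z0-9-]*(?:\s*\.\s*[a-z0-9][a-z0-9-]*)+\b", re.I)
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def refang(token: str) -> str:
    """Collapse 'rooty .crabdance .com' or '173. 204. 119 . 122' to a real name/IP."""
    return re.sub(r"\s*\.\s*", ".", token.strip()).lower()


def extract_indicators(text: str) -> tuple[set[str], set[str]]:
    """Return (domains, ipv4s) found in defanged post text, validated and deduplicated."""
    ips: set[str] = set()
    for m in _DEFANGED_IPV4.finditer(text):
        try:
            ips.add(str(ipaddress.IPv4Address(refang(m.group(0)))))
        except ValueError:
            continue  # dotted digits that are not a valid IPv4 address
    # Blank the IPs out so the name regex cannot reinterpret dotted digits.
    stripped = _DEFANGED_IPV4.sub(" ", text)
    domains: set[str] = set()
    for m in _DEFANGED_NAME.finditer(stripped):
        name = refang(m.group(0))
        labels = name.split(".")
        if len(name) > 253 or not all(_LABEL.match(lbl) for lbl in labels):
            continue
        if not labels[-1].isalpha():  # TLD must be alphabetic: rejects numeric fragments
            continue
        domains.add(name)
    return domains, ips


def hosts_lines(domains: set[str]) -> list[str]:
    """Hosts-file sinkhole entries (0.0.0.0 so no local service answers the name)."""
    return [f"0.0.0.0 {d}" for d in sorted(domains)]


def rpz_lines(domains: set[str], ips: set[str]) -> list[str]:
    """BIND RPZ records: NXDOMAIN for each name and its subdomains, plus an
    rpz-ip trigger (prefix length, then reversed octets) for the hosting IP."""
    out = []
    for d in sorted(domains):
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    for ip in sorted(ips, key=ipaddress.IPv4Address):
        rev = ".".join(reversed(ip.split(".")))
        out.append(f"32.{rev}.rpz-ip CNAME .")
    return out


_QUERY = re.compile(r"query: (\S+) IN ")


def is_blocked(qname: str, domains: set[str]) -> bool:
    """True if qname equals a listed domain or is a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def hits_in_query_log(lines: list[str], domains: set[str]) -> list[str]:
    """Queried names from BIND-style query-log lines that hit the blocklist."""
    hits = []
    for line in lines:
        m = _QUERY.search(line)
        if m and is_blocked(m.group(1), domains):
            hits.append(m.group(1).rstrip(".").lower())
    return hits


# Constructed BIND query-log lines for the example (not real traffic).
SAMPLE_QUERY_LOG = [
    "15-Jul-2010 10:22:31.123 client 10.0.0.5#53211: query: www.allxt.com IN A + (10.0.0.1)",
    "15-Jul-2010 10:22:32.004 client 10.0.0.7#40120: query: example.org IN A + (10.0.0.1)",
    "15-Jul-2010 10:22:35.771 client 10.0.0.9#51999: query: rooty.crabdance.com IN A + (10.0.0.1)",
    "15-Jul-2010 10:22:36.012 client 10.0.0.9#51999: query: notallxt.com IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    doms, ips = extract_indicators(SAMPLE_POST)
    print("\n".join(rpz_lines(doms, ips)))
    print("hits:", hits_in_query_log(SAMPLE_QUERY_LOG, doms))
```

The subdomain check is deliberate: a wildcard RPZ record and the `endswith("." + d)` test both catch `www.allxt.com` without matching the unrelated `notallxt.com`. Treat the resulting hits as triage leads (which client asked, and when), not as proof of infection on their own.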