DNS-BH – Malware Domain Blocklist

New domains associated with asprox, zlob, and Storm Worm.
Many are being used in the latest SQL IFrame injection attacks:

1ive .net	musiconelove .com
asp63 .com	nationwide2u .cn
bestlovelyric .com	makeloveforever .com
canclvr .com	shelovehimtoo .com
cnzuma .cn	spywareonlinescanner .com
cont67 .com	lovekingonline .com
form43 .com	superlovelyric .com
foursn .cn	testwvr .com
gonelovelife .com	theplaylove .com
greatadore .com	ucomddv .com
knowholove .com	makingadore .com
ktrcom .com	makingloveworld .com
likethisone1 .com	user1 .zhong262 .cn
lokriet .com	wantcherish .com
stiwdd .com	whoisknowlove .com
upcomd .com	wholovedirect .com
portwbr .com	wholoveguide .com
loveoursite .com	loveisknowlege .com
mainbvd .com	lovemarkonline .com
urs .axa-axa .cn

Sources: infosec20.blogspot.com, blog.scansafe.com, sudosecure.net, and others. Check the latest updates file for the original reference.

Help fight spyware: Join the Spyware Listening Post!

domains.txt file is the complete list along with original reference

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND format

Important domains to consider filtering or blocking immediately. These domains include Bobax trojan domains, zlob trojans, new storm worm domains with active exploits, in-the-wild exploit attempts  targeting a GDI vulnerability patched by Microsoft on April 8, 2008  and more. As noted earlier, some dynamic dns domains were reluctantly added due to an abundance of caution, due to the recent large increase in kraken domains. Remove them if you wish.

3traff..com	kowaru..cn
7traff..com	limpodrift..cn
xhost..ro	loveinlive..cn
amrc..com..tw	mega911..com
mmcodecs..com	ad..goog1e..googlepages..com
biggetonething..cn	newoneforyou..cn
dns4biz..org	no-ip..info
fireoniraw..com	orthelike..com
Flwsolution..com	radioks..net
gasperoblue..cn	stat-diagnostic-imaging..net
giftapplys..cn	supersameas..com
gribontruck..cn	Swfinstrument..com
igloofamily..com	thingforyoutoo..cn
kingmaxone..com	waytotheprofit..com
koplemetation..net	antispywaremaster..com

Help fight spyware: Join the Spyware Listening Post!

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND Server format
domains.txt file is the complete list along with original reference

The interesting thing about Kraken is that the botnet has built-in redundancy features that automatically generate new domain names if a C&C server gets shut down or becomes disabled. ” (Source: DarkReading)

Some Kraken domains from ThreatExpert:

dyndns.org:	dynserv.com:	mooo.com:	yi.org:
adrcgmzrm	anrgxq	cmviueadnal	bpdyttrlp
atgoycu	aqtxloupefy	csukibyyt	cdggua
bylkpy	bodrxb	dauhiasf	dstgrg
ckwklamspio	cazrsihs	dcdkfq	dvbutsrzrgw
dkbjzbq	cbcmbxvbsrh	evudfvve	gdrlhg
ebbnzqx	cfcsndquwjc	ftytgfehixd	gviailawmc
fvecgexi	cqdzsbdy	fxmbsrue	gwyziux
iskqszufrft	cwrrdxye	iwstwvw	hrhfevkmkun
jnetgzttxsk	ddrqyggw	kbblmkbe	hzmwxlmu
lfiavsbyntu	dljemwae	krjkfnsqsh	iqwifsunu
lmfbjndkqd	ebksscgdcc	ovsddwubkz	itifvo
mszbnhwzhvv	eihasibowm	oycruzxouli	klofmvcx
nckndnu	eoiovsv	qfrgvbmowr	muodaclf
nmuzqnexl	gqybspk	quowesuqbbb	ngbmfsbuql
novbsmekge	gvgqpueeq	rjxnpjf	njjiwilpnt
qtexhg	koaqnn	rzdpmgfwoh	pcajqcaof
srusvher	pspypf	sfsocnwdnw	qpyosxkmcc
szbagncpev	rcruohsseib	smgojbhuyw	qwzsprieo
tkmhpnthfsz	tkoappwny	tjetqly	tqrvhfsdlup
vsdzee	uaqjtycx	videfgkn	udtwirqzhdm
xnzkdos	urgfiluop	xyqpaw	wyudom
xzpknuvovk	vcpcnqi	ycjesqgj	xlfstaxlrui
ycofnn	vtdddxys	ykrzcragnnu	zssdxcq
zkfxpvc	vvjfsoj	znkhrtojwx	zvfctvkdng
zsakypru	yivdetzgvs	zxglzfhu	zxkcat
		zztsqfzsbdb

yi.org and mooo.com are already included in the dns-bh list due to large number of subdomains involved with malware.

Dyndns and dynserv will be added in the next update until more information about Kraken is published.

Is Kraken is bigger and scarier than Storm, infiltrating more than fifty fortune-500 companies, containing over 400,000 compromised hosts? Or is it an established botnet which is was discovered last year?

No matter what, it seems to be using about 100 hostnames from dynamic dns services from dyndns and yi.org.

No word yet on the exact hostnames. If your corporate policy allows, you should consider blocking these (and other) dynamic dns services which do not have a business reason for your users to get to

Added 65 new domains, phishing/botnet domains from Dancho Danchev’s blog as well as malware caught in the Emerging Threats Honeypot:

522love (dot) cn	7abeeb (dot) net
88huang (dot) cn	969222 (dot) com
alimama (dot) com	arab-hacker (dot) org
asp29 (dot) com	asp63 (dot) net
aspx77 (dot) in	aspx83 (dot) in
aspx94 (dot) in	bank45 (dot) us
bao01 (dot) com	boa23 (dot) com
boomlance (dot) com	buyaoni (dot) com
ccpoweri (dot) com	cfm83 (dot) net
com94 (dot) net	discount-pharmacy-online-e (dot) com
h3ll (dot) org	herekittykittykitty (dot) info
hexun (dot) com	housechat (dot) org
icpcn (dot) com	imergeyou (dot) com
info23 (dot) in	ireckless (dot) com
lovemmll (dot) cn	mainfeedhere (dot) com
me2grovana (dot) info	mecander.ccddeeffgghh (dot) com
meusarkivosjonas.kit (dot) net	meza69 (dot) com
minhascoisas2oo8.kit (dot) net	mircogrov2pay (dot) info
monalisa2008.kit (dot) net	moscow-students (dot) ru
motor.rwi (dot) pl	msfds (dot) com
mufangjie.oicp (dot) net	mvl0an7 (dot) com
mynaagencies (dot) com	nagitiriheiwu (dot) net
naizi68 (dot) com	net18 (dot) in
net73 (dot) net	net94 (dot) us
pid83 (dot) net	ref34 (dot) us
sec26 (dot) net	sec94 (dot) in
setx (dot) info	sid45 (dot) com
site17 (dot) in	site37 (dot) in
ssd47 (dot) com	ssl18 (dot) net
ssl19 (dot) com	ssl62 (dot) net
web42 (dot) in	web59 (dot) net
web636 (dot) com	www84 (dot) in

Help fight spyware: Join the Spyware Listening Post!

domains.txt file is the complete list along with original reference

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND format

From Misc Sources:

032439 (dot) com	11990 (dot) com
40ch (dot) com	ads555 (dot) com
blockdelete (dot) com	deluxnote (dot) com
flyvideonetwork (dot) com	free-games-online (dot) com
msnliststatus (dot) com	pay-per-traff (dot) in
shredder-scanner (dot) com	toneandpulse (dot) com
vertuslkj (dot) com	zzgzs (dot) cn
yutunrz (dot) 1dumb (dot) com

Help fight spyware: Join the Spyware Listening Post!

domains.txt file is the complete list along with original reference

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND format

Removed hopto.org. You may wish to add it yourself since there have been several instances of malware utilizing on dynamic DNS services

Added several rogue antivirus as well as bots:

3xmaster.com	spyshredderscanner.com
racrew.us	malwarealarms.com
sajin88.com	winerrorfixer.com

Help fight spyware: Join the Spyware Listening Post!

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND Server format
domains.txt file is the complete list along with original reference

The Internet Storm Center reports that the Storm Botnet was sending out another wave of attempts to enlist new members by directing victims to merrychristmasdude.com.

Add to blocklists immediately. Since this Botnet is hosted on a fast-flux network of at least 1000 nodes, it’s impossible to block by ip address.

DNS-Blackhole blocklist has been updated.