Feed

spyware, malware, botnet domains

Posted on March 1st, 2009 in Domain News, New Domains, rogue antivirus by dglosser

Domains associated with spyware, botnets, and malware. Sources include blackip.ustc.edu.cn, bharath-m-narayan.blogspot.com, www.malwaredomainlist.com, and others:


Note: We’ve received reports that users of Microsoft DNS have had problems loading up the BOOT file due to comments within the file. Please let us know if you are using the Microsoft DNS version and whether you have this problem.


New Asprox, zlob, Storm Worm Domains to block

Posted on July 6th, 2008 in iframes, New Domains, sql injection, Storm Worm, zlob by dglosser

New domains associated with Asprox, Zlob, and the Storm Worm.
Many are being used in the latest SQL injection attacks that plant IFrames on compromised sites:


Sources: infosec20.blogspot.com, blog.scansafe.com, sudosecure.net, and others. Check the latest updates file for the original reference.

Help fight spyware: Join the Spyware Listening Post!

domains.txt file is the complete list along with original reference

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND format
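The posts above publish domains in a defanged notation (a space, a double dot, or "(dot)" before each label, two domains per line), while the spywaredomains.zones file is consumed by BIND. The following is an added example, not the project's own tooling: it normalises that notation, drops anything that is not a valid hostname, and emits BIND sinkhole zone statements; the hosts file path is a placeholder and the sample lines are constructed.

```python
import re
from typing import Iterable, Iterator

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def refang_line(line: str) -> Iterator[str]:
    """Yield the domains written on one line of a post.
    Handles "example .com", "example..com" and "example (dot) com"."""
    current, glue = "", False
    for tok in line.replace("..", ".").split():
        if tok.startswith("."):        # " .com" continues the current name
            current += tok
        elif tok == "(dot)":          # "(dot)" is a separator; the next token continues it
            current += "."
            glue = True
        elif glue:
            current += tok
            glue = False
        else:                         # any other token starts a new domain
            if current:
                yield current
            current = tok
    if current:
        yield current


def is_hostname(name: str) -> bool:
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def build_zones(lines: Iterable[str], hosts_file: str = "/path/to/blockeddomain.hosts") -> list[str]:
    """Deduplicated BIND zone statements; malformed tokens are dropped, not loaded."""
    seen: set[str] = set()
    out: list[str] = []
    for line in lines:
        for raw in refang_line(line):
            name = raw.strip(".").lower()
            if name in seen or not is_hostname(name):
                continue
            seen.add(name)
            out.append(f'zone "{name}" {{ type master; file "{hosts_file}"; }};')
    return out


# Constructed sample lines in the three notations the posts use (not the real lists).
SAMPLE = [
    "evil-a .example banner .example",
    "amrc..example..test",
    "522love (dot) example mec.ander (dot) example",
    "bad_label .example evil-a .example",   # invalid label, then a duplicate
]
```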

Important – new domains to immediately block

Posted on April 11th, 2008 in fake codecs, rogue antivirus, Storm Worm by dglosser

Important domains to consider filtering or blocking immediately. These include Bobax trojan domains, Zlob trojan domains, new Storm Worm domains with active exploits, domains used in in-the-wild exploit attempts targeting a GDI vulnerability patched by Microsoft on April 8, 2008, and more. As noted earlier, some dynamic DNS domains were reluctantly added out of an abundance of caution because of the recent large increase in Kraken domains. Remove them if you wish.



Kraken Domains

Posted on April 8th, 2008 in Domain News by dglosser

“The interesting thing about Kraken is that the botnet has built-in redundancy features that automatically generate new domain names if a C&C server gets shut down or becomes disabled.” (Source: DarkReading)

Some Kraken domains from ThreatExpert:


yi.org and mooo.com are already included in the dns-bh list due to the large number of their subdomains involved with malware.

Dyndns and dynserv will be added in the next update until more information about Kraken is published.

Kraken domains

Posted on April 7th, 2008 in Domain News by dglosser

Is Kraken bigger and scarier than Storm, infiltrating more than fifty Fortune 500 companies and containing over 400,000 compromised hosts? Or is it an established botnet that was discovered last year?

No matter what, it seems to be using about 100 hostnames from the dynamic DNS services dyndns and yi.org.

No word yet on the exact hostnames. If your corporate policy allows, you should consider blocking these (and other) dynamic DNS services for which your users have no business reason to reach.

DNS-BH Update: Malicious Phishing Domains and More

Posted on February 26th, 2008 in New Domains, Phishing by dglosser

Added 65 new domains: phishing/botnet domains from Dancho Danchev’s blog as well as malware domains caught in the Emerging Threats honeypot:



Presidents Day BH-DNS Blocklist Additions

Posted on February 18th, 2008 in New Domains by dglosser

From miscellaneous sources:



Malware Blocking DNS-BH Update 01/13

Posted on January 13th, 2008 in fake codecs, New Domains, Removed Domains, rogue antivirus by dglosser

Removed hopto.org. You may wish to add it yourself, since there have been several instances of malware utilizing dynamic DNS services.

Added several rogue antivirus domains as well as bot domains:

3xmaster.com spyshredderscanner.com
racrew.us malwarealarms.com
sajin88.com winerrorfixer.com


New Storm-Botnet Attack

Posted on December 24th, 2007 in New Domains by dglosser

The Internet Storm Center reports that the Storm Botnet was sending out another wave of attempts to enlist new members by directing victims to merrychristmasdude.com.

Add it to blocklists immediately. Since this botnet is hosted on a fast-flux network of at least 1000 nodes, it’s impossible to block by IP address.

DNS-Blackhole blocklist has been updated.