Feed

Urgent Block: BlackHole Exploit Kit redret Spam Domains

Posted on December 6th, 2011 in 0day, Domain News, malspam by dglosser

From the Internet Storm Center, please block the following domains:

  • czredret . ru
  • curedret . ru
  • ctredret . ru
  • crredret . ru
  • bzredret . ru
  • byredret . ru
  • bxredret . ru
  • bwredret . ru
  • bvredret . ru
  • bsredret . ru
  • bpredret . ru
  • boredret . ru
  • blredret . ru
  • bkredret . ru
  • biredret . ru
  • bhredret . ru
  • bgredret . ru
  • bfredret . ru
  • beredret . ru
  • bdredret . ru
  • bcredret . ru
  • bbredret . ru
  • aredret . ru
  • apredret . ru
  • amredret . ru
  • alredret . ru
  • akredret . ru
  • ajredret . ru
  • airedret . ru
  • ahredret . ru
  • agredret . ru
  • afredret . ru
  • aeredret . ru
  • adredret . ru
  • acredret . ru
  • abredret . ru
  • aaredret . ru

and be on the lookout for more domains containing the string “redret” (hmm, I wonder if AdBlock or MyWOT can handle regex...).

The IP addresses to block are listed in the ISC article as well. Also see this related article. They will be added to our list here, but you shouldn’t wait for that.
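The post gives a defanged list (dots written as " . ") and asks readers to watch for any further names containing “redret”. As an added example (not code from malwaredomains.com or the ISC diary), here is a small POSIX shell script that does both: it turns the defanged list into hosts-file block lines, and it scans a classic BIND query log for lookups of any name containing “redret”, printing each unique client/domain pair. The sample list entries and log lines are constructed for the demo; the 0.0.0.0 sink address and the function names are this example’s own choices.

```shell
#!/bin/sh
# Added example for the "redret" post; not code from malwaredomains.com.
# hosts_from_defanged: read the defanged list on stdin and print
# "0.0.0.0 <domain>" lines ready for a hosts file. Strips the leading bullet,
# the spaces around dots and any stray trailing comma. 0.0.0.0 as the sink
# address is this example's choice; use your sinkhole address if you have one.
hosts_from_defanged() {
    awk '{
        gsub(/[^a-zA-Z0-9.-]/, "")          # drop bullet, spaces, trailing comma
        if ($0 ~ /\./) print "0.0.0.0 " tolower($0)
    }'
}

# redret_hits: read BIND-style query log lines on stdin
# ("... client IP#PORT: query: NAME IN TYPE ...") and print "client domain"
# once per unique pair where NAME contains "redret" (case-insensitive), which
# is exactly the substring the post says to watch for.
redret_hits() {
    awk '{
        line = tolower($0)
        if (match(line, /client [0-9.]+#[0-9]+: query: [a-z0-9.-]*redret[a-z0-9.-]* /)) {
            split(substr(line, RSTART, RLENGTH), f, " ")
            client = f[2]; sub(/#.*/, "", client)   # strip "#port:"
            print client, f[4]
        }
    }' | sort -u
}

# Constructed sample input (not real traffic): two entries copied in the
# post's defanged style, and four query-log lines in BIND's querylog format.
DEFANGED_SAMPLE='  • czredret . ru
  • bfredret . ru,'
SAMPLE_LOG='06-Dec-2011 10:15:02.123 client 192.0.2.10#51423: query: czredret.ru IN A + (10.0.0.1)
06-Dec-2011 10:15:03.456 client 192.0.2.11#40211: query: www.example.com IN A + (10.0.0.1)
06-Dec-2011 10:15:04.789 client 192.0.2.25#53001: query: ZZREDRET.RU IN A + (10.0.0.1)
06-Dec-2011 10:15:05.001 client 192.0.2.10#51424: query: czredret.ru IN AAAA + (10.0.0.1)'

echo "# hosts entries from the defanged list:"
printf '%s\n' "$DEFANGED_SAMPLE" | hosts_from_defanged
echo "# clients that looked up a redret domain:"
printf '%s\n' "$SAMPLE_LOG" | redret_hits
```

In practice you would feed `hosts_from_defanged` the full list above and `redret_hits` your resolver’s query log (`redret_hits < /var/log/named/query.log`). The substring match is deliberately loose, as the post suggests, so expect to eyeball the output before blocking anything it turns up that is not on the published list.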

Immortal Domains

Posted on November 14th, 2011 in Domain News, immortal, New Domains by dglosser

We just finished recertification of 237 long-lived, “immortal” malware domains.

These are domains which continue to actively serve malware for months if not years.
Some of these domains have been active here for more than two years.

Of those 237 domains, 34, or less than 15%, were removed.

That means that over 85% of these long-lived domains are truly “bulletproof”: they have remained actively malicious for months, and some of them for over two years.

The list of those few removed domains is here: removed-domains-20111112.txt

List of these “immortals”  is here: immortal_domains.txt

Dynamic DNS

Posted on November 4th, 2011 in Domain News, dynamic dns by dglosser

We’ve updated our list of Dynamic DNS Providers. This is for information purposes only and is not part of our blocklists.

The list is here or here.

Clarifications, updates, corrections appreciated as always

List Recert: 653 Domains Removed

Posted on November 1st, 2011 in Domain News by dglosser

Of the 740 domains which were re-certified, 653 domains have been removed.

88 of those domains, all originally listed over six months ago, were STILL actively associated with malware.

These domains were added to our list of long-lived, “immortal” malware domains.

List of removed domains is available here:

http://mirror1.malwaredomains.com/files/removed-domains-20111031.txt

List of “immortal domains” here.


Also, a clarification: permission is granted if you wish to use these lists for INTERNAL use only at your organization or company.

Please use the “datestamp” and “timestamp” file to determine if the list has been updated and ONLY pull the files you need. – abusers will be banned!

We also have a mirror with compressed files dedicated for academic research, people who contribute and support malwaredomains,  other non-profit activities.  Please contact us for details.


Bulk Registrars, URL Shorteners, Dynamic DNS Providers

Posted on October 27th, 2011 in Domain News by dglosser

We’ve been maintaining lists of Bulk Registrars, Dynamic DNS Providers, and URL Shorteners:

http://www.malwaredomains.com/wordpress/?p=1991

We just added a new list of “unverified” URL Shorteners here: url_shorteners-unverified.txt

We’ll be going through the URLs and adding them to the main list once they have been verified. If anyone wishes to help in this effort, please let us know :)

Malware Defense

Posted on October 18th, 2011 in Domain News by dglosser

Nice mention of this list as part of the Internet Storm Center’s Critical Controls #12  – Malware Defense.

DNS Sinkhole Parser Script Update

Posted on October 16th, 2011 in Domain News by dglosser


For those using Guy Bruneau’s DNS Sinkhole ISO, there’s a new sinkhole parser script available.

The new script includes new lists which were not part of the original.

More information:
http://isc.sans.org/diary/DNS+Sinkhole+Parser+Script+Update/11818

http://www.whitehats.ca/main/index.html

Compressed Files for Downloads

Posted on September 24th, 2011 in Domain News by dglosser

A few people have mentioned that we should consider compressing the files on our servers and having the end-user uncompress them.

If you are willing to test this, please contact us and we’ll point you to a dedicated server.  The files will be in zip format. Thanks.

New Mirror: mirror2.malwaredomains.com

Posted on September 22nd, 2011 in Domain News by dglosser

The fine folks at it-mate.co.uk have set up a new mirror for us.

mirror2.malwaredomains.com

Please test. Also, please remember to use the datestamp or timestamp files to check  if there’s a new file BEFORE downloading any other files.

Here is a shell script someone has written to do just that: update-blackhole.sh. Please test it, improve upon it, etc.

We are also discussing internally options like bittorrent, jigdo, serving info via DNS, serving only the updates,  compressing the files via gzip or bz2, etc.

We are truly appreciative and humbled by the support we’ve received. (Except for the one site which was using our files as part of a “speed test” – no thanks for you) …

Download Abuse

Posted on September 21st, 2011 in Domain News by dglosser

How can a single IP address download 100 MB in a 24 hour period??

How come we have dozens of IP addresses doing this??

These ip addresses have been blocked.

The files datestamp and timestamp are updated whenever a new file is loaded. Please use them.

Again, p-l-e-a-s-e limit your downloads to once every 12 hours or your ip address will be banned.
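Both the mirror post and this one ask the same thing: fetch the tiny datestamp file first and only pull the big lists when it has changed. As an added example (not the update-blackhole.sh script linked above, and not code from malwaredomains.com), here is a minimal POSIX shell updater that does that. The `datestamp` file name and the `/files/` path come from the posts; the mirror base URL, the cache directory and the list file name `domains.txt` are placeholders to adjust, and the function names are the example’s own.

```shell
#!/bin/sh
# Added example; not the update-blackhole.sh script and not malwaredomains.com code.
# Placeholders (assumptions, adjust to your setup): mirror base URL, cache
# directory and the list file name. "datestamp" is the file the posts ask
# everyone to check before downloading anything else.
MIRROR="${MIRROR:-http://mirror2.malwaredomains.com/files}"
CACHE="${CACHE:-/var/cache/malwaredomains}"
LIST="${LIST:-domains.txt}"

# stamp_changed CACHED_FILE NEW_VALUE
# Exit 0 when NEW_VALUE differs from the value saved in CACHED_FILE (or when
# nothing has been saved yet), 1 when it is unchanged. Pure comparison, no
# network, so it can be tested on its own.
stamp_changed() {
    cached_file=$1
    new_value=$2
    [ -f "$cached_file" ] || return 0
    [ "$(cat "$cached_file")" != "$new_value" ]
}

# sync_list: fetch the datestamp, and download the list only if it changed.
# The new datestamp is saved only after the list download succeeded, so a
# failed or interrupted download is retried on the next run instead of being
# silently skipped for a day.
sync_list() {
    mkdir -p "$CACHE"
    new_stamp=$(curl -fsS "$MIRROR/datestamp") || {
        echo "datestamp fetch failed; not downloading" >&2
        return 1
    }
    if stamp_changed "$CACHE/datestamp" "$new_stamp"; then
        curl -fsS -o "$CACHE/$LIST.tmp" "$MIRROR/$LIST" \
            && mv "$CACHE/$LIST.tmp" "$CACHE/$LIST" \
            && printf '%s\n' "$new_stamp" > "$CACHE/datestamp" \
            && echo "updated $LIST (datestamp $new_stamp)"
    else
        echo "datestamp $new_stamp unchanged; skipping download"
    fi
}

# Only hit the network when invoked as "sh update.sh run", so sourcing the
# file for its functions stays offline.
if [ "${1:-}" = run ]; then
    sync_list
fi
```

Run it from cron no more often than every 12 hours, which is the limit the post sets; with the datestamp check in front, most of those runs transfer a few bytes rather than the whole list. The temp-file-then-`mv` step keeps a half-downloaded file from ever replacing the one your resolver or firewall is reading.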