
Malware Domain Blocklist updated...


437 replies to this topic

#151 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 18 June 2012 - 05:17 AM

FYI...

zeroaccess, malspam, blackhole exploit domains
- http://www.malwaredo...rdpress/?p=2735
June 17th, 2012 - "Added domains associated with bh exploits, malicious spam, zeroaccess and other trojans. Sources include labs.sucuri.net, hosts-file.net, blog.dynamoo.com..."

:ph34r: :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#152 AplusWebMaster


Posted 25 June 2012 - 06:40 PM

FYI...

runforestrun, iceix, rogues, malvertising, malspam domains...
- http://www.malwaredo...rdpress/?p=2749
June 25th, 2012 - "Two recent updates, adding over 230 domains associated with RunForestRun, IceIX, Malicious Spam, Malicious Advertising, etc. Sources include malwaredomainlist.com, isc.sans.org, hosts-file.net and many more..."

:ph34r:



#153 AplusWebMaster


Posted 27 June 2012 - 08:03 AM

FYI...

Runforestrun update
- http://www.malwaredo...rdpress/?p=2758
June 26th, 2012 - "Old versions of Plesk store passwords in clear text
-> http://blog.unmaskpa...in-plesk-panel/
There is a remote SQL vulnerability that has been found in old versions of Plesk allowing attackers to exploit those passwords.
-> http://kb.parallels.com/en/113321
Combine these two together and what do you get, malware of course.
Plesk Vulnerability Leading to Malware
>> http://blog.sucuri.n...to-malware.html
Runforestrun and Pseudo Random Domains
- http://blog.unmaskpa...random-domains/
Run, Forest! (Update) – block 95.211.27.206
- https://isc.sans.edu...t Update /13561
We’ve added a bunch of these domains but you should check the resources above, as well as new IP addresses to block."

:ph34r: :ph34r:



#154 AplusWebMaster


Posted 28 June 2012 - 09:36 PM

FYI...

BH Exploit Kit, Run Forest Run, Fareit domains
- http://www.malwaredo...rdpress/?p=2760
June 28th, 2012 - "A small but important update with some Fareit, run forest run, bh exploit kit domains. Sources include blog.eset.com, microsoft.com, blog.urlvoid.com and others..."

:ph34r:



#155 AplusWebMaster


Posted 05 July 2012 - 07:11 AM

FYI...

iframes, Pontoeb, scam domains
- http://www.malwaredo...rdpress/?p=2771
July 4th, 2012 - "Added over 100 domains associated with Pontoeb, scams, malicious iframes, etc. Sources: spamhaus.org, vxvault.siri-urz.net, sucuri.net and others..."

:ph34r: :ph34r:



#156 AplusWebMaster


Posted 10 July 2012 - 07:22 AM

FYI...

246 malicious domains added...
- http://www.malwaredo...rdpress/?p=2783
July 10th, 2012 - "A very large update consisting of 246 domains associated with malvertising, iframes, black hole exploits, etc. Sources include malwaredomainlist.com, sucuri.net, dynamoo.com..."

:ph34r: :ph34r:



#157 AplusWebMaster


Posted 13 July 2012 - 08:42 PM

FYI...

RunForestRun, malspam, malvertising Domains
- http://www.malwaredo...rdpress/?p=2788
July 12th, 2012 - "Added 150 domains (runforestrun, malspam, malvertising)."

:ph34r:



#158 AplusWebMaster


Posted 16 July 2012 - 07:20 PM

FYI...

Relisted Domains ...
- http://www.malwaredo...rdpress/?p=2791
July 16th, 2012 - "Just went through a bunch of older domains and relisted almost 50 of them. Or do the bad guys wait and “lay low” with their domain until “the coast is clear” and once google safebrowsing delists them, they once again use the domain to serve up malware (Whack-a-Mole)? Do they have google APIs and check daily to see if their domain is delisted?... It’s like fast-flux except the time frame is months instead of minutes."

:( :ph34r: <_<



#159 AplusWebMaster


Posted 23 July 2012 - 09:48 PM

FYI...

DNS-BH Updates: 7.19 and 7.21
- http://www.malwaredo...rdpress/?p=2794
July 22nd, 2012 - "Been remiss about mentioning updates on 7.19 and 7.21. Please update your blocklists/sinkhole..."

:ph34r: :ph34r:



#160 AplusWebMaster


Posted 24 July 2012 - 04:17 PM

FYI...

IntelliDownload (stopmalvertising.com)
- http://www.malwaredo...rdpress/?p=2797
July 23rd, 2012 - "... article about IntelliDownload*...
* http://stopmalvertis...t-browsing.html
Jul 20, 2012 - "... it doesn’t disclose that it will hijack advertisements on several major websites and replace them with ads from oadsrv .com, scrape your Facebook data, spy on your browser session and report every move you make on the web back to chango .com ..."

Please study the domains listed in the article and take appropriate action (the domains have -not- yet been added to this blocklist)."

:ph34r: :ph34r: <_<



#161 AplusWebMaster


Posted 26 July 2012 - 06:30 AM

FYI...

Java Exploit domains, trojans, rogues
- http://www.malwaredo...rdpress/?p=2800
July 25th, 2012 - "A small but important update containing domains associated with Java exploits, rogue antivirus, trojans, and other malicious domains you don’t want visiting your computer or network. Sources include mwis.ru, malwaredomainlist.com, and urlquery.net..."
___

- https://blogs.techne...Redirected=true
25 Jul 2012 - "The last few months we have seen a drastic increase in Java-based malware abusing the CVE-2012-0507* AtomicReferenceArray type-confusion vulnerability. In addition to that, a few weeks ago, a new Java vulnerability was found (CVE-2012-1723)**; it is also a type-confusion vulnerability. The attack abusing this new vulnerability is also very active... The most effective measure against these vulnerabilities is -updating- your Java installation. To check the version of JRE your browser is running, visit the following link:
http://www.java.com/...d/installed.jsp ..."

* http://web.nvd.nist....d=CVE-2012-0507 - 10.0 (HIGH)
** http://web.nvd.nist....d=CVE-2012-1723 - 10.0 (HIGH)

:ph34r:

Edited by AplusWebMaster, 26 July 2012 - 06:40 AM.



#162 AplusWebMaster


Posted 26 July 2012 - 03:45 PM

FYI...

RunForestRun DGA Update (update your Domain Blocklist) ...
- http://www.malwaredo...rdpress/?p=2805
July 26th, 2012 in 0day, New Domains
> http://blog.unmaskpa...imate-js-files/
26 Jul 12 - "... a quick recap of the RunForestRun attack: It began in mid-June and infected many servers with Plesk Panel since then. Hackers used Plesk’s File Manager to inject malicious code (mainly) at the bottom of .js files..."

"RunForestRun has changed the domain generating algorithm (DGA), and now uses waw.pl subdomains (instead of .ru) in malicious URLs."

:ph34r: :ph34r:

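Because the injection described in the post above lands at the bottom of otherwise unchanged .js files, a baseline of file sizes and hashes can tell appended files apart from files changed in other ways. This is an added example, not code from the post or the linked article; the file names, baseline format and appended marker are constructed for illustration.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Record size and SHA-256 of a known-good file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def classify(path, baseline):
    """Compare a file with its baseline: 'unchanged', 'appended' or 'modified'."""
    with open(path, "rb") as fh:
        data = fh.read()
    if hashlib.sha256(data).hexdigest() == baseline["sha256"]:
        return "unchanged", b""
    size = baseline["size"]
    if len(data) > size and hashlib.sha256(data[:size]).hexdigest() == baseline["sha256"]:
        return "appended", data[size:]  # original bytes intact, extra bytes at the end
    return "modified", b""

def audit(root, baselines):
    """Walk root and report every .js file that no longer matches its baseline."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.endswith(".js")):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in baselines:
                findings[rel] = ("unknown", b"")  # .js file with no baseline entry
                continue
            status, tail = classify(os.path.join(root, rel), baselines[rel])
            if status != "unchanged":
                findings[rel] = (status, tail)
    return findings

def demo():
    """Constructed sample: one clean file, one with a harmless marker appended."""
    with tempfile.TemporaryDirectory() as root:
        names = ("menu.js", "slider.js")
        for name in names:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"function init(){return 1;}\n")
        baselines = {n: fingerprint(os.path.join(root, n)) for n in names}
        with open(os.path.join(root, "slider.js"), "ab") as fh:
            fh.write(b"/* constructed appended block */\n")
        return audit(root, baselines)

if __name__ == "__main__":
    print(demo())
```

The returned tail is the exact appended byte range, which is what needs review and removal when the original content is otherwise intact.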


#163 AplusWebMaster


Posted 29 July 2012 - 09:47 AM

FYI...

RunForestRun DGA Domains
- http://www.malwaredo...rdpress/?p=2811
July 28th, 2012 - "Added over 200 RunForestRun Domains listed at blog.unmaskparasites.com."

:ph34r: :ph34r:



#164 AplusWebMaster


Posted 03 August 2012 - 09:18 PM

FYI...

DNS-BH Aug3 Update – relisted domains
- http://www.malwaredo...rdpress/?p=2813
August 3rd, 2012 - "Added 203 domains – domains were at one time delisted but are once again associated with malware..."

:ph34r: :ph34r:

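The relisting pattern raised in post #158 and again in the update above (domains delisted, then associated with malware again months later) can be measured from dated blocklist snapshots. The sketch below is an added example, not part of the original posts or of the DNS-BH project; the snapshot data, domain names and function names are constructed for illustration.

```python
from datetime import date

# Constructed sample data: dated blocklist snapshots (not real DNS-BH entries).
SNAPSHOTS = {
    date(2012, 1, 10): {"bad-one.example", "bad-two.example"},
    date(2012, 3, 5): {"bad-two.example"},
    date(2012, 5, 20): {"bad-two.example", "bad-three.example"},
    date(2012, 8, 3): {"bad-one.example", "bad-two.example"},
}

def listing_intervals(snapshots):
    """Return {domain: [(first_seen, last_seen), ...]} for each continuous listing."""
    intervals = {}
    open_since = {}          # domain -> date its current listing started
    prev_day, prev_set = None, set()
    for day in sorted(snapshots):
        current = {d.lower().rstrip(".") for d in snapshots[day]}
        for dom in prev_set - current:
            # Dropped from the list: close the interval at the last snapshot that had it.
            intervals.setdefault(dom, []).append((open_since.pop(dom), prev_day))
        for dom in current - prev_set:
            open_since[dom] = day
        prev_day, prev_set = day, current
    for dom, start in open_since.items():
        intervals.setdefault(dom, []).append((start, prev_day))
    return intervals

def relisted(snapshots, min_gap_days=30):
    """Domains delisted and later listed again, with each off-list gap in days.

    The gap runs from the last snapshot containing the domain to the first
    snapshot that lists it again, so it is an upper bound on the quiet period.
    """
    out = {}
    for dom, spans in listing_intervals(snapshots).items():
        gaps = [(nxt[0] - cur[1]).days for cur, nxt in zip(spans, spans[1:])]
        long_gaps = [g for g in gaps if g >= min_gap_days]
        if long_gaps:
            out[dom] = long_gaps
    return out

if __name__ == "__main__":
    for dom, gaps in sorted(relisted(SNAPSHOTS).items()):
        print(f"{dom}: relisted after {gaps} days off the list")
```

Domains that surface here are candidates for permanent listing or for longer retention before delisting.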


#165 AplusWebMaster


Posted 09 August 2012 - 10:18 AM

FYI...

Domains and IPs to Block ASAP
- http://www.malwaredo...rdpress/?p=2825
August 9th, 2012 in 0day, sql injection - "Two posts from the Internet Storm Center:
> https://isc.sans.edu...l?storyid=13864
SQL Injection Lilupophilupop style – Lists about a dozen domains you should immediately add to your blocklists plus more in Dynamoo's blog*.
> https://isc.sans.edu...l?storyid=13861
Zeus/Citadel variant causing issues in the Netherlands – Follow the links and block those IP addresses ..."

* http://blog.dynamoo....o-block-on.html

:ph34r: :ph34r: :ph34r:.

Edited by AplusWebMaster, 09 August 2012 - 01:11 PM.
