437 replies to this topic

[AplusWebMaster]

FYI...

More sites to block..,
- http://blog.dynamoo....o-block-on.html
13 August 2012 - "More evil sites to block on 194.28.115.150 (Specialist ISP*) following on from these:
idi42nga .rr.nu, kprud89entia .rr.nu, hin66gof .rr.nu, iste03dengi .rr.nu, hing30emplo .rr.nu,
ize84dso .rr.nu, ind42icat .rr.nu, lack33andw .rr.nu"
* http://blog.dynamoo....o-block-on.html
10 August 2012 - "... blocking access to 91.211.200.0/22 and 194.28.112.0/22 (Specialist ISP) plus -all- .rr.nu domains would be even better."

> http://blog.dynamoo....e-pro-spam.html
13 August 2012 - "..."46.51.218.71 (Amazon, Ireland)
71.89.140.153 (Cloudaccess.net, US)
203.80.16.81 (Myren, Malaysia)
Blocking access to these IPs will prevent other malicious sites on the same servers from being a problem..."

Something evil on 178.63.195.128/26
- http://blog.dynamoo....6319512826.html
13 August 2012 - "The IP address range 178.63.195.128/26 nominally belongs to grey hat host Hetzner in Germany, although it has been reallocated to a registrant in Israel. This block recently came up as the source for a ZeroAccess infection picked up from 178.63.195.170. A look at the 178.63.195.128/26 range (178.63.195.128 - 178.63.195.191) shows several suspicious websites with domains apparently generated by DoItQuick (more info here*). Most of the domains are too new to have any reputation, although given the live distribution of malware and the randomly chosen names then they are unlikely to be doing anything nice... quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malcious domains needs to be pointed somewhere else quickly.
The registrant for this block is:
inetnum: 178.63.195.128 - 178.63.195.191
address: RUSSIAN FEDERATION
178.63.195.163...
178.63.195.167...
178.63.195.168...
178.63.195.170...
178.63.195.171..."
* https://krebsonsecur...or-black-deeds/

Edited by AplusWebMaster, 15 August 2012 - 09:44 AM.

[AplusWebMaster]

FYI...

"Federal Tax" spam...
- http://blog.dynamoo....megleeinfo.html
14 August 2012 - "... tax-themed spam leads to malware...

Date: Tue, 14 Aug 2012 15:21:33 +0200
From: "Internal Revenue Service" [alerts@irs.gov]
Subject: Rejected Federal Tax transfer
Your Tax payment (ID: 38969777924999), recently sent from your checking account was returned by the The Electronic Federal Tax Payment System.
Rejected Tax transaction
Tax Transaction ID: 38969777924999
Return Reason See details in the report below
Tax Transaction Report tax_report_38969777924999.doc (Microsoft Word Document) ...

... malicious payload... hosted on 78.87.123.114 (CYTA, Greece) which has been seen several times lately and should be blocked if you can."
___

"We can not charge your credit card" spam...
- http://blog.dynamoo....-card-spam.html
14 August 2012 - "... spam pretends to be from Amazon. Or UPS. Or perhaps both. Anyway, it leads to malware...

Date: Tue, 14 Aug 2012 05:26:05 +0200
From: "ups" [mail@ups.com]
Subject: We can not charge your credit card
Attachments: Amazon_Invoice.htm
Your Account | Help
Your credit card was blocked.
We tried to withdraw money from your credit card, but your bank decline it. In the attachment you will be found a invoice from your last order. Please pay this invoice as soon as possible...

The attachment Amazon_Invoice.htm is malicious and it attempts to download a malicious script... hosted on the following IPs (which have all been used for malware distribution several times):
190.120.228.92
199.71.212.78
203.80.16.81 ..."

Edited by AplusWebMaster, 14 August 2012 - 08:55 AM.

[AplusWebMaster]

FYI...

Outgoing network traffic & Malicious Activity
- http://www.malwaredo...rdpress/?p=2831
August 23rd, 2012 - "SANs* has a nice write-up about analyzing outgoing network traffic to identify malicious activity. They list a bunch of ip blocklists and IP reputation sources.
(We’ve also has two updates since the last post**, busy at $Jobs...)"

* https://isc.sans.edu...d=13963#comment

** http://www.malwaredo...rdpress/?p=2829
August 14th, 2012

Also see: http://www.malwaredo...ist.com/mdl.php

Latest update: August 23, 2012 2:50 AM
- http://mirror2.malwa...ains.com/files/

[AplusWebMaster]

FYI...

DNS-BH Update – 104 new domains
- http://www.malwaredo...rdpress/?p=2833
August 27th, 2012 - "Added 104 new domains from hosts-file.net, safebrowsing.clients.google.com, avgthreatlabs.com and others..."

[AplusWebMaster]

FYI...

Java 0-Day Domains, BH Exploit Kit Domains, other malicious domains
- http://www.malwaredo...rdpress/?p=2837
August 28th, 2012 - "Added domains associated with the Java 0-day, Blackhole Exploit Kit, and other badness. Sources include labs.sucuri.net, blog.fireeye.com, spamhaus.org..."

[AplusWebMaster]

FYI...

Java 0-day, Black Hole Exploits, and other malicious domains...
- http://www.malwaredo...rdpress/?p=2843
September 3rd, 2012 - "... Updates on August 29th and Sept 1st contained domains associated with the Java 0-day, Black Hole Exploits, and other malicious domains (another today @ 1:12 PM*)... Sources include safebrowsing.clients.google.com, scumware.org, blog.dynamoo.com and others..."
* http://mirror2.malwa...ains.com/files/

[AplusWebMaster]

FYI...

java exploit domains, rouge antivirus, malspam domains...
- http://www.malwaredo...rdpress/?p=2852
September 8th, 2012 - "Added 101 new domains associated with Java exploits, malicious spam, sutratds, fake antivirus, etc. Sources include emergingthreats.net, google.com/safebrowsing, blog.dynamoo.com..."

[AplusWebMaster]

FYI...

Several Sept Updates
- http://www.malwaredo...rdpress/?p=2862
September 16th, 2012 - "... Recent updates added domains associated with the Java 0day, Black Hole Exploits, etc. All sources are listed in our domain.txt file*..."
* http://dns-bh.sagadc.org/domains.txt

[AplusWebMaster]

FYI...

Nitro, malspam, risky domains ...
- http://www.malwaredo...rdpress/?p=2866
September 23rd, 2012 - "Added domains associated with Nitro, malspam, etc. Sources include safebrowsing.google.com, symantec.com, zeustracker.abuse.ch, blog.dynamoo.com, zataz.com, hosts-file.net..."

[AplusWebMaster]

FYI...

Site delistings - Blocklist correction ...
- http://www.malwaredo...rdpress/?p=2871
September 25th, 2012 - "artconcoction.com has been delisted and will be removed on the next update. There is also a (big) mistake in the zone file, don’t wait for an update on our end; please -remove- safebrowsing.clients.google.com* from your zone files ASAP."

* NOTE to AdBlock Plus users: Un-check it in the AdBlock Plus Filter Preference listing.

Edited by AplusWebMaster, 25 September 2012 - 04:56 PM.

[AplusWebMaster]

FYI...

malvertising, Black Hole Exploit Kit domains
- http://www.malwaredo...rdpress/?p=2873
September 26th, 2012 - "Added a bunch of domains associated with exploit kits, malvertising, and other badness. Sources include binrand.com, mwis.ru, vxvault.siri-urz.net..."

[AplusWebMaster]

FYI...

140 exploit, driveby, malicious domains
- http://www.malwaredo...rdpress/?p=2876
September 28th, 2012 - "Added 140 domains associated with drivebys, exploits, etc. Sources include wepawet.iseclab.org, urlvoid.com, sucuri.net, and others..."

[AplusWebMaster]

FYI...

250+ Domains...
- http://www.malwaredo...rdpress/?p=2880
October 2nd, 2012 - "Added over 250 domains — iframes, malicious spam, attack sites, etc. Sources: blog.dynamoo.com, safebrowsing.clients.google.com, blog.sucuri.net. etc..."

[AplusWebMaster]

FYI...

Sinowal, Sirefef, redkit domains, blackhole, downadup domains
- http://www.malwaredo...rdpress/?p=2885
October 5th, 2012 - "Added 151 domains associated with downadup, blackhole exploits, red kit, sinowal, etc. Sources include threatexpert.com, mwis.ru, safebrowsing.clients.google.com..."

[AplusWebMaster]

FYI...

downadup, iframes, torpig malicious spam domains added
- http://www.malwaredo...rdpress/?p=2889
October 8th, 2012 - "Added 167 domains associated with iframe injection, malspam, torpig, DownAdUp, etc. Sources include threatexpert.com, labs.sucuri.net, blog.dynamoo.com..."