Malware Domain Blocklist updated...


437 replies to this topic

#181 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 14 October 2012 - 09:30 PM

FYI...

work-at-home scam, kuluoz, trojan domains
- http://www.malwaredo...rdpress/?p=2895
October 12th, 2012 - "A bunch of work-at-home, fraud, scam domains added in addition to the usual black hole exploit kit, trojan, and other malicious domains. Sources include malwareurl.com, emergingthreats.net, malwaredomainlist.com..."

:ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#182 AplusWebMaster

Posted 04 November 2012 - 10:28 AM

FYI...

176 new domains added
- http://www.malwaredo...rdpress/?p=2905
November 3rd, 2012 - "... Added 176 new domains associated with malspam, malicious redirections, exploits, etc. Sources include hosts-file.net, safebrowsing.clients.google.com, blog.dynamoo.com..."

:ph34r: :ph34r:

#183 AplusWebMaster

Posted 06 November 2012 - 02:18 PM

FYI...

Big Update – 286 Domains
- http://www.malwaredo...rdpress/?p=2909
November 6th, 2012 - "Added 286 domains from zeustracker.abuse.ch, urlvoid.com, dshield.org, safebrowsing.clients.google.com..."

:ph34r: :ph34r:

#184 AplusWebMaster

Posted 11 November 2012 - 07:28 PM

FYI...

113 new domains added
- http://www.malwaredo...rdpress/?p=2914
November 10th, 2012 - "Added 113 new domains (onescan, malspam, pharma) listed at blog.dynamoo.com, dshield.org, support.clean-mx.com and others..."

:ph34r:

#185 AplusWebMaster

Posted 14 November 2012 - 06:12 AM

FYI...

156 New Rogue, Unsafe, Suspicious Domains
- http://www.malwaredo...rdpress/?p=2919
November 12th, 2012 - "Added 156 new domains from dshield.org, hosts-file.net, urlvoid.com and other sources..."

:ph34r:

#186 AplusWebMaster

Posted 17 November 2012 - 07:16 PM

FYI...

127 New Malicious Domains
- http://www.malwaredo...rdpress/?p=2921
November 17th, 2012 - "Added 127 new malicious domains from wepawet.iseclab.org, dshield.org, vxvault.siri-urz.net and others..."

:ph34r:

#187 AplusWebMaster

Posted 21 November 2012 - 06:44 AM

FYI...

Big Update: 211 Serenity Exploit Kit, Malspam, Malicious Domains
- http://www.malwaredo...rdpress/?p=2925
November 20th, 2012 - "Added 211 domains associated with Serenity Exploit Kit, malicious spam, etc. from dshield.org, blog.dynamoo.com, malwaremustdie.blogspot.com..."

21,000 (!) JS/RunForestRun/PseudoRandom Domains
- http://www.malwaredo...rdpress/?p=2929
November 21st, 2012 - "The algorithm for creating Pseudo Random RunForestRun domains has been published by malwarereports.blogspot.com . Full list of domains (21000!) is located here*."
* http://pastebin.com/k3k7ibvJ

:ph34r: :ph34r:

#188 AplusWebMaster

Posted 24 November 2012 - 05:50 AM

FYI...

DNS-BH - Malware Domain Blocklist
Another big update: 207 domains
- 1 day ago
> received from RSS feed
"207 domains added (iframes, htaccess redirections and other harmful domains) from malwaremustdie.blogspot.com, dshield.org, labs.sucuri.net, etc..."
(Cannot access site - "under constant attack" [DDoS] ...)
Mirror site still available for updates dtd. Nov 22, 2012...

:ph34r: :ph34r: <_<

#189 AplusWebMaster

Posted 26 November 2012 - 06:30 AM

FYI...

Nov 25 Update: 233 New Domains
> received from RSS feed
"Added 223 suspicious, harmful domains originally referenced in malwaredomainlist.com, safebrowsing.clients.google.com, blog.dynamoo.com and others..."
(Cannot access site - "under constant attack" [DDoS] ...)
"The server at malwaredomains.com is taking too long to respond."
Mirror site still available for updates dtd. Nov 25, 2012...

:ph34r: :ph34r:

#190 AplusWebMaster

Posted 28 November 2012 - 06:21 PM

FYI...

Another large update – 187 domains
- http://www.malwaredomains.com/?p=2941
November 28th, 2012 - "Add -187- exploit kit, malicious, koobface domains originally listed on ddanchev.blogspot.com, avgthreatlabs.com, dshield.org and other sources..."

:ph34r: :ph34r:

#191 AplusWebMaster

Posted 02 December 2012 - 09:56 AM

FYI...

exploit special – over 240 domains added
- http://www.malwaredomains.com/?p=2945
December 2nd, 2012 - "Added over 240 domains flagged as coolexploitkit, Nuclearexploitkit, bhexploitkit along with the usual array of malicious domains originally listed at mwis.ru, kahusecurity.com, malwaredomainlist.com..."

:ph34r: :ph34r:

#192 AplusWebMaster

Posted 06 December 2012 - 08:31 AM

FYI...

malspam, zeus, iceix domains
- http://www.malwaredomains.com/?p=2949
December 5th, 2012 - "Added -116- domains associated with malspam, zeus, iceix, etc. Sources: malwaredomainlist.com, blog.dynamoo.com, vxvault.siri-urz.net and others..."

:ph34r: :ph34r:

#193 AplusWebMaster

Posted 10 December 2012 - 07:23 PM

FYI...

Over 320 Domains Added
- http://www.malwaredomains.com/?p=2952
December 9th, 2012 - "Added over -320- Domains. Please update your blocklists..."

Joomla (and WordPress) Bulk Exploit ongoing
- http://www.malwaredomains.com/?p=2955
December 10th, 2012 - "Sans reports* that there is an ongoing bulk Joomla and WordPress exploit, complete with iframes pointing to Fake AV. If anyone has seen a published list of the FQDN’s involved in this, please let us know so we can add those domains here."
* https://isc.sans.edu...l?storyid=14677
Last Updated: 2012-12-10 23:17:33 UTC - "... reports and discussion around many Joomla (and some WordPress) sites exploited and hosting IFRAMES pointing to bad places. We'll get to the downloaded in a second, but the interesting thing to note is that it doesn't seem to be a scanner exploiting one vulnerability but some tool that's basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits. We'd like PCAPs or weblogs if you're seeing something similar in your environment. Right now it seems the biggest pain is around Joomla users, particularly with extensions which greatly increase the vulnerability footprint and the one thing helping WordPress is the really nice feature of 1-button upgrades (and upgrades which don't tend to break your website). The IFRAMES seem to have rapidly changing FQDN's that it is using but the common element is /nightend.cgi?8. Two of the bad IPs that seem to be frequent offenders are 78.157.192.72 and 108.174.52.38. Ultimately it pulls FakeAV software to do its badness. Mediation is your typical advice, make sure all your software is up-to-date and kept that way on a regular basis. If you have weblogs (particularly verbose ones), I would be interested in seeing them..."

Joomla sites misused to deploy malware
- http://h-online.com/-1766841
12 Dec 2012 - "... Joomla site administrators should be sure to check whether they installed the Joomla Content Editor at some point in the past; if they have, they should update it to the current version JCE 2.3.1*. Those who have found an old version should also check any JavaScript files for suspicious iFrames. A quick overview is available via the
find . -name \*.js -print0 | xargs -0 grep -i iframe
command line instruction. This instruction doesn't cover variants in which the iFrame tag is assembled at a later stage via script code, but none of the infected sites that are known to heise Security include such variants. The injected PHP backdoor can often be found at /images/stories/story.php."
* http://www.joomlacon...ce-231-released

:ph34r: :ph34r:

Edited by AplusWebMaster, 12 December 2012 - 06:05 AM.


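An added example, not part of the original post or of the articles it quotes: the quoted find one-liner widened into a small triage function that also checks the backdoor location and the /nightend.cgi?8 URL fragment mentioned above. The function name scan_webroot and the JS:/PHP:/URL: output prefixes are assumptions made here, and listing every .php file under images/stories generalizes the single story.php path the article names.

```sh
#!/bin/sh
# Added example: triage a web root for the indicators quoted in the post.
# scan_webroot and the JS:/PHP:/URL: prefixes are names chosen here.
# Usage: scan_webroot /path/to/webroot
# Exit status: 0 = nothing found, 1 = findings printed, 2 = bad argument.

scan_webroot() {
    sw_root="$1"
    [ -d "$sw_root" ] || { echo "not a directory: $sw_root" >&2; return 2; }

    # Three checks, collected into one report:
    #  1. *.js files that mention iframe. -name comes before the action,
    #     so only JavaScript files reach grep.
    #  2. PHP files inside images/stories, where the article says the
    #     backdoor is often found. Listing every *.php there is a
    #     generalization made for this example.
    #  3. Any file, whatever its extension, holding the URL fragment the
    #     ISC diary names as the common element of the injected iframes.
    sw_hits="$(
        find "$sw_root" -type f -name '*.js' -exec grep -il -- iframe {} + |
            sed 's/^/JS: /'
        find "$sw_root" -type f -path '*/images/stories/*' -name '*.php' |
            sed 's/^/PHP: /'
        grep -rlF -- 'nightend.cgi?8' "$sw_root" |
            sed 's/^/URL: /'
    )"

    [ -n "$sw_hits" ] || return 0
    printf '%s\n' "$sw_hits"
    return 1
}
```

Like the one-liner it extends, check 1 does not catch an iframe tag that is assembled at run time by script code; every hit is a file to review by hand, not a verdict.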

#194 AplusWebMaster


Posted 12 December 2012 - 06:51 AM

FYI...

142 malspam, iframe, joomla exploit, malicious domains
- http://www.malwaredomains.com/?p=2963
December 11th, 2012 - "Added -142- domains associated with malspam, iframe/joomla exploit. Sources include safebrowsing.clients.google.com, blog.dynamoo.com, labs.sucuri.net..."

:ph34r: :ph34r:

#195 AplusWebMaster

Posted 16 December 2012 - 09:17 PM

FYI...

247 kelihos, runforestrun domains
- http://www.malwaredomains.com/?p=2972
December 14th, 2012 - "247 domains (kelihos, runforestrun and others) were added. Sources include abuse.ch, malwaremustdie.blogspot.com..."
___

citadel, zeus, harmful domains
- http://www.malwaredomains.com/?p=2979
December 16th, 2012 - "Added -189- domains associated with citadel, zeus and other badness. Sources include zeustracker.abuse.ch, spamhaus.org, malwaredomainlist.com, safeweb.norton.com..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 21 December 2012 - 07:22 AM.
