News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
May 23, 2013, 10:59:12
Topic: Malware Domain Blocklist updated...  (Read 48478 times)
« Reply #270 on: July 26, 2012, 04:25:56 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 7324



FYI...

Java Exploit domains, trojans, rogues
- http://www.malwaredomains.com/wordpress/?p=2800
July 25th, 2012 - "A small but important update containing domains associated with Java exploits, rogue antivirus, trojans, and other malicious domains you don’t want visiting your computer or network. Sources include mwis.ru, malwaredomainlist.com, and urlquery.net..."
___

- https://blogs.technet.com/b/mmpc/archive/2012/07/25/how-to-protect-yourself-from-java-based-malware.aspx?Redirected=true
25 Jul 2012 - "The last few months we have seen a drastic increase in Java-based malware abusing the CVE-2012-0507* AtomicReferenceArray type-confusion vulnerability. In addition to that, a few weeks ago, a new Java vulnerability was found (CVE-2012-1723)**; it is also a type-confusion vulnerability. The attack abusing this new vulnerability is also very active... The most effective measure against these vulnerabilities is -updating- your Java installation. To check the version of JRE your browser is running, visit following link:
http://www.java.com/en/download/installed.jsp ..."

* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0507 - 10.0 (HIGH)
** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723 - 10.0 (HIGH)

« Last Edit: July 26, 2012, 04:42:53 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #271 on: July 26, 2012, 13:47:51 »
AplusWebMaster

FYI...

RunForestRun DGA Update (update your Domain Blocklist) ...
- http://www.malwaredomains.com/wordpress/?p=2805
July 26th, 2012 in 0day, New Domains
http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/
26 Jul 12 - "... a quick recap of the RunForestRun attack: It began in mid-June and infected many servers with Plesk Panel since then. Hackers used Plesk’s File Manager to inject malicious code (mainly) at the bottom of .js files..."

"RunForestRun has changed the domain generating algorithm (DGA), and now uses waw.pl subdomains (instead of .ru) in malicious URLs."

« Reply #272 on: July 29, 2012, 07:39:32 »
AplusWebMaster

FYI...

RunForestRun DGA Domains
- http://www.malwaredomains.com/wordpress/?p=2811
July 28th, 2012 - "Added over 200 RunForestRun Domains listed at blog.unmaskparasites.com."

« Reply #273 on: August 03, 2012, 19:13:36 »
AplusWebMaster

FYI...

DNS-BH Aug3 Update – relisted domains
- http://www.malwaredomains.com/wordpress/?p=2813
August 3rd, 2012 - "Added 203 domains – domains were at one time delisted but are once again associated with malware..."

« Last Edit: August 03, 2012, 19:15:45 by AplusWebMaster »
« Reply #274 on: August 09, 2012, 08:25:45 »
AplusWebMaster

FYI...

Domains and IPs to Block ASAP
- http://www.malwaredomains.com/wordpress/?p=2825
August 9th, 2012 in 0day, sql injection - "Two posts from the Internet Storm Center:
> https://isc.sans.edu/diary.html?storyid=13864
SQL Injection Lilupophilupop style – Lists about a dozen domains you should immediately add to your blocklists plus more in Dynamoos blog*.
> https://isc.sans.edu/diary.html?storyid=13861
Zeus/Citadel variant causing issues in the Netherlands – Follow the links and block those IP addresses ..."

* http://blog.dynamoo.com/2012/08/more-malware-sites-to-block-on.html

« Reply #275 on: August 13, 2012, 11:09:45 »
AplusWebMaster

FYI...

More sites to block...
- http://blog.dynamoo.com/2012/08/even-more-malware-sites-to-block-on.html
13 August 2012 - "More evil sites to block on 194.28.115.150 (Specialist ISP*) following on from these:
idi42nga .rr.nu, kprud89entia .rr.nu, hin66gof .rr.nu, iste03dengi .rr.nu, hing30emplo .rr.nu,  
ize84dso .rr.nu, ind42icat .rr.nu, lack33andw .rr.nu"
* http://blog.dynamoo.com/2012/08/yet-more-malware-sites-to-block-on.html
10 August 2012 - "... blocking access to 91.211.200.0/22 and 194.28.112.0/22 (Specialist ISP) plus -all- .rr.nu domains would be even better."

> http://blog.dynamoo.com/2012/08/scan-from-xerox-workcentre-pro-spam.html
13 August 2012 - "... 46.51.218.71 (Amazon, Ireland)
71.89.140.153 (Cloudaccess.net, US)
203.80.16.81 (Myren, Malaysia)
Blocking access to these IPs will prevent other malicious sites on the same servers from being a problem..."

Something evil on 178.63.195.128/26
- http://blog.dynamoo.com/2012/08/something-evil-on-1786319512826.html
13 August 2012 - "The IP address range 178.63.195.128/26 nominally belongs to grey hat host Hetzner in Germany, although it has been reallocated to a registrant in Israel. This block recently came up as the source for a ZeroAccess infection picked up from 178.63.195.170. A look at the 178.63.195.128/26 range (178.63.195.128 - 178.63.195.191) shows several suspicious websites with domains apparently generated by DoItQuick (more info here*). Most of the domains are too new to have any reputation, although given the live distribution of malware and the randomly chosen names then they are unlikely to be doing anything nice... quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malicious domains need to be pointed somewhere else quickly.
The registrant for this block is:
inetnum: 178.63.195.128 - 178.63.195.191
address: RUSSIAN FEDERATION
178.63.195.163...
178.63.195.167...
178.63.195.168...
178.63.195.170...
178.63.195.171..."
* https://krebsonsecurity.com/2012/07/service-secures-domains-for-black-deeds/

« Last Edit: August 15, 2012, 07:43:16 by AplusWebMaster »
« Reply #276 on: August 14, 2012, 06:45:08 »
AplusWebMaster

FYI...

"Federal Tax" spam...
- http://blog.dynamoo.com/2012/08/federal-tax-spam-wireframegleeinfo.html
14 August 2012 - "... tax-themed spam leads to malware...

Date: Tue, 14 Aug 2012 15:21:33 +0200
From: "Internal Revenue Service" [alerts@irs.gov]
Subject: Rejected Federal Tax transfer
Your Tax payment (ID: 38969777924999), recently sent from your checking account was returned by the The Electronic Federal Tax Payment System.
Rejected Tax transaction
Tax Transaction ID:     38969777924999
Return Reason     See details in the report below
Tax Transaction Report     tax_report_38969777924999.doc (Microsoft Word Document)
...

... malicious payload... hosted on 78.87.123.114 (CYTA, Greece) which has been seen several times lately and should be blocked if you can."
___

"We can not charge your credit card" spam...
- http://blog.dynamoo.com/2012/08/we-can-not-charge-your-credit-card-spam.html
14 August 2012 - "... spam pretends to be from Amazon. Or UPS. Or perhaps both. Anyway, it leads to malware...

Date: Tue, 14 Aug 2012 05:26:05 +0200
From: "ups" [mail@ups.com]
Subject:  We can not charge your credit card
Attachments:  Amazon_Invoice.htm
Your Account | Help
Your credit card was blocked.
We tried to withdraw money from your credit card, but your bank decline it. In the attachment you will be found a invoice from your last order. Please pay this invoice as soon as possible...


The attachment Amazon_Invoice.htm is malicious and it attempts to download a malicious script... hosted on the following IPs (which have all been used for malware distribution several times):
190.120.228.92
199.71.212.78
203.80.16.81
..."

« Last Edit: August 14, 2012, 06:56:39 by AplusWebMaster »
« Reply #277 on: August 23, 2012, 13:55:03 »
AplusWebMaster

FYI...

Outgoing network traffic & Malicious Activity
- http://www.malwaredomains.com/wordpress/?p=2831
August 23rd, 2012 - "SANS* has a nice write-up about analyzing outgoing network traffic to identify malicious activity. They list a bunch of IP blocklists and IP reputation sources.
(We’ve also had two updates since the last post**, busy at $Jobs...)"

* https://isc.sans.edu/diary.html?storyid=13963#comment

** http://www.malwaredomains.com/wordpress/?p=2829
August 14th, 2012

Also see: http://www.malwaredomainlist.com/mdl.php

Latest update: August 23, 2012  2:50 AM
- http://mirror2.malwaredomains.com/files/

« Reply #278 on: August 28, 2012, 03:55:52 »
AplusWebMaster

FYI...

DNS-BH Update – 104 new domains
- http://www.malwaredomains.com/wordpress/?p=2833
August 27th, 2012 - "Added 104 new domains from hosts-file.net, safebrowsing.clients.google.com, avgthreatlabs.com and others..."

« Reply #279 on: August 29, 2012, 04:52:49 »
AplusWebMaster

FYI...

Java 0-Day Domains, BH Exploit Kit Domains, other malicious domains
- http://www.malwaredomains.com/wordpress/?p=2837
August 28th, 2012 - "Added domains associated with the Java 0-day, Blackhole Exploit Kit, and other badness. Sources include labs.sucuri.net, blog.fireeye.com, spamhaus.org..."

« Reply #280 on: September 03, 2012, 12:27:57 »
AplusWebMaster

FYI...

Java 0-day, Black Hole Exploits, and other malicious domains...
- http://www.malwaredomains.com/wordpress/?p=2843
September 3rd, 2012 - "... Updates on August 29th and Sept 1st contained domains associated with the Java 0-day, Black Hole Exploits, and other malicious domains (another today @ 1:12 PM*)... Sources include safebrowsing.clients.google.com, scumware.org, blog.dynamoo.com and others..."
* http://mirror2.malwaredomains.com/files/

« Reply #281 on: September 09, 2012, 07:47:22 »
AplusWebMaster

FYI...

Java exploit domains, rogue antivirus, malspam domains...
- http://www.malwaredomains.com/wordpress/?p=2852
September 8th, 2012 - "Added 101 new domains associated with Java exploits, malicious spam, sutratds, fake antivirus, etc. Sources include emergingthreats.net, google.com/safebrowsing, blog.dynamoo.com..."

« Reply #282 on: September 17, 2012, 03:10:17 »
AplusWebMaster

FYI...

Several Sept Updates
- http://www.malwaredomains.com/wordpress/?p=2862
September 16th, 2012 - "... Recent updates added domains associated with the Java 0day, Black Hole Exploits, etc. All sources are listed in our domain.txt file*..."
* http://dns-bh.sagadc.org/domains.txt

« Reply #283 on: September 24, 2012, 03:17:00 »
AplusWebMaster

FYI...

Nitro, malspam, risky domains ...
- http://www.malwaredomains.com/wordpress/?p=2866
September 23rd, 2012 - "Added domains associated with Nitro, malspam, etc. Sources include safebrowsing.google.com, symantec.com, zeustracker.abuse.ch, blog.dynamoo.com, zataz.com, hosts-file.net..."

« Reply #284 on: September 25, 2012, 14:45:22 »
AplusWebMaster

FYI...

Site delistings - Blocklist correction ...
- http://www.malwaredomains.com/wordpress/?p=2871
September 25th, 2012 - "artconcoction.com has been delisted and will be removed on the next update. There is also a (big) mistake in the zone file, don’t wait for an update on our end; please -remove- safebrowsing.clients.google.com* from your zone files ASAP."

* NOTE to AdBlock Plus users: Un-check it in the AdBlock Plus Filter Preference listing.

« Last Edit: September 25, 2012, 14:55:22 by AplusWebMaster »
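The posts above ask readers to do three different things with the same blocklist: block whole CIDR ranges (194.28.112.0/22, 178.63.195.128/26), block every domain under a suffix (all of .rr.nu), and pull a mistakenly listed name (safebrowsing.clients.google.com) back out of the zone file. The following Python is an added example, not code from this forum, from malwaredomains.com or from dynamoo.com; it loads a small constructed list in a one-entry-per-line format of my own choosing (not the DNS-BH domains.txt layout), refuses entries that would knock out an allowlisted domain or one of its parents, answers "is this name or IP blocked?", and emits BIND RPZ records. The NEVER_BLOCK allowlist, the sample entries and the RPZ output format are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample list in a hypothetical format: bare domains, "*.suffix"
# wildcards, and IPs or CIDR ranges. Values are the ones quoted in the thread.
SAMPLE_BLOCKLIST = """\
# comment lines and blanks are ignored
idi42nga.rr.nu
*.rr.nu
194.28.112.0/22
91.211.200.0/22
178.63.195.128/26
78.87.123.114
safebrowsing.clients.google.com
"""

# Names that must never be blocked (assumed allowlist): listing one of these,
# or a parent of one, breaks clients rather than protecting them.
NEVER_BLOCK = {"safebrowsing.clients.google.com", "google.com"}


@dataclass
class Blocklist:
    domains: set = field(default_factory=set)
    suffixes: set = field(default_factory=set)    # "*.rr.nu" is stored as "rr.nu"
    networks: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # entries refused by the allowlist


def _normalise(name):
    """Lower-case, strip whitespace and a trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def _protected(name):
    """True if name is allowlisted or is a parent domain of an allowlisted name."""
    for safe in NEVER_BLOCK:
        if name == safe or safe.endswith("." + name):
            return True
    return False


def parse_blocklist(text):
    """Parse the text format above into a Blocklist, applying the allowlist check."""
    bl = Blocklist()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # A single IP parses as a /32 (or /128) network.
            bl.networks.append(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass  # not an address: treat as a domain entry
        wildcard = line.startswith("*.")
        name = _normalise(line[2:] if wildcard else line)
        if _protected(name):
            bl.rejected.append(line)
            continue
        (bl.suffixes if wildcard else bl.domains).add(name)
    return bl


def is_blocked_name(bl, hostname):
    """Exact-domain match, or any label under a wildcard suffix."""
    name = _normalise(hostname)
    if name in bl.domains:
        return True
    return any(name == s or name.endswith("." + s) for s in bl.suffixes)


def is_blocked_ip(bl, ip):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in bl.networks)


def rpz_records(bl):
    """BIND RPZ lines: 'CNAME .' answers NXDOMAIN; the '*.' form covers subdomains."""
    out = [f"{d} CNAME ." for d in sorted(bl.domains)]
    for s in sorted(bl.suffixes):
        out.append(f"{s} CNAME .")
        out.append(f"*.{s} CNAME .")
    return out


if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_BLOCKLIST)
    print("rejected by allowlist:", bl.rejected)
    for host in ("kprud89entia.rr.nu", "example.com"):
        print(host, "blocked" if is_blocked_name(bl, host) else "allowed")
    for ip in ("194.28.115.150", "178.63.195.192"):
        print(ip, "blocked" if is_blocked_ip(bl, ip) else "allowed")
    print("\n".join(rpz_records(bl)))
```

The allowlist check runs at load time rather than at lookup time on purpose: an error like the one Reply #284 describes is cheapest to catch before the zone is published, and the `rejected` list gives the operator something to review instead of a silent drop.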