block

  • Facebook being blocked more in Belgian enterprises and what it can do about it

    It is all over the Belgian press today. According to a poll by Smart Business, 70% of Belgian enterprises block or filter their internet access. Most of the blocking is entirely normal (porn and music, for example), but there was some astonishment because nearly 1 in 3 blocks social sites altogether, or Facebook in particular. Aren't enterprises using Facebook for their networking? Isn't Facebook what email was before?

    What the journalists and the specialist forgot to mention is that Facebook, and eBay for that matter (I suppose there are other applications like them), is responsible for such a large share of the network traffic, even with relatively few users, that it simply becomes necessary to block it if you have no bandwidth to spare. The reason is that so many different applications, advertisements and other servers have to be contacted before the user has collected his whole page that instead of one simple page you have in fact downloaded a whole site. Secondly, because they use their inclusion in all these sites as their means of advertising, their servers are asked for downloads far more than any others, so Facebook and some others are permanently at the top of the list of the heaviest traffic sources. So the administrators take an interest and think only of the big win of limiting or blocking Facebook: everybody will have enough bandwidth again, everything will go faster, and for the rest there is not much else to do.

    You could also block these sites during working hours but unblock them during the lunch break, for example.

    What can Facebook do about this evolution (other than ignore it and lose all those working and spending users on those business networks)?

    First, make the pages and the interactions with Facebook's main servers lighter. I am sure there are some things that could be blocked or made much lighter. This could be done by loading the heavy parts only after clicking an 'activate' link, or by adapting some scripts and page layouts to make it all lighter and faster.

    Secondly, make the advertisements and 'badges' lighter and try not to make them so dependent on the central servers.

    Thirdly, work together with the proxy and security-filtering firms on a light and secure way of browsing Facebook in which the information is central and all the games, videos and pictures are blocked out.

  • Block LogMeIn from your network

    logmein.com is a service that lets your users log in to your network from outside the network, for free. I don't think I have to explain the problems with that.

    # List distributed by IBlocklist.com
    # List builder v5
    LogMeIn:74.201.74.0-74.201.75.255
    Hamachi:5.0.0.0-5.255.255.255
    LogMeIn:77.242.192.0-77.242.193.255
    LogMeIn:69.25.20.0-69.25.21.255
    Logmein:64.94.18.0-64.94.18.255

    So block these ranges.

    You can find a very large collection of other blocklists at http://www.Iblocklist.com
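To turn such a range list into firewall rules, here is an added Python example (not from the post or from IBlocklist) that parses the "name:start-end" format, converts each range to the minimal set of CIDR blocks, and flags oversized ranges such as the Hamachi /8 for review before they are deployed. The sample list is the one quoted in the post; the rule format assumes iptables on a Linux gateway.

```python
import ipaddress
import re
from typing import List, Tuple

# Sample in the IBlocklist "name:start-end" text format, copied from the
# post above; lines starting with '#' are comments.
SAMPLE_LIST = """\
# List distributed by IBlocklist.com
# List builder v5
LogMeIn:74.201.74.0-74.201.75.255
Hamachi:5.0.0.0-5.255.255.255
LogMeIn:77.242.192.0-77.242.193.255
LogMeIn:69.25.20.0-69.25.21.255
Logmein:64.94.18.0-64.94.18.255
"""

ENTRY_RE = re.compile(r"^(?P<name>[^:]+):(?P<start>[\d.]+)-(?P<end>[\d.]+)$")

Range = Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_ranges(text: str) -> List[Range]:
    """Parse 'name:start-end' lines, rejecting malformed or reversed ranges."""
    entries: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        start = ipaddress.IPv4Address(m["start"])  # raises on a bad address
        end = ipaddress.IPv4Address(m["end"])
        if end < start:
            raise ValueError(f"line {lineno}: range end precedes start")
        entries.append((m["name"].strip(), start, end))
    return entries


def ranges_to_cidrs(entries: List[Range]) -> List[ipaddress.IPv4Network]:
    """Minimal CIDR cover of every range, with overlaps and adjacency merged."""
    nets: List[ipaddress.IPv4Network] = []
    for _, start, end in entries:
        nets.extend(ipaddress.summarize_address_range(start, end))
    return sorted(ipaddress.collapse_addresses(nets))


def oversized(nets, max_prefix: int = 16) -> List[ipaddress.IPv4Network]:
    """Blocks broader than /max_prefix; review these before deploying.

    The Hamachi entry is a whole /8: blocking it wholesale also blocks any
    unrelated hosts that are (or later become) addressed in that space."""
    return [n for n in nets if n.prefixlen < max_prefix]


def iptables_rules(nets, chain: str = "OUTPUT") -> List[str]:
    """One REJECT rule per block (assumed rule shape for a Linux gateway)."""
    return [f"iptables -A {chain} -d {n} -j REJECT" for n in nets]


if __name__ == "__main__":
    blocks = ranges_to_cidrs(parse_ranges(SAMPLE_LIST))
    for rule in iptables_rules(blocks):
        print(rule)
    for net in oversized(blocks):
        print(f"# review before deploying: {net} is broader than /16")
```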

  • 8 blocklists for bad advertisers, malicious downloads and a botnet

    Bad Advertiser Firms by Global Friends Online

    Banned advertiser networks by Drcnetwork

    Banned advertiser networks by x Surf

    GPT Bad advertisers Links

    Bluetack list of Malicious Flash Domains

    Google Badware March malicious Download sites 1

    Infected Mediacodec Sites by Unmaskparasites.com

    zeus botnet domains march

    Some of these lists are not copied as-is but edited, to take out domains that are too general or that cannot simply be blocked (whitelisting some useful ones like .ru and .cn) and to make them usable as blocklists (taking the explanations out, for example).

    If you have more lists, we are always interested.

  • Google badware alerts (some remarks and a blocklist)

    The first thing to note is that they don't analyse their information very much. They could have made a list of the sites that most infect or distribute malware across the web. They could start by publishing all the links that infect a given website or deliver malware, not just a few of them. This would have produced a priority blocklist, and it would have obliged some hosters, ISPs or the firms themselves to clean up their act. Fetching such a list, as you will see below this posting, could be done much more easily from their database. Be creative, think outside the box.

    Thinking about it, it could also be made into a feed that proxies and firewalls around the world could incorporate (provided someone doesn't make another stupid mistake and think the whole internet has fallen into the hands of the crimeware mob).

    Secondly, it is astonishing to see big websites being (partly) blocked just because some pages on their enormous websites are infected. It is also astonishing that these operations would not have security people, or would not have intervened themselves to clean up their act immediately. The first step should not be to block them but to make them clean up their act, if they seem capable of taking care of it immediately.

    They could do this the same way they have done with the webmasters for AdSense etc. and effectively use that information to reach their security contacts.

    Thirdly, it is amazing how many scripts, trojans and downloads can be served from one or two pages. There are sites that had only one or two pages infected and were hosting hundreds of downloads. And if a big site is infected throughout, it is mostly hundreds of pages.

    The Google search is:

    site:google.com/safebrowsing/   "malicious software being downloaded"

    And this is the blocklist of malware-distributing sites in March 2009 (a smart Google search of their database):


  • malicious infected PDF files coming faster (blocklist)

    Upgrade all your Acrobat Readers to 9.1.

    Make sure the antivirus on your network inspects PDF files (they were thought to be too safe and too bothersome to scan for viruses).

    Keep your antivirus updated.

    Make sure you have a clean image or backup of your servers and PCs, just in case.

    Block these sites in the meantime:


    Source: Malwarebytes

  • New Waledac worm (blocklist)


    Source: http://www.malwarebytes.org/forums/index.php?showtopic=12725

  • AdSense malware campaign: blocklist

    Some AdSense campaigns, or other links once AdSense starts cleaning up, link to the following domains:


  • New rogue security software to blacklist


    source

  • new blocklist of rogue security software

    Source: Panda Software

    We hate the fact that other antivirus software firms still think they have to hide the links involved in malware campaigns. This doesn't help anybody except the malware makers. In fact many people use Google to check whether links are genuine, and when they see them mentioned as spyware and so on, they just don't go there. But if many antivirus companies don't publish them, how would Google recognise and index them as malware sites?


  • (blocklist) fast-flux botnet changing from Christmas cards to Obama

    While doing some research on the fast-flux botnets that are going around, I was trying the several domain names they were using. None of them worked. So I thought: not possible, these zombies cannot all have been taken down and cleaned....

    They weren't: when I used the IP address, up came a real fake Obama site.

    You can even try to log on, but then an application asks to be downloaded (yeah, sure).


    At the same time, connecting to the site produced an attack on the computer, and the alert was the following:

    It was from the site googl-status.com from the IP address 74.200.80.10 on the port 80 and it tried to download a malicious PDF file.

    And if you had clicked on 'en español' you would have downloaded this: http://85.101.77.184/usa.exe

    The fake Obama website is hosted on 85.101.77.184 in Turkey and is, according to abuse.ch, part of the Waledac fast-flux botnet.

    This means that fast-flux botnets can also change their nature and content at will, and maybe that is another danger that should be underlined as to why battling this kind of botnet is more urgent than ever.

    According to other online postings, the messages on this blog claiming that Obama had refused to become president were also spammed a few days ago.

    According to Panda Security this is the list of websites that try to distribute a new worm:


    Network administrators should warn their users not to click on messages with a spectacular Obama video and similar stuff, and to stick to the real news sites for real information. You can use the sites above as a blocklist to make sure.
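The entries in these posts are written in several defanged or annotated forms: "httx://" prefixes here, and in the rogue-software, LinkedIn and IE-exploit posts a space before the TLD, trailing slashes, bullets, and IP addresses in parentheses or after a dash. The following added Python example, which is not from this blog or any of the quoted sources, normalises such lines into a deduplicated hostname list plus a separate IP list and emits a Squid dstdomain ACL; it handles all of those forms, not only the "httx://" one, and the sample lines are constructed from the entry styles seen on this page.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample mixing the entry styles found in the posts on this page:
# "httx://" defanging, a space before the TLD, trailing slashes, bullets,
# an IP in parentheses or after " - ", bare IPs, and a duplicate in mixed case.
SAMPLE_ENTRIES = """\
httx://bestbarack.com
pro-scanner-online .com
rapidspywarescanner .com (78.47.172.67)
tube-4you-best.com/
viewersoftwarearchive.com(94.247.3.232)
• dir10.cz
www.zjz-aaa.cn - 222.215.136.19
94.247.2.122
antivirus-scan-your-pc .com (75.126.175.232; 209.160.21.126)
HTTX://BestBarack.com
# comment lines and blank lines are ignored
"""

# Hostname check applied after lowercasing: labels of 1-63 letters, digits
# or hyphens (no leading/trailing hyphen) and an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
SCHEME_RE = re.compile(r"^(?:hxxps?|httx|https?)://", re.IGNORECASE)


def normalize_entry(raw: str) -> Tuple[Optional[str], List[str]]:
    """Return (hostname or None, [IPv4 strings]) for one blocklist line."""
    line = raw.strip().lstrip("•*- ").strip()
    # Collect every syntactically valid IPv4 address anywhere on the line.
    ips: List[str] = []
    for candidate in IPV4_RE.findall(line):
        try:
            ips.append(str(ipaddress.IPv4Address(candidate)))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    # Keep only the part before an annotation: "(IP)" or " - IP".
    host = re.split(r"\(|\s-\s", line, maxsplit=1)[0]
    host = IPV4_RE.sub("", host)          # bare-IP lines leave nothing behind
    host = SCHEME_RE.sub("", host)        # strip httx:// hxxp:// http://
    host = host.replace(" .", ".").replace("[.]", ".")  # undo defanging
    host = host.strip().split("/")[0].rstrip(".").lower()
    if not host or not HOSTNAME_RE.match(host):
        return None, ips
    return host, ips


def build_blocklist(text: str) -> Tuple[List[str], List[str]]:
    """Deduplicated, sorted hostnames and IPs from raw blocklist text."""
    hosts, ips = set(), set()
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        host, found = normalize_entry(raw)
        if host:
            hosts.add(host)
        ips.update(found)
    return sorted(hosts), sorted(ips, key=ipaddress.IPv4Address)


def squid_dstdomain(hosts: List[str]) -> List[str]:
    """Lines for a Squid dstdomain ACL file; a leading dot also matches subdomains."""
    return ["." + h for h in hosts]


if __name__ == "__main__":
    hosts, ips = build_blocklist(SAMPLE_ENTRIES)
    print("\n".join(squid_dstdomain(hosts)))
    print("\n".join(ips))
```

The IPs are kept separate because a dstdomain ACL does not match them; they belong in a firewall rule or a Squid `dst` ACL instead.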

  • Unique: the 50 geolocations of the most active abusing IPs according to Abusebutler

    We have put together a geolocation search and its results with the report of the most active and longest-lasting abusing IP addresses according to Abusebutler:

    http://spamvertised.abusebutler.com/all.php (the full list; information domain registrars should keep somewhere, just to keep those people out of their systems)

    http://spamvertised.abusebutler.com/stats.php (most active)

    Abuse Butler Most Active Geolocation

  • Blocklist Waledac trojan - the new Storm worm


    Related exploit domains (no new ones listed):

    seocom.name
    seocom.mobi
    seofon.net

    Source: shadowserver.org

  • blocklist for LinkedIn malware campaign

    Domains used on the bogus profiles:
    sextapegirls.net (88.214.200.5)
    celebsvids.net (216.195.57.47)
    katynude.com (216.195.57.47)
    delshikandco.com (82.103.132.114)

    Source

  • botnet command and control centers from Help Israel Win

    The Internet Storm Center has analysed the code of the tool that the website Help Israel Win wanted to distribute to more than 7500 people, and about which we reported earlier.

    This is the list to block (and read closely: you will see that some work on port 80, the web traffic port you can't block, so only destination blocking will help):


  • new malwaredomain.com list for January


  • to block malicious online links

    From Arbor Networks:


    http://asert.arbornetworks.com/2009/01/buy-buy-exploitation/
  • ID-ref.be part of international phishing botnet

    Reposted because it is important: there is a Belgian site in the botnet according to Arbor Networks. Also block the mentioned sites, as they are part of a botnet (some other countries will see some of their own domains pop up; some say this diversity is a first for fast-flux botnets).

    Thanks Arbor Networks for publishing this, we want more.

    Today it's an American Express phish. In the past few weeks it's been JPMorgan Chase, Bank of America, CitiGroup, Colonial Bank, and many others. All of them are using fast flux hosting techniques on the same hosts. I don't know the name of this botnet (either the malcode or the colloquial name) but it sure is busy. Here's a list of domain names they have been using for their activities (gathered using passive DNS techniques, most of them are now suspended domains):


    This was published on the 14th of December by Arbor Networks, but as we have no CERT and I decided to take some holiday and more family time (this is not my job), nobody did anything with this info. Normally this should have been closed down 4 hours after being discovered (that counts for all of them, in fact).

    This is the whois for id-ref.be (look at the email address.... if that doesn't work, dns.be can block the domain, but if it is a botnet they will have to be careful with opening response mail. As a domain registrar I would not even use my own mail server; you can try it from a Yahoo account also, and if that isn't working it won't work anywhere....)

    For the moment there seems to be no website at this address, but it may be hidden somewhere or waiting where we can't see it yet.

    Also look at some of the other domain names that were registered or used. Quite interesting ones for malware, don't you think, especially if you can fake MD5 certificates for files....

    Domain details
    Domain
    Name: id-ref
    Status: REGISTERED
    Registered: 26 November 2008
    Last modified: 3 December 2008 10:55
    Licensee
    Language: English
    E-mail: email
    Technical contacts of the registrar
    Name: Auto répondeur
    Organisation: Gandi Sas
    Language: English
    Address: 15 place de la Nation, 75011 Paris, France
    Telephone: +33.143737851
    Fax: +33.143731851
    E-mail: support-en@support.gandi.net
    Registrar
    Organisation: Gandi Sas
    Website: www.gandi.net
    Nameservers
    a.dns.gandi.net
    c.dns.gandi.net
    b.dns.gandi.net

  • block and detect the W32.Downadup.B worm

    It is a typical old-style worm, scanning for passwords, shares and other vulnerable stations.

    It is a new kind of worm because it uses online services to check for an internet connection and the current time. If you see a lot of connections to these services, there could be a problem.

    Next, the worm connects to the following URLs to obtain the IP address of the compromised computer:

    • http://www.getmyip.org
    • http://www.whatsmyipaddress.com
    • http://getmyip.co.uk
    • http://checkip.dyndns.org


    The worm also generates new domain names from letters; you can block these because they have no other existence. The list follows here:


    Block Worm Domain Names

    Source: Symantec
  • IE exploit: new attack sites to block


    Source: shadowserver.org

  • subdomain phisher hosters: the worst and what they can do

    What they can do: http://www.antiphishing.org/reports/APWG_Advisory_on_Subdomain_Registries.pdf

    The worst (you decide if you need them in your network)
