03/22/2009

facebook being blocked more in Belgian enterprises and what it can do about it

It is all over the Belgian press today. According to a poll by Smart Business, 70% of Belgian enterprises are blocking or filtering their internet access. Most of the blocked categories are totally normal, like porn and music, but there was some astonishment because nearly 1 in 3 is blocking social sites altogether, or Facebook in particular. Aren't enterprises using Facebook for their networking? Isn't Facebook what email was before?

What the journalists and the specialists forgot to mention is that Facebook (and eBay for that matter, and I suppose there are other applications like that) is responsible for such a huge part of the network traffic (even if there are not so many users) that it just becomes necessary to block it if you don't have any bandwidth to spare. The reason for this is that so many different applications, advertisements and other servers need to be contacted before the user has collected his whole page that instead of one simple page you have in fact downloaded a whole site. Secondly, as they use their inclusion in all these sites as their means of advertising, their servers are being asked for downloads much more than any others, so Facebook and some others are directly and permanently at the top of the list of the biggest consumers (the 'superusers'). So the administrators become interested and just think about the big win of limiting or blocking Facebook: everybody will have enough bandwidth again and everything will go faster, and for the rest there is not much else to do.

You could also block these sites during working hours but free them up during the lunch break, for example.

What can Facebook do about this evolution (except ignore it and lose all those working and spending users inside those business networks)?

First, make the pages and the interactions with Facebook's main servers lighter. I am sure there are some things that could be blocked or made much lighter. This could be done by putting them behind an 'activate' link, or by adapting some scripts and page layouts to make it all lighter and faster.

Secondly, make the advertisements and 'badges' lighter and try not to make them so dependent on the central servers.

Thirdly, work out together with the proxy and security-filtering firms a light and secure way of browsing Facebook in which the information is central and all the games, vids and pics are blocked out.


03/19/2009

Block LogMeIn from your network

logmein.com is a service that lets your users log in to your network from outside the network, for free. I don't think I have to explain the problems with that.

# List distributed by IBlocklist.com
# List builder v5
LogMeIn:74.201.74.0-74.201.75.255
Hamachi:5.0.0.0-5.255.255.255
LogMeIn:77.242.192.0-77.242.193.255
LogMeIn:69.25.20.0-69.25.21.255
Logmein:64.94.18.0-64.94.18.255

So block these ranges.

You may find a very big list of other blocklists on http://www.Iblocklist.com
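The IBlocklist format above gives first-last address ranges, while most firewalls want CIDR prefixes. The script below is an added example (mine, not IBlocklist's or this blog's) that parses that "Name:first-last" format, collapses each range into the smallest set of CIDR blocks with the standard library, and renders one iptables DROP rule per block. The sample list is embedded from the post; the `OUTPUT` chain and the rule shape are my assumptions about where an admin would apply it.

```python
import ipaddress

# Sample in the IBlocklist "Name:first-last" format, copied from the post above
# (comment lines start with '#').
SAMPLE_LIST = """\
# List distributed by IBlocklist.com
# List builder v5
LogMeIn:74.201.74.0-74.201.75.255
Hamachi:5.0.0.0-5.255.255.255
LogMeIn:77.242.192.0-77.242.193.255
LogMeIn:69.25.20.0-69.25.21.255
Logmein:64.94.18.0-64.94.18.255
"""


def parse_ranges(text):
    """Yield (name, first_ip, last_ip) for every well-formed, non-comment line.

    Lines that do not look like name:first-last, or whose addresses do not
    parse, are skipped rather than turned into a broken rule.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, span = line.partition(":")
        if not sep or "-" not in span:
            continue
        first, _, last = span.partition("-")
        try:
            yield name, ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())
        except ValueError:
            continue


def ranges_to_cidrs(text):
    """Return a sorted, de-duplicated list of (lower-cased name, CIDR string)."""
    out = set()
    for name, first, last in parse_ranges(text):
        # summarize_address_range needs same IP version and first <= last
        if first.version != last.version or first > last:
            continue
        for net in ipaddress.summarize_address_range(first, last):
            out.add((name.lower(), str(net)))
    return sorted(out)


def iptables_rules(text, chain="OUTPUT"):
    """Render one DROP rule per CIDR; the chain name is an assumption."""
    return [f"iptables -A {chain} -d {cidr} -j DROP  # {name}"
            for name, cidr in ranges_to_cidrs(text)]


if __name__ == "__main__":
    for rule in iptables_rules(SAMPLE_LIST):
        print(rule)
```

Because `summarize_address_range` only emits aligned prefixes, a range that is not on a power-of-two boundary produces several rules; the five ranges in the post each collapse to a single /8, /23 or /24.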


03/18/2009

8 blocking lists for bad advertisers, malicious downloads and a botnet

  • Bad Advertiser Firms by Global Friends Online
  • Banned advertiser networks by Drcnetwork
  • Banned advertiser networks by x Surf
  • GPT Bad advertisers Links
  • Bluetack list of Malicious Flash Domains
  • Google Badware March malicious Download sites 1
  • Infected Mediacodec Sites by Unmaskparasites.com
  • zeus botnet domains march

Some of these lists are not copied as-is but edited: to take out domains that are too general or that should not be blocked wholesale (whitelisting some useful ones like .ru and .cn), and to make them usable as blocking lists (taking the explanations out, for example).

If you have more lists, we are always interested.


03/17/2009

Google badware alerts (some remarks and a blocklist)

The first thing to notice is that they (Google) don't analyse their information very much. They could have made a list of the sites that were most infecting or distributing malware across the web. They could start by publishing all the links that are infecting a certain website or delivering malware, and not just a few of them. This would have made a priority blocklist, and this action would have obliged some hosters and ISPs, or the firms themselves, to clean up their act. Fetching such a list - as you will see under this posting - could be done much more easily from their database. Be creative, think out of the box.

Thinking about it, it could also be made into a feed that proxies and firewalls around the world could incorporate (if someone doesn't make a stupid mistake again and thinks the whole internet has fallen into the hands of the crimeware mob).

Secondly, it is astonishing to see big websites being (partly) blocked just because there are some pages on their enormous websites that are infected. It is also astonishing that these operations would not have security people, or would not have intervened themselves to clean up their act immediately. The first thing to do would be not to block them but to make them clean up their act, if they seem capable of taking care of it immediately.

They could do this the same way they have done with the webmasters for AdSense etc... and effectively use that information for their security contacts.

Thirdly, it is amazing how many scripts, trojans and downloads can be organised from one or two pages. There are sites that had only one or two pages infected and were hosting hundreds of downloads. And if a big site is infected throughout, it is mostly hundreds of pages.

The Google search is:

site:google.com/safebrowsing/   "malicious software being downloaded"

And this is the blocklist of malware-distributing sites in March 2009 (smartly googled from their database):

4pc-av-scanner.net
58.180.251.0
87.248.180.0
94.247.2.0
advanced-anti-virus-scan.com
afreeca.com
anade.osa.pl
analgize-google.cn
antimalwaresuperscanner.com
antispywareinternetscanner.com
antispywareonlineproscan.com
antivirus-bestscan.com
antivirusdefense.com
anti-virus-live-scanner.com
anti-virus-online-scan.com
antivirus-protectionscan.com
ardoshanghai.com
auctiva.com
avscan-pc.net
axa3.cn
bellwave.com
browserpower.cn
buynet.gr
cawjb.com
centralwebsecurity.cn
computerquickscanner.com
dbios.org
defense-live-scan.com
dizoxen.com
dl7s.biz
download-free-toolz.cn
eastbuildingkappagirl.notlong.com
employment911.com
escalonagolfvillage.com
fastantispywarescanner.com
fast-antivirus-pro-scan.com
fastantivirusproscanner.com
flysearch.net
fordgreatcars.cn
freeyobt.com
geografystart.ru
gogo2me.net
google-search.ru
goscanfuse.com
goscanmain.com
hqextra.com
hq-free-movies.com
icaapi.com
in4ik.com
including fast-antispyware-scanner.com
internethomescan.com
jjmaobuduo.3322.org
job-thai.net
latenighttalks.cn
lbs66.cn
liteantispywareproscanner.com
live-antivirus-pc-scan.com
liveantivirusprotectionscan.com
livescan6.com
luckffxi.com
malwareprosecurityscan.com
mibs.gr
microsoft2010.com
minimez.co.uk
music.gr
mybestantivirus-download.info
mybestantivirus-scanner.info
new-soft-4pc-download.com
newsworldinteger.cn
nice-extra.com
no-av-4comp.net
nokiasoftwarepromo.cn
onlineantimalwarescan.com
onlineantivirusproscan.com
onlineantivirus-scanner.com
onlinedetect.com
onlinepcvirusscanner.com
onlinesecurity-scan.com
onlynewclicks.cn
pc2009-antivr.net
pc-antispywarescanner.com
pcantivirusscan.com
pc-security-scan.com
perlcphp.com
poptraf.ru
post.lg.ua
premium-advanced-scan.com
premiumantiviruscheck.com
premiumonlinescanner.com
privateinterfacesystem.cn
proantiviruspcscan.com
pro-scanner-online .com
protectedgoclicks.com
protecteduser.cn
protection-manager.com
protect-management.com
rapidantiviruslivescan.com
reliable-anti-virus.info
s800qn.cn
savelocity.com
scan-4-pc-best.net
scanline4.com
scanner-pc-no-av.com
securitywwwclicks.com
stretse.freehostia.com
supermannews.cn
tionshow.com
top2009images.com
top20search.org
trafpartner.com
trancedj.net46.net
trustedtop10.com
ukr-mova.info
vaitarnet.info
vernoux.org
verynx.cn
vids247.cn
websafetyscan.com
whitebiz.cn
winesamile.cn
yourbestway.su


Malicious infected PDF files coming faster (blocklist)

Upgrade all your Acrobat Readers to 9.1.

Be sure that the antivirus on your network inspects PDF files (they were thought to be too safe, and too bothersome, to scan for viruses).

Keep your antivirus updated.

Be sure to have a clean image or backup of your servers and PCs, just in case.

Block these sites in the meantime:

chura.pl
akajjcthr.com
leepe.cn
piratik.biz
smicrosoft.ru
zlzu.ru
ustechservic.com.cn
94.247.2.122
shmurge.com
pakras.com
bamrot.com
xazlon.cn
tozxiqud.cn
hayboxiw.cn
porgacig.cn

Source: Malwarebytes


New Waledac worm (blocklist)

romanticsloving.com
bestlovelong.com
adorepoem.com
yourgreatlove.com
goodnewsreview.com
bestgoodnews.com
linkworldnews.com
worldnewsdot.com
spacemynews.com
reportradio.com
wapcitynews.com
goodnewsdigital.com
worldnewseye.com
worldtracknews.com
bestadore.com
youradore.com
orldlovelife.com
funloveonline.com
breakingnewsltd.com
breakingfreemichigan.com
yourbreakingnew.com
breakingnewsfm.com
breakingkingnews.com
easyworldnews.com
tntbreakingnews.com
bestbreakingfree.com
breakinggoodnews.com
usabreakingnews.com

 

Source: http://www.malwarebytes.org/forums/index.php?showtopic=12725


01/26/2009

AdSense malware campaign: blocklist

Some AdSense campaigns, or other links if AdSense starts cleaning up, will link to the following domains:

adobe-reader-co.com
adware-co.com
flash-player-co.com
paint-shop-pro.com
winrar-co.com
ccleaner-co.com
firefox-co.com
avi-codec-co.com
guitar-pro-co.com
codec-co.com
opera-co.com
messenger-comp.com
servicepack-co.com
azureus-co.com
emulegratis.es
messenger-plus-co.com
zone-alarm-co.com
directx-co.com
bittorrent-co.com
media-player-co.com
emulefree.com
divx-co.com
office-co.com
virtualdj-co.com
zattoo-co.com
clonecd-co.com
tuneup-co.com
lphant-co.com
explorer-co.com
amule-co .com
messenger75-co.com
limewire-comp.com
lite-codec-co.com
power-dvd-co.com
messenger-plus-live-co.com
reamweaver-co.com
aresgratis.net
vuze-co.com
emuleespaña.es
regcleaner-co.com
paint-net-co.com
download-acelerator.com
windownloadweb.com
xp-codecpack-co.com

 


New rogue security software to blacklist

rapidspywarescanner .com (78.47.172.67)
live-antiviruspc-scan .com
professional-virus-scan .com
proantiviruscomputerscan .com
bestantivirusfastscan .com
premium-advanced-scanner .com

rapidantiviruspcscan .com (78.46.216.237)
securedserverdownload .com
securedonlinewebspace .com
securedupdateupdatesoftware .com
bestantivirusdefense .com
live-pc-antivirus-scan .com
best-antivirus-protection .com
proantivirusprotection .com
best-anti-virus-scanner .com
best-antivirus-scanner .com
bestantivirusproscanner .com
bestantivirusfastscanner .com
protectedsystemupdates .com
liveantispywarescan .com
live-antispyware-scan .com
internet-antispyware-scan .com

antivirus-scan-your-pc .com (75.126.175.232; 209.160.21.126)
bestantivirusdefence .com
best-antivirus-defense .com
premiumadvancedscan .com
bestantivirusproscan .com
best-antivirus-pro-scanner .com
internetprotectedpayments .com

secure.softwaresecuredbilling .com (209.8.45.122)
secure.goeasybill .com (209.8.25.202)
secure-plus-payments .com (209.8.25.204)

source


01/20/2009

New blocklist of rogue security software

Source: Panda Software

We hate the fact that other antivirus software firms still think they have to hide the links that are involved in malware campaigns. This doesn't help anybody except the malware makers. In fact many people use Google to check whether links are genuine or not, and when they see them mentioned as spyware and so on, they just don't go there. But if many antivirus companies don't publish them, how would Google recognise and index them as malware sites?

best2008-scan-av .com
forpc-av-scanner .net
best-scanner-pc .net
best2008-scan-av .com
av-pcscan-comp .com
quickly-scan-no-av .com
best6scan .com
easy6scan .com
bestscan6 .com
easy4scan .com
easyscan6 .com
fastscan6 .com
fast4scan .com
fastscan4 .com
fastscan6 .com
livescan4 .com
livescan5 .com
livescan6 .com
newscan4 .com
newscan5 .com
new7scan .com
newscan6 .com
plus4scan .com
plus6scan .com
plusscan4 .com
scan4easy .com
scan4fast .com
scan5best .com
scan5plus .com
scan6live .com
scan7live .com
sg10scanner .com
sg11scanner .com
sg12scanner .com

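The lists on this page are written in several notations: defanged names with a space before the TLD ("pro-scanner-online .com" in the Google badware list above, "livescan6  .com" in this Panda list), "httx://" prefixes in the Waledac list further down, trailing slashes and "(ip)" annotations in the LinkedIn list, plus bare IPs and duplicates. The script below is an added example of mine (not code from this blog or from any of the cited vendors) that normalises all of those forms into one de-duplicated domain list and one IP list, and renders them as a hosts-file sinkhole and as a Squid `dstdomain` file. The sample entries are taken from the lists on this page; the two output formats are my choice, not something the posts specify.

```python
import ipaddress
import re

# Constructed sample mixing the notations used by the lists on this page.
SAMPLE_ENTRIES = """\
pro-scanner-online .com
livescan6  .com
httx://bestbarack.com
tube-4you-best.com/
rapidspywarescanner .com (78.47.172.67)
antivirus-scan-your-pc .com (75.126.175.232; 209.160.21.126)
94.247.2.122
http://north-host.net
bestbarack.com
"""

_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def normalize_entry(raw):
    """Return (domains, ips) found in one raw blocklist line."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return set(), set()
    ips = set()
    # Collect every IPv4 literal on the line, including "(1.2.3.4; 5.6.7.8)" annotations.
    for candidate in _IP_RE.findall(line):
        try:
            ips.add(str(ipaddress.ip_address(candidate)))
        except ValueError:  # e.g. an octet above 255
            pass
    host = re.sub(r"\(.*?\)", "", line).strip()            # drop "(...)" annotations
    host = re.sub(r"^[a-z]+://", "", host, flags=re.I)    # drop http://, httx://, hxxp://
    host = host.split("/")[0]                             # drop any path
    host = re.sub(r"\s+\.", ".", host)                    # re-fang "name .com"
    host = host.strip().lower().rstrip(".")
    domains = set()
    if host and not _IP_RE.fullmatch(host) and _DOMAIN_RE.fullmatch(host):
        domains.add(host)
    return domains, ips


def build_blocklist(text):
    """Normalise a whole pasted list into (sorted domains, sorted IPs)."""
    domains, ips = set(), set()
    for raw in text.splitlines():
        d, i = normalize_entry(raw)
        domains |= d
        ips |= i
    return sorted(domains), sorted(ips, key=ipaddress.ip_address)


def hosts_file_lines(domains):
    """Sinkhole format: point every blocked name at 0.0.0.0."""
    return [f"0.0.0.0 {d}" for d in domains]


def squid_dstdomain_lines(domains):
    """One entry per line for a Squid 'acl blocked dstdomain "/path/file"' ACL;
    the leading dot also matches subdomains."""
    return [f".{d}" for d in domains]


if __name__ == "__main__":
    doms, addrs = build_blocklist(SAMPLE_ENTRIES)
    print("\n".join(hosts_file_lines(doms)))
    print("\n".join(squid_dstdomain_lines(doms)))
    print("\n".join(addrs))
```

Lines the parser cannot turn into a plausible hostname or IPv4 address are dropped silently rather than emitted as a malformed rule, which is the failure mode to prefer when the output feeds a proxy or DNS sinkhole.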

(blocklist) fastflux botnet changing from christmas cards to Obama

While doing some research on the fast-flux botnets that are going around, I was trying the several domain names that they were using. None of them worked. So I thought: not possible, these zombies can not all be downed and cleaned....

They weren't. When I used the IP address, up came a real fake Obama site, looking like this: [screenshot]

You can even try to log on, but then there is an application that asks to be downloaded (yeah, sure).

[screenshot]

At the same time, connecting to the site gave an attack on the computer, and the alert was the following:

It came from the site googl-status.com, IP address 74.200.80.10, on port 80, and it tried to download a malicious PDF file.

and if you would have clicked on 'en espanol' you would have downloaded this http://85.101.77.184/usa.exe

The fake Obama website is hosted on 85.101.77.184 in Turkey and, according to abuse.ch, it is part of the Waledac fast-flux botnet.

This means that fast-flux botnets can also change their nature and content at will, and maybe that is another danger that should be underlined, and another reason why battling this kind of botnet is of even bigger urgency than before.

According to other online postings, the messages on this blog (as if Obama had refused to become president) were also spammed a few days ago.

According to Panda Security this is the list of websites that try to distribute a new worm:

httx://bestbarack.com
httx://bestbaracksite.com
httx://bestchristmascard.com
httx://bestmirabella.com
httx://bestobamadirect.com
httx://bestyearcard.com
httx://blackchristmascard.com
httx://cardnewyear.com
httx://cheapdecember.com
httx://christmaslightsnow.com
httx://decemberchristmas.com
httx://directchristmasgift.com
httx://eternalgreetingcard.com
httx://expowale.com
httx://freechristmassite.com
httx://freechristmasworld.com
httx://freedecember.com
httx://funnychristmasguide.com
httx://goodnewsdigital.com
httx://goodnewsreview.com
httx://greatbarackguide.com
httx://greatmirabellasite.com
httx://greatobamaguide.com
httx://greatobamaonline.com
httx://greetingcardcalendar.com
httx://greetingcardgarb.com
httx://greetingguide.com
httx://greetingsupersite.com
httx://holidayxmas.com
httx://itsfatherchristmas.com
httx://jobarack.com
httx://justchristmasgift.com
httx://lifegreetingcard.com
httx://linkworldnews.com
httx://livechristmascard.com
httx://livechristmasgift.com
httx://mirabellaclub.com
httx://mirabellamotors.com
httx://mirabellanews.com
httx://mirabellaonline.com
httx://newlifeyearsite.com
httx://newmediayearguide.com
httx://newyearcardcompany.com
httx://newyearcardfree.com
httx://newyearcardonline.com
httx://newyearcardservice.com
httx://reportradio.com
httx://smartcardgreeting.com
httx://spacemynews.com
httx://superchristmasday.com
httx://superchristmaslights.com
httx://superobamadirect.com
httx://superobamaonline.com
httx://superyearcard.com
httx://thebaracksite.com
httx://themirabelladirect.com
httx://themirabellaguide.com
httx://themirabellahome.com
httx://topgreetingsite.com
httx://topwale.com
httx://uperobamadirect.com
httx://waledirekt.com
httx://waleonline.com
httx://waleprojekt.com
httx://wapcitynews.com
httx://whitewhitechristmas.com
httx://worldgreetingcard.com
httx://worldnewsdot.com
httx://worldnewseye.com
httx://worldtracknews.com
httx://yourchristmaslights.com
httx://yourdecember.com
httx://yourmirabelladirect.com
httx://yourregards.com
httx://youryearcard.com

Network administrators should warn their users not to click on messages with a spectacular Obama video and other similar stuff, and to stick to the real news sites for real information. You can use the sites above as a blocklist to make sure.


01/16/2009

Unique: the geolocation of the 50 most active abusing IPs according to AbuseButler

We have put a geolocation search and its results together with the report of the most active and longest-lasting IP addresses according to

http://spamvertised.abusebutler.com/all.php (info for domain registrars that they should keep somewhere, just to keep those people out of their systems)

http://spamvertised.abusebutler.com/stats.php (most active)

Abuse Butler Most Active Geolocation


01/14/2009

Blocklist Waledac trojan - the new Storm worm

bestchristmascard.com
bestmirabella.com
bestyearcard.com
blackchristmascard.com
cardnewyear.com
cheapdecember.com
christmaslightsnow.com
decemberchristmas.com
directchristmasgift.com
eternalgreetingcard.com
freechristmassite.com
freechristmasworld.com
freedecember.com
funnychristmasguide.com
greatmirabellasite.com
greetingcardcalendar.com
greetingcardgarb.com
greetingguide.com
greetingsupersite.com
holidayxmas.com
itsfatherchristmas.com
justchristmasgift.com
lifegreetingcard.com
livechristmascard.com
livechristmasgift.com
mirabellaclub.com
mirabellamotors.com
mirabellanews.com
mirabellaonline.com
newlifeyearsite.com
newmediayearguide.com
newyearcardcompany.com
newyearcardfree.com
newyearcardonline.com
newyearcardservice.com
smartcardgreeting.com
superchristmasday.com
superchristmaslights.com
superyearcard.com
themirabelladirect.com
themirabellaguide.com
themirabellahome.com
topgreetingsite.com
whitewhitechristmas.com
worldgreetingcard.com
yourchristmaslights.com
yourdecember.com
yourmirabelladirect.com
yourregards.com
youryearcard.com

Related Exploit Domains (no new ones listed):

seocom.name
seocom.mobi
seofon.net

Source: shadowserver.org


01/13/2009

Blocklist for LinkedIn malware campaign

Domains used on the bogus profiles:
sextapegirls.net (88.214.200.5)
celebsvids.net (216.195.57.47)
katynude.com (216.195.57.47)
delshikandco.com (82.103.132.114)

sextapegirls.net
hotvidz.info/ (88.214.200.5)
celebsvids.net
katynude.com/ (216.195.57.47)
quickly-porn-tube.net (69.59.21.247)
tube-4you-best.com/ (69.59.21.247)
2009download-best-soft.com/ (94.247.3.228)
delshikandco.com (82.103.132.114)
delshiktds.com/ (64.27.28.225)
delshiktds.com/
celebs-online2009 .com/
megaporntubesonlin.com/
filesstorage4you.com/
viewersoftwarearchive.com (94.247.3.232)
dasgdasg.net (91.205.96.12)
new-york-images.com (89.149.207.114)
future-pictures.com (94.247.2.117)
download-everything.com (69.46.16.99)
archiveviewsoftware.com

193.142.244.17

94.247.3.228
files-upload-21.com
downloabsecurehere1.com
downloabsecurehere2.com
downloabsecurehere3.com
downloabsecurehere4.com
fast-download-base-free.com
download-all4free.com
download-softarch .com
dwnld-files .com
get-frsh-files .com
download-fls.com
downloadall-soft-now .com
downloadallsoft-now.com
download-allsoftnow.com
downloadallsoftnow.com
soft-4-you-download.net
get-files-4free.net
download-top-software.net
files-download-arch.net
download-files-bak.net
download-files-plus.net
pure-download-new.net


69.59.21.247
uni-tube-911.com
bestmytubeonilne1 .com
bestmytubeonilne2.com
bestmytubeonilne3.com
mybest-pov-tube.com
my-bestpov-tube.com
u-tube-verse.com
tubeger.com
tube-4-free-center.com
tube-4you-best.com
tube-hu.com
tube-more-sex.com
quickly-porn-tube.net
fast-xxx-tube.net
tube-chick.net
tube-free-4-adult.net

antivir-av-toolz.net
scanner-pc-toolz.net
av-scan-soft.net
av-scan-here.net
anti-vir-toolz.com
freenonline-scannerw.com
freenonline-scanner.com
av-mc-antivir-checker .com
freenonline-scannera.com
bestmyscanneronilne3.com
bestmytubeonilne3.com
bestmyscanneronilne2.com
bestmytubeonilne2.com


94.247.3.232
viewerdownload2009 .com
freedownload2009 .com
filesstorage2009.com
exefileshere2009.com
bestfilesarchive2009.com
softwareviewers2009.com
filesinnet4you2009.com
downloadfilesservice .com
jetexestorage.com
clickandgetfile.com
secretfilesstoragehere.com
x-filesstorehere.com
filesportalher .com
exefileshere.com
extrafilesonlyhere.com
pornexearchive.com
viewerarchive.com
crystalfilesarchive.com
download2009exe.com
3d-softwareportal.com
downloadfilesportal.com
exesoftportal.com
softwareportalexefiles.com
becollectionoffiles.com
extracoolfiles.com
freepornclips2u.com
filesstorage4you.com
downloadexenow.com

Source


01/08/2009

Botnet command and control centers from 'help Israel win'

The Internet Storm Center has analysed the code of the tool that the website 'help Israel win' wanted to distribute to more than 7500 people, and about which we reported earlier.

This is the list to block (and read closely: some of them work on port 80, web traffic that you can't block wholesale, so only destination blocking by address will help).

74.200.82.243:80
74.204.170.92:80
213.175.205.254:80
94.76.212.76:80
94.76.212.77:80
74.204.188.161:80
74.204.188.180:80
pati.dyndns.info (I think this is abuse of the service, no?)
defend.is-a-geek.net
pati.servebeer.com
rocker.redirectme.net
pati.chickenkiller.com
takemeout.jumpingcrab.com


01/07/2009

New malwaredomain.com list for January

www.astrumavrpro.com
antivirusplus2009.com
antivirus-plus-2009.com
av-online-scan.org
spyprotector-pro.com
sys-scanner.com
traffchecking.com
virusandspywarescaning.com
watchnetprotection.com
whereismyclick.cn
pc-security-scanner.com
www.zghncsr.cn
www.368500.cn
seocom.mobi
www.fun6677.com
ixfree.net
www.ouwou.cn
www.fun6677.com
www.ffxionlion.com
evestars.net
bigsellstaff.cn
hbjhejsc.com
lepr.info
www.motruck.de
www.graphicdesign-valleedejoux.com
ihgcxianj.com
har5launo.com
www.anifan.de
lautec-doors.com
www.gdtranslations.com
www.mortar.metal.pl
www.jurand.yoyo.pl
www.mainstoreb.vot.pl
epeiy.com
blogsbee.com
thick-click.com
www.concertgroove.com
saudieng.net
www.versicherungen-waltrop.de
three-elements.us
82.165.74.94
troiani.altervista.org
www.naaree.com
www.siatkowka7.republika.pl
www.xtipp.hu
www.gajatravel.pl
www.miroslavgojic.rs.ba
www.milletinefendisi.com
www.prograf.tychy.pl
www.just-pol.pl
ioifilm.net
www.projektovanje.org
www.kamienicapolska.gmina.pl


01/06/2009

To block: malicious online links

From Arbor Networks:

http://north-host.net
http://flemminglind.dk
http://numeralingenuity.com/
http://diettopseek.cn
http://numeralingenuity.com
213.155.6.80

http://asert.arbornetworks.com/2009/01/buy-buy-exploitation/


ID-ref.be part of international phishing botnet

Reposted because important: there is a Belgian site in the botnet network according to Arbor Networks. Also block the mentioned sites; they are part of a botnet (people in some other countries will see some of their own domains pop up; some say this diversity is a first for fast-flux botnets).

Thanks, Arbor Networks, for publishing this; we want more.

Today it’s an American Express phish. In the past few weeks it’s been JPMorgan Chase, Bank of America, CitiGroup, Colonial Bank, and many others. All of them are using fast flux hosting techniques on the same hosts. I don’t know the name of this botnet (either the malcode or the colloquial name) but it sure is busy. Here’s a list of domain names they have been using for their activities (gathered using passive DNS techniques, most of them are now suspended domains):

  • dir10.cz
  • adobeflasplayer10.com
  • isapid.cz
  • es-pos1.es
  • es-pos0.es
  • frankiezfunz.com
  • sofia16-online18.com
  • es-pos3.es
  • idsrv1.es
  • serverdemobank.com
  • idsrv2.es
  • id-rt01.cz
  • aktien-news-online24.com
  • id-rt04.cz
  • flashplayercolonial.com
  • srv-3id.cz
  • clrtemp.cz
  • file033.cz
  • file11.cz
  • sofia16-online24.com
  • ref-id.es
  • idsrv4.es
  • player10update.com
  • bankamericademo.com
  • dir017.cz
  • idrtd.cz
  • 0177.es
  • id-ref.cz
  • serversupdates.com
  • srv-1id.cz
  • 72.in-addr.arpa
  • id0.cz
  • bmspeedlab.org
  • id-rt03.cz
  • democolonialbank.com
  • refid73.es
  • refid70.es
  • identify-3.cz
  • colonialshow.com
  • demobankofamerica.com
  • cs03.cz
  • isapi10.cz
  • es-pos2.es
  • id-ref.be
  • 0104.es
  • idsrv10.es
  • bumospo.com
  • hawaiiantel.net
  • isdir.cz
  • cs07.cz
  • cs01.cz
  • identify-4.cz
  • ptil.cz
  • sofia18-online.com
  • idsrv11.es
  • installadobeplayer.com
  • es-pos7.es
  • colonialdemo.com
  • bmspeedlab.com
  • id-rt02.cz
  • srv-4id.cz
  • fasttrk.cz
  • bumotor.org
  • srv-7id.cz
  • bumotor.net
  • identify-1.cz
  • bumospe.tk
  • onlineserverdownload.com
  • clasmatessup.com
  • everettzfunz.com
  • file17.cz
  • demoversions10.com
  • tempdir.cz
  • demoservers1.com

This was published on the 14th of December by Arbor Networks, but as we have no CERT and I decided to take some holiday and more family time (this is not my job), nobody did anything with this info. Normally this should have been closed down 4 hours after being discovered (that counts for all of them, in fact).

This is the whois for id-ref.be (look at the email address.... if that doesn't work, dns.be can block the domain, but if it is a botnet they will have to be careful with opening response mail. As a domain registrar I would not even use my own mail server; you can try it from a Yahoo account also, if it ain't working there it won't work anywhere....)

For the moment there seems to be no website at this address, but maybe something is hidden somewhere, or waiting, that we can't see yet.

Also look at some of the other domain names that were registered or used. Quite interesting ones for malware, don't you think, especially if you can fake MD5 certificates for files....

Domain details
Domain
Name: id-ref
Status: REGISTERED
Registration: 26 November 2008
Last modification: 3 December 2008 10:55
Licensee
Language: English
E-mail: email
Technical contacts of the registrar
Name: Auto répondeur
Organisation: Gandi Sas
Language: English
Address: 15 place de la Nation
75011 Paris
France
Phone: +33.143737851
Fax: +33.143731851
E-mail: support-en@support.gandi.net
Registrar
Organisation: Gandi Sas
Website: www.gandi.net
Nameservers
a.dns.gandi.net
c.dns.gandi.net
b.dns.gandi.net


01/05/2009

Block and see: W32.Downadup.B worm

It is a typical old-style worm, scanning for passwords, shares and other vulnerable stations.

It is a new kind of worm because it uses online services to check for an internet connection and the time. If you see a lot of connections to these services, there could be a problem.

Next, the worm connects to the following URLs to obtain the IP address of the compromised computer:

  • http://www.getmyip.org
  • http://www.whatsmyipaddress.com
  • http://getmyip.co.uk
  • http://checkip.dyndns.org

 

The worm also generates new domain names from letters; you can block these because they have no other existence. The list follows here:

 
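Two of the behaviours described above are visible in proxy logs: repeated contact with the four IP-lookup services, and lookups of generated domain names that have no other existence. The script below is an added example of mine (not Symantec's and not code from this blog) that runs both checks over Squid-style access-log lines. The log lines are constructed, the random-looking names in them are made up rather than taken from the worm, and the "looks random" test is a deliberately simple vowel-ratio heuristic of my own, not the worm's real name-generation algorithm; the threshold of two IP-check hits per client is also an assumption.

```python
import re
from collections import Counter, defaultdict

# The IP-lookup services listed in the post above.
IP_CHECK_HOSTS = {
    "www.getmyip.org",
    "www.whatsmyipaddress.com",
    "getmyip.co.uk",
    "checkip.dyndns.org",
}

# Constructed Squid access.log lines: time elapsed client code/status size method url ...
# 10.0.0.5 behaves like an infected host; 10.0.0.9 makes one harmless IP check.
SAMPLE_LOG = """\
1231200000.101  120 10.0.0.5 TCP_MISS/200 512 GET http://checkip.dyndns.org/ - DIRECT/1.2.3.4 text/html
1231200001.221   90 10.0.0.5 TCP_MISS/200 480 GET http://www.getmyip.org/ - DIRECT/1.2.3.5 text/html
1231200002.300   95 10.0.0.5 TCP_MISS/200 470 GET http://getmyip.co.uk/ - DIRECT/1.2.3.6 text/html
1231200003.400  100 10.0.0.5 TCP_MISS/503 300 GET http://qwzxpvkrtjl.biz/ - DIRECT/5.6.7.8 text/html
1231200004.500  100 10.0.0.5 TCP_MISS/503 300 GET http://mkrtpzqvwx.info/search?q=0 - DIRECT/5.6.7.9 text/html
1231200010.000  200 10.0.0.9 TCP_MISS/200 800 GET http://checkip.dyndns.org/ - DIRECT/1.2.3.4 text/html
1231200011.000  200 10.0.0.9 TCP_MISS/200 9000 GET http://www.example.com/news/ - DIRECT/9.9.9.9 text/html
"""

_LINE_RE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+[A-Z]+\s+(\S+)")
_VOWELS = set("aeiou")


def parse_line(line):
    """Return (client_ip, host) from one access-log line, or None if it does not parse."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    client, url = m.group(1), m.group(2)
    host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].split(":")[0]
    return client, host.lower()


def looks_random(host, min_len=8, max_vowel_ratio=0.2):
    """Heuristic (an assumption, not the worm's algorithm): a long second-level
    label with almost no vowels is treated as machine-generated."""
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < min_len:
        return False
    vowels = sum(1 for ch in label if ch in _VOWELS)
    return vowels / len(label) <= max_vowel_ratio


def analyse(log_text, ip_check_threshold=2):
    """Count IP-check hits per client and collect random-looking hostnames per client."""
    ip_checks = Counter()
    random_names = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, host = parsed
        if host in IP_CHECK_HOSTS:
            ip_checks[client] += 1
        elif looks_random(host):
            random_names[client].add(host)
    suspects = {c for c, n in ip_checks.items() if n >= ip_check_threshold} | set(random_names)
    return {
        "ip_check_hits": dict(ip_checks),
        "random_names": {c: sorted(h) for c, h in random_names.items()},
        "suspects": sorted(suspects),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

A single IP-check request is normal behaviour for a user, which is why the client that makes one is not reported while the client that hits three services in a row and then resolves two vowel-less names is.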

Block Worm Domain Names

Source: Symantec


12/18/2008

IE exploit: new attack sites to block

252623.cn - 221.0.193.228
www.633r.com - 218.95.37.110
www.zjz-aaa.cn - 222.215.136.19
www.zjz-bbb.cn - 222.215.136.19
www.zjz-ccc.cn - 222.215.136.19
www.zjz-ddd.cn - 222.215.136.19
www.zjz-eee.cn - 222.215.136.19
www.zjz-fff.cn - 222.215.136.19
www.zjz-ggg.cn - 222.215.136.19
www.zjz-hhh.cn - 222.215.136.19
www.zjz-iii.cn - 222.215.136.19
dx.dxwyt1.com - 222.215.136.19
97.zjz-001.com - 222.215.136.19
97.zjz-002.com - 222.215.136.19
97.zjz-003.com - 222.215.136.19
www.federalservicesinfo.com - 195.122.26.133

Source: shadowserver.org


12/03/2008

Subdomain phishing hosters: the worst and what they can do

What they can do: http://www.antiphishing.org/reports/APWG_Advisory_on_Subd...

The worst (you decide if you need them in your network)


