It is all over the Belgian press today. According to a poll by Smart Business, 70% of Belgian enterprises block or filter their internet access. Most of the blocked categories are the usual ones, like porn and music, but there was some astonishment that nearly 1 in 3 blocks social sites altogether, or Facebook in particular. Aren't enterprises using Facebook for their networking? Isn't Facebook what email was before?
What the journalists and the specialists forgot to mention is that Facebook and eBay (and I suppose other applications like them) are responsible for such a large share of the network traffic, even with relatively few users, that blocking them simply becomes necessary if you have no bandwidth to spare. The reason is that so many different applications, advertisements and other servers have to be contacted before the user has assembled his whole page that, instead of one simple page, you have in fact downloaded a whole site. Secondly, because they use their inclusion in all these other sites as their means of advertising, their servers are requested far more often than any others, so Facebook and a few others are directly and permanently at the top of the list of the superusers. So the administrators take an interest and think about the big win of limiting or blocking Facebook: everybody will have enough bandwidth again, everything will go faster, and there is not much else to be done.
You could also block these sites during working hours but free them up during the lunch break, for example.
What can Facebook do about this evolution (other than ignore it and lose all those working and spending users in those business networks)?
First, make the pages and the interactions with Facebook's main servers lighter. I am sure there are some things that could be blocked or made much lighter. This could be done by putting them behind an 'activate' link, or by adapting some scripts and page layouts to make it all lighter and faster.
Secondly, make the advertisements and 'badges' lighter and try not to make them so dependent on the central servers.
Thirdly, work together with the proxy and security-filtering firms on a light and secure way of browsing Facebook in which the information is central and all the games, videos and pictures are blocked out.
logmein.com is a service that lets your users log in to your network from outside the network, for free. I don't think I have to explain the problems with that.
# List distributed by IBlocklist.com
# List builder v5
LogMeIn:184.108.40.206-220.127.116.11
Hamachi:18.104.22.168-22.214.171.124
LogMeIn:126.96.36.199-188.8.131.52
LogMeIn:184.108.40.206-220.127.116.11
Logmein:18.104.22.168-22.214.171.124
So block these ranges.
You can find a very big list of other blocklists on http://www.Iblocklist.com
Some of these lists are not copied verbatim but edited: domains that are too general or that should not be blocked are taken out (some useful ones, like .ru and .cn, are whitelisted), and the lists are made usable as blocking lists (the explanatory text is removed, for example).
If you have more lists, we are always interested.
The first thing to note is that they don't analyse their information very much. They could have made a list of the sites that most often infect or distribute malware across the web. They could start by publishing all the links that infect a certain website or deliver malware, not just a few of them. This would have made a priority blocklist, and it would have forced some hosters, ISPs or the firms themselves to clean up their act. Fetching such a list - as you will see below this posting - could be done much more easily from their database. Be creative, think outside the box.
Thinking about it, it could also be made into a feed that proxies and firewalls around the world could incorporate (provided nobody makes a stupid mistake again and thinks the whole internet has fallen into the hands of the crimeware mob).
Secondly, it is astonishing to see big websites being (partly) blocked just because there are some infected pages on their enormous sites. It is also astonishing that these operations don't have security people, or haven't intervened themselves to clean up their act immediately. The first step should not be to block them but to make them clean up, if they seem capable of taking care of it immediately.
They could do this the same way they have done with the webmasters for AdSense etc., and effectively use that information for their security contacts.
Thirdly, it is amazing how many scripts, trojans and downloads can be served from one or two pages. There are sites that had only one or two pages infected and were hosting hundreds of downloads. And if a big site is infected throughout, it is mostly hundreds of pages.
The Google search is:
site:google.com/safebrowsing/ "malicious software being downloaded"
And this is the blocklist of malware-distributing sites in March 2009 (cleverly googled out of their database).
Upgrade all your Acrobat Readers to 9.1.
Make sure the antivirus on your network inspects PDF files (they were thought to be too safe and too bothersome to scan for viruses).
Keep your antivirus updated.
Make sure you have a clean image or backup of your servers and PCs, just in case.
Block these sites in the meantime.
Some AdSense campaigns or other links (if AdSense starts cleaning up) link to the following domains:
rapidspywarescanner .com (126.96.36.199)
rapidantiviruspcscan .com (188.8.131.52)
antivirus-scan-your-pc .com (184.108.40.206; 220.127.116.11)
secure.softwaresecuredbilling .com (18.104.22.168)
secure.goeasybill .com (22.214.171.124)
secure-plus-payments .com (126.96.36.199)
We hate the fact that other antivirus software firms still think they have to hide the links involved in malware campaigns. This doesn't help anybody but the malware makers. In fact, many people use Google to check whether links are genuine or not, and when they see them mentioned as spyware and so on, they just don't go there. But if many antivirus software companies don't publish them, how would Google recognize and index them as malware sites?
While doing some research on the fast-flux botnets that are going around, I was trying the several domain names they were using. None of them worked. So I thought, not possible, these zombies cannot all have been taken down and cleaned....
They weren't: when I used the IP address, up came a real fake Obama site looking like this
You can even try to log on, but then there is an application that asks to be downloaded (yeah, sure).
At the same time, connecting to the site produced an attack on the computer, and the alert was the following:
It was from the site googl-status.com, from the IP address 188.8.131.52 on port 80, and it tried to download a malicious PDF file.
And if you had clicked on 'en español' you would have downloaded this: http://184.108.40.206/usa.exe
The fake Obama website is hosted on 220.127.116.11 in Turkey and, according to abuse.ch, it is part of the Waledac fast-flux botnet.
This means that fast-flux botnets can also change their nature and content at will, and maybe that is another danger that should be underlined: battling this kind of botnet is of even greater urgency than ever before.
According to other online postings, messages like those on this fake blog, claiming that Obama had refused to become president, were also spammed a few days ago.
According to Panda Security, this is the list of websites that try to distribute a new worm:
Network administrators should warn their users not to click on messages with spectacular Obama videos and similar stuff, and to stick to the real news sites for real information. You can use the sites above as a blocklist to make sure.
We have put up a geolocation search, with results and a report of the most active and longest-lasting IP addresses, according to:
http://spamvertised.abusebutler.com/all.php - info for domain registrars that they should keep somewhere, just to keep those people out of their systems
http://spamvertised.abusebutler.com/stats.php - most active
Related Exploit Domains (no new ones listed):
Domains used on the bogus profiles:
The Internet Storm Center has analysed the code of the tool that the website 'Help Israel Win' wanted to distribute to more than 7500 people, and about which we reported earlier.
This is the list to block (and read it closely: you will see that some work on port 80, web traffic that you can't block, so only destination blocking will help).
pati.dyndns.info (I think this is abuse of the service, no?)
From Arbor Networks:
Reposted because important: there is a Belgian site in the botnet according to Arbor Networks. Also block the mentioned sites; they are part of a botnet (other countries will see some of their own domains pop up; some say this diversity is a first for fast-flux botnets).
Thanks, Arbor Networks, for publishing this; we want more.
Today it’s an American Express phish. In the past few weeks it’s been JPMorgan Chase, Bank of America, CitiGroup, Colonial Bank, and many others. All of them are using fast flux hosting techniques on the same hosts. I don’t know the name of this botnet (either the malcode or the colloquial name) but it sure is busy. Here’s a list of domain names they have been using for their activities (gathered using passive DNS techniques, most of them are now suspended domains):
This was published on the 14th of December by Arbor Networks, but as we have no CERT and I decided to take some holiday and more family time (this is not my job), nobody did anything with this info. Normally this should have been closed down 4 hours after being discovered (that goes for all of them, in fact).
This is the whois for id-ref.be (look at the email address.... if that doesn't work, dns.be can block the domain, but if it is a botnet they will have to be careful opening response mail. As a domain registrar I would not even use my own mail server; you can try it from a Yahoo account as well, and if it isn't working there it won't work anywhere....)
For the moment there seems to be no website at this address, but maybe it is hidden somewhere or waiting, and we can't see it yet.
Also look at some of the other domain names that were registered or used. Quite interesting ones for malware, don't you think, especially if you can fake MD5 certificates for files....
|Registration||26 November 2008|
|Last modified||3 December 2008 10:55|
|Technical contacts of the registrar|
|Address||15 place de la Nation|
It is a typical old worm, scanning for passwords, shares and other vulnerable machines.
It is a new worm because it uses online services to check for an internet connection and the current time. If you see a lot of connections to these services, there could be a problem.
Next, the worm connects to the following URLs to obtain the IP address of the compromised computer:
The worm also generates new domain names from letters; you can block these because they have no other existence. The list follows here:
252623.cn - 18.104.22.168
www.633r.com - 22.214.171.124
www.zjz-aaa.cn - 126.96.36.199
www.zjz-bbb.cn - 188.8.131.52
www.zjz-ccc.cn - 184.108.40.206
www.zjz-ddd.cn - 220.127.116.11
www.zjz-eee.cn - 18.104.22.168
www.zjz-fff.cn - 22.214.171.124
www.zjz-ggg.cn - 126.96.36.199
www.zjz-hhh.cn - 188.8.131.52
www.zjz-iii.cn - 184.108.40.206
dx.dxwyt1.com - 220.127.116.11
97.zjz-001.com - 18.104.22.168
97.zjz-002.com - 22.214.171.124
97.zjz-003.com - 126.96.36.199
www.federalservicesinfo.com - 188.8.131.52
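The lists quoted in these postings come in two shapes: IBlocklist-style "Name:first_ip-last_ip" ranges (the LogMeIn list above) and pasted "domain - ip" or "domain .com (ip)" lines like the AdSense and worm domains. Below is an added example, not code from this blog, from IBlocklist.com or from any vendor named here, of turning both into firewall and resolver entries the way the earlier posting describes (strip the explanations, re-join defanged names, drop entries that are only a TLD, keep zones like .ru and .cn usable as a whole). The sample input is constructed from lines on this page; the choice of iptables DROP rules and unbound local-zone lines as output, and the `KEEP_ZONES` set, are assumptions of the example.

```python
"""Normalise blocklist fragments into firewall and resolver entries.

Added example (not the blog's, IBlocklist's or any vendor's code).
  * "Name:first_ip-last_ip" lines     -> CIDR blocks per list name
  * "domain - ip" / "domain (ip; ip)"  -> (domain, [ips]) entries
Comment lines are dropped, "example .com" defanging is undone, and bare TLDs
or zones in KEEP_ZONES are skipped instead of being blocked wholesale.
"""
import ipaddress
import re

# Constructed sample input, shaped like the lists in the postings (IPs as printed there).
SAMPLE_RANGES = """\
# List distributed by IBlocklist.com
# List builder v5
LogMeIn:184.108.40.206-220.127.116.11
Hamachi:18.104.22.168-22.214.171.124
"""
SAMPLE_DOMAINS = """\
rapidspywarescanner .com (126.96.36.199)
antivirus-scan-your-pc .com (184.108.40.206; 220.127.116.11)
www.zjz-aaa.cn - 18.104.22.168
.cn
www.federalservicesinfo.com - 188.8.131.52
"""

# Assumption: zones the posting wants to keep usable are never blocked as a whole.
KEEP_ZONES = {"ru", "cn"}

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(rf"^([^:#]+):({_IP})-({_IP})$")
IP_RE = re.compile(_IP)


def ranges_to_cidrs(text):
    """Map list name -> CIDR strings for every valid 'Name:first-last' line."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        m = RANGE_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        name, first, last = m.groups()
        try:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        except ipaddress.AddressValueError:
            continue                      # e.g. an octet above 255: skip, don't crash
        if hi < lo:
            lo, hi = hi, lo               # tolerate a reversed range
        out.setdefault(name.strip(), []).extend(
            str(n) for n in ipaddress.summarize_address_range(lo, hi))
    return out


def parse_domain_entries(text, keep_zones=KEEP_ZONES):
    """Return [(domain, [ip, ...])] with comments, bare TLDs and kept zones removed."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ips = IP_RE.findall(line)
        # The domain is everything before the first '(' or ' - '; undo "name .tld" defanging.
        dom = re.split(r"\s*\(|\s+-\s+", line, maxsplit=1)[0]
        dom = re.sub(r"\s+\.", ".", dom).strip().lower().strip(".")
        labels = dom.split(".") if dom else []
        if len(labels) < 2 or dom in keep_zones:
            continue                      # a bare TLD or a kept zone is too general to block
        if not all(re.fullmatch(r"[a-z0-9-]+", lab) for lab in labels):
            continue                      # leftover prose, not a hostname
        entries.append((dom, ips))
    return entries


def covers(cidrs, ip):
    """True if any CIDR in the list contains ip (sanity check for a conversion)."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(c) for c in cidrs)


def iptables_rules(cidrs_by_name):
    """Outbound DROP rules, one per CIDR, tagged with the list name."""
    return [f"iptables -A OUTPUT -d {c} -m comment --comment {name} -j DROP"
            for name, cidrs in cidrs_by_name.items() for c in cidrs]


def unbound_local_zones(entries):
    """unbound.conf lines that refuse resolution of each listed domain."""
    return [f'local-zone: "{dom}." refuse' for dom, _ in entries]


if __name__ == "__main__":
    for rule in iptables_rules(ranges_to_cidrs(SAMPLE_RANGES)):
        print(rule)
    for zone in unbound_local_zones(parse_domain_entries(SAMPLE_DOMAINS)):
        print(zone)
```

Blocking by destination address (the iptables output) is what the Help Israel Win posting above means by "only destination blocking will help" when the traffic runs over port 80; the resolver output catches the name before a connection is ever made, which is the better fit for the generated worm domains that "have no other existence".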
what they can do http://www.antiphishing.org/reports/APWG_Advisory_on_Subd...
The worst (you decide if you need them in your network)