RSS Feed
Twitter
... When it's an exploit of course!This URL (vURL results, PDF);nit99.biz/myy/viewtopic.php?s=bec8f62472wants us to believe it's a forum, that's going to let us view the respective topic associated with the ID in the s= variable. Alas however, it's neither a valid ID, nor a forum at all. What you'll actually get, is a whole host of badness battered down the pipes onto your poor machine.And what
This is featured post 1 title
Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
This is featured post 2 title
Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
This is featured post 3 title
Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
Thứ Tư, 30 tháng 12, 2009
Chủ Nhật, 27 tháng 12, 2009
15:29
nam tóc xù
The topic today is blackhat SEO, fake AV's and phishing. The culprit responsible for this boatload of maliciousness, is Eveloz (AS27716).Eveloz has 3 upstream providers, namely;AS11556 PA-CAPA2-LACNIC Cable-Wireless PanamaAS14551 ALTERNET-SA-AS UUNET TechnologiesAS23520 NEWWORLDNETWORK New World Network USA, Inc.Eveloz is also directly related to Panamaservers.com, an ISP with a history of
14:48
nam tóc xù
Just a note folks, I treat myself to a new Netgear WNR2000 N Router today (would've loved the MaxRange N router but couldn't afford it), which means the network will be unavailable later tonight, to allow for the current routers being replaced.I'm planning on doing the replacement at approx midnight tonight (GMT), and it shouldn't take more than 15 mins or so (allows for disconnection, connection
Thứ Tư, 23 tháng 12, 2009
15:36
nam tóc xù
I received an e-mail from a friend earlier, alterting me to possible malicious content over on Twitter (surprise surprise), and what I found actually did surprise me for a change.This spam run didn't lead to a worm, trojan, virus or other infection - but to an IAC website, webfetti.com.One thing they all have in common, aside from the IAC connection? Well, that would be Twivert. A site that
09:50
nam tóc xù
Those of you reading this blog for any length of time, or specializing in the documentation of malicious domains, will no doubt already be aware of RapidSwitch's history, but here's a little refresher for you;242 reasons to avoid 78.129.142.9 (RapidSwitch - AS29131)http://hphosts.blogspot.com/2008/09/242-reasons-to-avoid-781291429.htmlRapidSwitch customers still involved in SMS Fraud ......http:/
Thứ Ba, 22 tháng 12, 2009
17:26
nam tóc xù
After announcing to the world + dog, that they are offering their own version of OpenDNS, you'd have thought that meant they'd finally gotten serious about security (I know, I'm laughing at the thought too), but nope, Google's results are STILL littered with malicious content that will drive your PC into a frenzy, and drive you to a level of frustration you've never seen.As a quick example, I've
16:20
nam tóc xù
hpHosts has been and continues to be, an excellent project that I love being a part of, and although I'm glad that others find it useful, there's a certain segment that I would like to address. Given I don't know who these particular people are, I evidently can't contact them any other way, so figured a blog post would be best.Those I am referring to, are those "reviewing" and commenting on sites
08:10
nam tóc xù
This is indeed fantastic news, and a great present to Anderson, the Avant Force Team, the users that have supported Avant and Orca, and all of us lowly forum staff!As some of you may have heard the EU’s European Commision has forced Microsoft to include a ballot screen on all Windows computers running either Windows XP, Vista, or 7, you will get it through an update on Windows Update. This ballot
Thứ Bảy, 19 tháng 12, 2009
14:27
nam tóc xù
PDF exploits—mostly targeting Adobe Reader and Acrobat programs—are very commonly used on drive-by web sites. This situation is probably the result of the widespread use of the Adobe plugin, a rather large of number of vulnerabilities found in it, and reliable exploitation techniques.Two recent vulnerabilities for which I have added detection in Wepawet are CVE-2009-3459 and CVE-2009-4324 (click
08:19
nam tóc xù
Remember this and this? Well, it would appear they've had a change of heart, instead of suing me, the MD of the company, David Jones, has decided an apology is a better idea.I actually meant to post an update regarding this, a few days ago when the MD sent me the link, but I've been very side tracked with work and things, and forgot about it.Their blog doesn't mention Mr Mark Jones by name,
Thứ Sáu, 18 tháng 12, 2009
13:07
nam tóc xù
Many said Zango were dead, but myself and several others, have never considered them "dead", mainly because evidence was available to the contrary, but anyway, that's another story.I regularly check up on Google results for hpHosts as it's always proven useful in finding new malicious URL's (quite why is a mystery, but it's convenient non the less). Yesterday however, I stumbled on a couple of
11:23
nam tóc xù
Just an update folks. I'm happy to announce, after fighting with PHP for several hours (gave up, got some work done, then went to sleep), and then again for a couple hours this afternoon, the hpHosts forums and fSpamlist blog are back online.Annoyingly, in the end I had to completely rip PHP out of the server, and install an older version (i.e. the one that was working just fine and dandy until
Thứ Năm, 17 tháng 12, 2009
18:38
nam tóc xù
PHP released a new version earlier, and I thought I'd get the servers updated. Installing the new version on my development machine produced no problems, so I installed it on all of the servers that required it. All except the server that houses the hpHosts forums and fSpamlist blog, have taken to the new PHP release without issue.I've already tried rolling back to the prior version that was
Thứ Tư, 16 tháng 12, 2009
01:31
nam tóc xù
I'm happy to announce, Josh Kirkwood has just informed me that he's been successful in getting Spamhaus to SBL Riccom!http://www.spamhaus.org/sbl/sbl.lasso?query=SBL82098As of a check a couple mins ago, Riccom are still showing as unannounced, which means great news - they're still stranded!http://smakd.potaroo.net/cgi-bin/per-prefix?prefix=91.212.107.0%2F24http://cidr-report.org/cgi-bin/
Thứ Ba, 15 tháng 12, 2009
12:45
nam tóc xù
Just an update on the Cloudeight/Thundercloud issue folks. At the time of writing this, they've STILL not responded to my e-mail (asking them to what domain they were referring etc).http://hphosts.blogspot.com/2009/12/cloudeight-ever-hear-of-e-mail.htmlhttp://hphosts.blogspot.com/2009/12/thundercloudnetcloudeight-here-we-go.htmlA friend sent me a few of their newsletters, but I've not yet
05:28
nam tóc xù
I'm happy to announce, I woke up to a rather surprising e-mail today, from a Josh Kirkwood over at EuroConnex/BlueConnex. He informed me, because of this, they've booted Riccom, leaving them stranded.HelloI have read your article about us (/2009/12/blueconnexeuroconnex-as29550-riccom-ltd.html ) Firstly thanks for making such a concise list of the badness contained in that riccom /24 it was real
Thứ Hai, 14 tháng 12, 2009
05:40
nam tóc xù
Well, I'm back home for an hour (got the doctors in just over an hour too), so I've pulled the hpHosts server offline, replaced the PSU, replaced the CPU coolant, and am now defragging the data drive (the one with the hpHosts site files).The system drive was defragged over night, so if performance doesn't improve, I'm going to have to look at other options (it still needs converted over to SQL
Chủ Nhật, 13 tháng 12, 2009
16:30
nam tóc xù
The hpHosts server seems to be running alot slower than usual lately, and annoyingly, has been getting progressively worse over the past few weeks. I suspect it's due to a traffic overload, but am going to check the hardware in it as soon as I get back (I'm expecting to be back within approx 13 hours or so).The server has just been rebooted, but it's only gained a minor increase, and as such,
Thứ Sáu, 11 tháng 12, 2009
08:57
nam tóc xù
I was trying to access the Avant Browser forums earlier, and wondered why I couldn't. FTP wouldn't connect, nor would HTTP, so I tried via Web-Sniffer, to rule out a problem at this end, and nope, nothing there either.I then tried to phone HopOne, and was told I was in the position 3 of the queue, and would be speaking to someone in "2 minutes", but could check on their network status at
Thứ Năm, 10 tháng 12, 2009
17:38
nam tóc xù
Dear BlueConnex/EuroConnex, I wonder if you'd mind explaining to the ladies and gents of the internet, why you have STILL not booted Riccom? Why you continue providing connectivity for them, despite their not being a single legit domain within their IP range!.BlueConnex/EuroConnex's still providing connectivity is the reason they got a mention in the crimeware friendly ISP's listings, and sadly,
Thứ Ba, 8 tháng 12, 2009
16:11
nam tóc xù
Great News, my favourite RSS reader for the past few years, is going open source folks!.I have to say I haven’t spent a lot of time on GreatNews lately. Save the usual excuses, the most important thing is how to keep GreatNews updated regularly. I’m considering what’s the best way to release GreatNews source code. Most of the code base are safe to open, but there are small amount of code belong
Thứ Hai, 7 tháng 12, 2009
09:45
nam tóc xù
Want to own a domain name and do whatever you want? Including using it for malicious purposes - use dot.tk apparently.Nope, disgustingly, it's not a joke. Aslong as you're paying them for the domain, they apparently couldn't care less (that may not be how their e-mail to me was worded, but it's certainly what they've implied);Dear Sir/Madam, We appreciate your email. Unfortunately our policy does
07:14
nam tóc xù
It seems Mr Jones over at frontlinecom.co.uk isn't too happy with me. Not for publishing the information found concerning the spam - but for posting the footer of the e-mail (the bit with the company name, address etc etc in it).Given the information is available publicly anyway, via his own website infact, I'm confused as to what the problem is;It's okay for him to hire people he knows are going
07:04
nam tóc xù
A poster to the digitaltoast.co.uk blog concerning supportonclick.com, referenced yet another domain taking part. This time, onlinesupportforyou.com. Unfortunately this time, it is more than just a scam as this particular site, is carrying an exploit via;hxxp://kellerkamer.de/images/impressum.php> hxxp://matistuta.kampno.pl/prace/do_addcat.php>> hxxp://odenserideudstyr.dk/images/
Chủ Nhật, 6 tháng 12, 2009
15:04
nam tóc xù
Thundercloud/Cloudeight have went on another rant it seems.http://thundercloud.net/infoave/answers/2009/wot.htmI tried sending the following, but their contact form rejected it as it's over 300 chars;"Alas poor yoric ... I've just noticed yet again, that you've failed miserably in checking your facts;1. hpHosts comments on WoT are NOT posted by me. They're put there automagically when WoT syncs
Thứ Sáu, 4 tháng 12, 2009
05:58
nam tóc xù
I've just had an interesting conversation with Mark Jones over at Frontline (frontlinecom.co.uk), due to a Simon Carter (likely a fake name) spamming the hpHosts blog to advertise Frontline's website.Mark confirmed they'd hired an Indian based SEO company to market for them, and when told about spamming, said he would advise them not to spam the hpHosts blog again, but would NOT tell them to stop
Thứ Năm, 3 tháng 12, 2009
09:57
nam tóc xù
It's not uncommon for someone to e-mail me, or PM me via one of the many forums, to ask why a domain is listed, or ask for it to be removed, or even, ask for a domain to be added. Indeed, I've got 3 e-mails in my inbox at present, from 2 companies demanding their sites removed (Conduit and Ascentive) and threatening to sue me if I don't.Alas it seems, some people can't even send an e-mail. I came
08:24
nam tóc xù
hpHOSTS - UPDATED December 3rd, 2009The hpHOSTS Hosts file has been updated. There is now a total of 111,950 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! Latest Updated: 03/12/2009 13:24Last Verified: 02/12/2009 09:00Download hpHosts now!http://hosts-file.net/?s=DownloadhpHOSTS is a community managed hosts
Thứ Ba, 1 tháng 12, 2009
15:58
nam tóc xù
Following on from the SupportOnClick scam, it would appear folks, that we've got a new contender for the worlds worst scammer award.Reports are flowing online, of techonsupport.com, pulling the same scam as the folks over at supportonclick.com (other sites they're known to use are listed below. I first found out about them due to a comment over at DigitalToast.co.uk (I'd not noticed this one
15:57
nam tóc xù
Just a note folks, due to something cropping up, the hpHosts update will be out tomorrow instead of today (sorry folks).In addition, the fSpamlist server suffered corruption earlier, and sadly, rebuilding it didn't work (MySQL is playing silly buggers). As such, I've moved the site to a temporary server until I get some time tomorrow to rebuild the server from scratch.
05:26
nam tóc xù
Apologies for the latest downtime folks. Sadly the gateway died whilst I was asleep, leaving the entire network unaccessible. I've sorted that out and everything is now available again.I was also meant to have an hpHosts release out a few days ago, but due to a few things cropping up, it will be out later today instead.
Thứ Sáu, 27 tháng 11, 2009
18:38
nam tóc xù
The 31st issue of everybody’s favorite Ubuntu magazine is out! With 9.10 Karmic Koala just about a month old and the next release, Lucid Lynx, already on the horizon and in the news, take a look at what else is going on.This month, we’ve got:- Command and Conquer. - How-To: Program in Python – Part 5, The Perfect Server – Part 1, and Universe of Sound. - My Story – The Conversion. - My Opinion –
12:55
nam tóc xù
There is a lot of buzz surrounding the “New Moon” movie. In fact, there are thousands of websites trying to lure people into watching the movie for free, from the comfort of your home. Let’s mention that the movie is still in theatres Among those sites, there are those almost too goog to be true portals, where the movie is only a click away:Read morehttp://blogs.paretologic.com/malwarediaries/
Thứ Năm, 26 tháng 11, 2009
19:41
nam tóc xù
I wrote a while back (July, August and then again in September, about the Alliance and Leicester botnet, that served to scam the unwitting out of their banking information. Then of course, there was the MSN phishing from the Sun Network range, and later, spilled onto a botnet when myself and Jonathan, kept getting them shut down.Now it seems, both the Alliance and Leicester, and the MSN phishing
08:52
nam tóc xù
I've just received several more Facebook e-mails that point to URL's hosted on a botnet, and both steal your information, load an iFrame to an exploit, and finally, offer you an "update tool", that is the well known Zbot infection.Sadly, Outlook 2007 isn't letting my Outlook Export application work properly, so I've had to grab the IP's and such manually (well, via hpObserver ;)).hpObserver
Chủ Nhật, 22 tháng 11, 2009
06:42
nam tóc xù
Jonathan sent me an e-mail earlier, refering a domain involved in phishing. This particular one however, contains several interesting aspects.Most notably, it not only asks for your Facebook credentials, it also leads to what claims to be a legit software developer, and this "legit" developer, is offering a Conduit toolbar, claiming it to be a "Facebook toolbar". msbitsoftware.com is an Israel
Thứ Tư, 18 tháng 11, 2009
16:11
nam tóc xù
I've received two of these so far, both pointing to two different domains of course, and find them rather intruiging given it's the first time I've seen this method used.The e-mails start off pretty typical of the 419'ers, but then proceed with a link to ask for a donation - and so far, there's no additional infection involved that I can see;E-mail 1:Hello,My name is Marius and I am a student at
08:01
nam tóc xù
Okay, so I completely ruined what used to be a great Rod Stewart song - but it's been worth it. I was alerted by my friend Dee Hughes over at Freeware Home, of a rogue domain one of her visitors came across during a Google search for Outlook Express that led via the Sponsored results (surprise surprise) to expressdownloadz.com (see left).She asked if I could dig up anything on this domain as
Thứ Ba, 17 tháng 11, 2009
Chủ Nhật, 15 tháng 11, 2009
10:56
nam tóc xù
Looking up records for AS46636, I noticed something interesting. The Netblock WhoIs showed a reference to "uaonline", but the AS was saying it belonged to NatCoWeb, clearly something was amiss here, as I remember this as being Real International Business Corp just a few months ago.I decided to look further, and got clarification that Real International Business Corp, are indeed NatCoWeb, thanks
08:31
nam tóc xù
Ecatel (AS29073) have been on the radar for quite some time now, and looking at the amount of malicious content on their network, I'm not expecting this to go away any time soon.What I do find interesting, is the newest domains I've come across on their network, appear to be trying (and very badly I might add) to confuse automated analysis by obfuscating the code of the site you're eventually
Thứ Sáu, 13 tháng 11, 2009
15:09
nam tóc xù
WordPress have released a new version folks. MAKE SURE YOU'RE KEEPING YOURS UPTO DATE!!!!2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem,
09:53
nam tóc xù
Seems Malwarebytes have gotten themselves a fan, alongside the fans already out for MalwareDomainList et al. Just with malwaredomainlist2.com (which sporadically redirects via domains such as ask.com now by the way), this one is currently parked.Referred to: whois.above.comBy: whois.internic.netRegistration Service Provided By: ABOVE.COM, INC.Contact: +613.95897946Domain Name:
09:50
nam tóc xù
Just a warning folks. I've just received the following from PlusNet that indicates there's going to be an excessively high amount of traffic this coming weekend, which will see the potential for reduced performance for all of their customers, including those such as myself that have the business package.Service: Network Capacity (ADSL/20CN)Posted: Fri, Nov 13 2009 at 17:27:13Subject: Broadband
06:48
nam tóc xù
As if BT ripping you off by charging a fortune for calling people isn't enough (over £2 for under 3 mins to a US number!!!!), the phishers have come up with a little help for our dear BT management and shareholders, in the form of a phishing scam.I was advised about this a little earlier (sorry folks, was sleeping or would've posted this earlier). I don't have the original headers for the e-mail,
Thứ Năm, 12 tháng 11, 2009
15:10
nam tóc xù
If you've been anywhere online lately, especially Google or the likes, you'll no doubt have noticed or read about, the blackhat SEO campaigns. One of the many ISP's involved, whether deliberately or otherwise, is EuroConnex. This ISP has an excessively large amount of malicious domains currently present within their network.One of the most recent I came across, was actually whilst writing this,
Thứ Tư, 11 tháng 11, 2009
14:17
nam tóc xù
Personally, I don't believe the fine is large enough. Nor do I believe the Tagged CEO's response. Tagged knew exactly what they were doing, and were playing on their "users" (read: victims) not understanding that the company was stealing their contacts list in order to spam such - exactly what some other "social networking" sites do (i.e. Meet Your Messenger, WAYN et al).Tagged.com has paid
Thứ Ba, 10 tháng 11, 2009
14:37
nam tóc xù
Just a note folks, I've been advised that malwaredomainlist2.com has now also been registered, and not by any of us that run the real malwaredomainlist.com website. There's currently no website actually there, it's parked with sedoparking.com, but we're expecting abuse, and most likely the same form as we saw last time.Referred to: whois.above.comBy: whois.internic.netRegistration Service
09:52
nam tóc xù
Just a note folks, the hpHosts network will be down for approx 15-20 mins (hopefully alot less, depends on how the router behaves with the new firmware) to allow for the upgrading of the routers firmware. This update will start as soon as I've posted this./update 18:02Upgrade complete, and went alot smoother than the last one :o)
08:44
nam tóc xù
From the desk of, here Piradius goes again, comes news of their yet again providing housing to Zbot infrastructure .... sorry Piradius, what was that, you're a legit ISP? Well the evidence we've seen over the months says otherwise I'm afraid.Piradius.net appears to be up to its dark grey hat antics again with a server at 124.217.251.179 which is providing services to the current run of Zbot
07:49
nam tóc xù
Hosting Panama have several ranges that are or have been, involved in malicious activity. The latest of these being 200.106.145.0/24, which is responsible for this little baggage of fun;http://proanalytics.cn/stats.txtThis text file of course, isn't a text file at all, it's a Javascript file that leads to a whole heap of malicious exploit goodness;http://proanalytics.cn/tds/go.php?sid=1http://
05:49
nam tóc xù
I know I shouldn't be laughing, but after all the fanboys going wild with digs at IE etc users, about how "oh so more secure" Firefox is, I just can't help myself. I said this would happen, as did many others, and the fanboys were unable and are still unable, to provide a reasonable defense as to why we were wrong, instead preferring to go into childish playground arguments (ever found a fanboy
Thứ Hai, 9 tháng 11, 2009
16:12
nam tóc xù
Next on the list of cybercrime friendly ISP's, is root eSolutions, who amongst many others, are providing home for a range known as "Financial company "Titan" LTD" (193.169.12.0/23, AS49353 (TITAN)). This range has been the home of many a fake AV, exploits and various other things for longer than I'd like, and seemingly, root eSolutions don't give a hoot. Something we need to change.Just some of
09:34
nam tóc xù
Jonathan has been firing off e-mails to abuse depts for the various ISP's involved in providing hosting to one of the domains, and has sent me an update that includes those that have both responded and taken action, and those that have not.ISP's who have taken action already: 24.117.242.185 - > CableOne = DOWN, or just timing out.77.127.51.53 - > Zahav.net.il = DOWN, or just timing
Chủ Nhật, 8 tháng 11, 2009
05:14
nam tóc xù
If you remember, I wrote a couple days ago, about China based ISP, Sun Network.Jonathan has been e-mailing them since, and they've now gone back to claiming they can't do anything as it doesn't lie within their authority (funny, given they'd already sent their customer an e-mail saying they had 72 hours to remove the malicious content).What is worse however, is that their customer has not only
Thứ Bảy, 7 tháng 11, 2009
19:37
nam tóc xù
99% of you will already be aware of the likes of typo squatters, so I'll refrain from blabbering on about those ones, and instead, use one I came across today, which isn't actually a typo squatter, is "parked", but still contains a nasty surprise.The domain is hostsfile.net, look familiar? Yep, hpHosts is hosts-file.net (notice the difference?). If you made a typo whilst looking for the hpHosts
Thứ Sáu, 6 tháng 11, 2009
Crimeware friendly ISP's: Sun Network (AS38197 121.54.171.0/24, Hong Kong) / iJoos Network Solutions
19:17
nam tóc xù
What do you get if you cross MSN + scammers + a rogue Chinese ISP? That's right folks, a whole lot of phishing phun!http://hosts-file.net/?s=121.54.17.&view=matchesNB: Those previously at 121.54.174.* moved to .171 after their 174.* IP's were shut off, these will be reflected in the main hpHosts database when someone queries the respective domains report pagesMy friend Jonathan has been tracking
07:03
nam tóc xù
In my previous article, I talked about the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight different approaches to take down this botnet theoretically. But when it comes to the actual shutdown, it's far more complex than just finding out the command and control server coordinates and fallback mechanisms. An actual shut
Thứ Năm, 5 tháng 11, 2009
04:50
nam tóc xù
Killing the beast...Part 4 (Ozdok)Ozdok a.k.a Mega-d is one of those botnets that has been very successful flying under the radar over the past few years. Recent stats by Marshal TRACE show Ozdok is currently responsible for about 4.2% of the world's overall SPAM. The question that arises again is who are the guys controlling this botnet, and more importantly from where? I recently conducted a
Thứ Ba, 3 tháng 11, 2009
03:52
nam tóc xù
We've had various phishing botnets over the years, and this one is no different, well, almost. I received several e-mails claiming to be from Facebook, with the following content;facebookDear Facebook user,In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features
Thứ Hai, 2 tháng 11, 2009
15:34
nam tóc xù
"Serious" over the Malwarebytes forums alerted me to a site that was suspected of ripping off the VirScan.org site (provides a service along the lines of VirusTotal), www.hrppw.com.cn.I fired off an e-mail to the virscan.org guys to see if they knew anything about it and appears they weren't aware of it. I thought I'd upload a file to see how exactly they were doing this, whether they were
13:30
nam tóc xù
Malwarebytes Corporation have recently published information on their blog, concerning the stealing of the Malwarebytes Anti-Malware database by China based, IObit.Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe,
Chủ Nhật, 1 tháng 11, 2009
14:25
nam tóc xù
A next-generation Web server honeypot project is under way that poses as Web servers with thousands of vulnerabilities in order to gather firsthand data from real attacks targeting Websites. Unlike other Web honeypots, the new open-source Glastopf tool dynamically emulates vulnerabilities attackers are looking for, so it's more realistic and can gather more detailed attack information, according
08:26
nam tóc xù
There seems to be a trend over the past 6 months, of switching from links directly in the phishing e-mails, to having the entire phishing page in the e-mail itself (as an attachment). Others in the security arena have already publicised this for the most part, so I'll skip over the details.I wonder however, why our dear scammer has done this. I know it's to try and bypass phishing and junk
Thứ Bảy, 31 tháng 10, 2009
08:12
nam tóc xù
Can you believe it? We’ve made it to thirty. That’s right; thirty issues of FCM, and they wouldn’t have happened without you! Here’s a giant thank you to all the editors, translators, writers, hosting donators, and everyone else that’s made FCM and Ubuntu possible.This month:- How-To: Program in Python – Part 4, Applications for Bookworms, Installing OpenOffice.org Base. - My Story – The Doctor
06:43
nam tóc xù
The MVP Open day (more like a weekend thingy, but still) has now ended, with everyone else buggering off home. Stuck here till late tonight myself as the train isn't due until 21:40, and I'll then have a 10 hour wait at Birmingham train station thanks to the train back to Newcastle not being until 0900 tomorrow morning (yipee!).Aside from a lack of WiFi, it's been absolutely great, got to meet a
Thứ Năm, 29 tháng 10, 2009
15:16
nam tóc xù
Just a note folks. I arrived at Reading at lunchtime, annoyingly, with 5 hours of absolute boredom on the train thanks to a complete lack of WiFi on the train (thanks once again to CrossCountry Trains, a company I'll never be using again, and 3G, whose mobile connection decided it didn't actually want to connect to err - anything).Got a connection now at the hotel, but it's as slow as molasses,
15:14
nam tóc xù
Looks like CyberDefender haven't learnt, and are still up to their previously published tricks;http://www.gl1800riders.com/forums/showthread.php?t=230204Is the poster in the thread real? Is their experience real? Who knows, but knowing CyberDefender, I'm inclined to believe .... yep, the poster.
Thứ Tư, 28 tháng 10, 2009
03:29
nam tóc xù
I am pleased to announce, albeit a day later than planned, the October release of hpHosts.The hpHOSTS Hosts file has been updated. There is now a total of 108,234 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 28/10/2009 09:30Last Verified: 27/10/2009 23:00Download hpHosts now!http://
Thứ Bảy, 24 tháng 10, 2009
18:04
nam tóc xù
I received an interesting Abbey National phish yesterday, that decided, instead of simply pointing me to a URL, they'd try a better method of evading suspicion and phish/spam etc filters.The e-mail arrived from 81.252.149.105, with a PDF (shown left) attached (Dear Abbey Internet Bankiewng Holder.pdf), and the following bit of text;You need to update your account information for more reasons: 1.
Thứ Sáu, 23 tháng 10, 2009
20:27
nam tóc xù
You may be wondering where the October release of hpHosts has wandered off to. Let me assure you, it's not gone on holiday, it's not gone to Vulcan and it's not gotten itself lost on the tube (that's my job ;o)).Due to server issues and work, amongst other things, the October release of hpHosts is due for release on Tuesday (I would say Monday, but want to give myself some room). It's been going
18:18
nam tóc xù
... as if it ever really vanished (nope, at least, not completely, as thousands of site owners have never cleaned up their sites, leaving the original infection and/or backdoors in place - woops!).Read the write ups by FireEye and Unmkask Parasites;Gumblar, not Gumby!http://blog.fireeye.com/research/2009/10/gumblar-not-gumby.htmlRevenge of the Gumblarhttp://blog.unmaskparasites.com/2009/10/23/
15:16
nam tóc xù
I'm happy to report, the hpHosts server (formerly the backup server) is now back online. Thanks to a BIOS flash update that I was finally able to get hold of, it's got the 300GB drive in (formerly in the network backup server), though annoyingly, the BIOS update has removed the ability to boot from CD/DVD (option is no longer in the BIOS, boot options are there, just can't change the boot order),
02:41
nam tóc xù
And here comes yet another fake Windows update. This one claims to be an update for Outlook/Outlook Express, but nope, it's not. Rather predictably, it's the Zbot infection (Forgot to disable NOD32 when grabbing a sample, and it flagged it as Kryptic.ATQ).URL in the e-mail points to;hxxp://update.microsoft.com.bbttyak.org.uk/microsoftofficeupdate/KB910737/default.aspx?ln=en-us&email=zerozen@
02:28
nam tóc xù
Just an update concerning this.The machine annoyingly, does not recognize the new HDD (500GB), so I thought I'd swap the 500 for the drive in the network's backup machine and annoyingly, it doesn't recognize that either. It would appear, given it's recognizing the 40GB out of the test machine, that it only likes drives up to 80GB, which is a major annoyance. I was going to look for a BIOS update
Thứ Năm, 22 tháng 10, 2009
Thứ Ba, 20 tháng 10, 2009
16:32
nam tóc xù
I was trying to decide who to name and shame next, and it was a toss up between Bigness (AS49093), Ecatel and Krypt Technologies. I thought this time, we'd go with Bigness and leave Ecatel and Krypt Technologies for next time.Bigness came across the radar a few months ago, due to it's hosting a slew of malicious domains, and ONLY hosting malicious domains (I've not seen a single legit site hosted
Chủ Nhật, 18 tháng 10, 2009
20:54
nam tóc xù
.... Otherwise known as, what happens when you let complete morons onto the interwebs? Why this of course (and if the popup blocker (it tried loading 12 popups!), flash and ActiveX hadn't been disabled, it would've likely led to alot more (Wepawet timed out when analyzing it, or I'd have linked you to a full summary)).It all started on a Monday morning at cantosencantos.com (IP: 74.63.81.226 -
12:51
nam tóc xù
Whilst analyzing URL's in the malware DB, I noticed a URL with .sys, which are associated with Koobface. I decided to analyze the executable and noticed something interesting.The executable is UPX packed, and contains some interesting strings. Most notably, references to Facebook, captchastop.com and capthcabreak.com. The only things I could get from both of these domains, were a login page, so I
Thứ Bảy, 17 tháng 10, 2009
01:00
nam tóc xù
I've just noticed this latest episode, publicized by S!Ri. We all knew it was happening, but now thanks to S!Ri, we have the proof we needed. Makes me glad I stuck to my guns about keeping the likes of Loaris, included in hpHosts (as if we didn't already have enough evidence against them - now they've provided us with even more!).Some blog webmasters are regularly using the screenshots I made on
Thứ Sáu, 16 tháng 10, 2009
21:42
nam tóc xù
Just a note folks, the hpHosts server just died with a BSOD (STOP c0000218). It's in the process of dumping physical memory to disk, and once it's finished, I'll begin diagnostics./edit 06:57CHKDSK and defrag have finished, as has the analysis, and sadly, CHKDSK revealed bad blocks on the main system drive. I'm going to get the drive replaced as soon as I can (likely not going to be until next
Thứ Tư, 14 tháng 10, 2009
16:50
nam tóc xù
I'm sorry to say, I've just received the following e-mail from ClamWin, which means I'll now no longer recommend ANYONE use their software, and will be removing it from all computers I own and/or look after for others.Hi again,ClamWin team would like to thank all of you who voted in our poll and helped us form a broader opinion about the partnership with Ask.com.Based on your feedback and our
15:47
nam tóc xù
I've just spent the last couple of hours or there abouts (wouldn't normally take that long, but I'm a sadist, so spent time analyzing each file), downloading/analyzing, more downloading, then uploading/re-setting-up and re-configuring a friends site, after his WordPress installation got hacked and a malicious script installed on ALL PHP pages, with a simple script format, placed in all of the .
11:50
nam tóc xù
Netelligent have been around the block a few times, and are no strangers when it comes to malicious activity within their networks. Their network has been found to be involved in everything from exploits to rogues, blackhat SEO, and everything else besides.Alas, someone from Netelligent recently dropped by the Malwarebytes forums, professing their innocence (their last post was September 21st).
07:49
nam tóc xù
That email address of trafficbuyer@gmail.com is well known. The subdomain traffic.firedogred.com is dual-homed on 207.57.97.233 and 161.58.56.25 (both NTT America, Inc).The next hop is show.sheathssubtotal.info/rotate?m=3;b=2;c=0;z=406377sheathssubtotal.info was regisitered on 17th September with the same "trafficbuyer@gmail.com" contact details as firedogred.com.show.sheathssubtotal.info is dual
05:58
nam tóc xù
Just an update folks, I noticed a few minutes ago, that the server was returning resource exceeded messages again, which means the backup server it's on, has made a difference in terms of the site processing, but no difference to the DB processing. I've already ruled out corruption in the database, and errors in the sites codes, so the next step, is to re-write the site to use MySQL instead of
Thứ Hai, 12 tháng 10, 2009
23:26
nam tóc xù
Just a note folks, myself and Jasmine (Avant Force) have just finished moving the it-mate.co.uk, forum.avantbrowser.com etc sites, over to the new server (209.160.20.35). Sadly, the server doesn't seem to be publicly accessable at present (atleast, not from HTTP, and tracert is failing), so the sites will be down for a little while.
13:24
nam tóc xù
It would appear folks, that I forgot to use the non-thread safe installer when setting up PHP on the backup server for hpHosts (hpHosts itself doesn't use it, but certain routines do). Consequently leading to a couple of the DNS routines having to use the long way round (i.e. the Windows API) for DNS resolution.I've now installed IIS FastCGI (prefer the ISAPI myself, but apparently can't use that
Chủ Nhật, 11 tháng 10, 2009
19:45
nam tóc xù
I was asked by a friend earlier, to look at spywaretimes.com, due to it's appearing either hacked, or sold. Sadly, from what I've found, it appears to have been sold to an entity involved in fake meds.spywaretimes.com, for those unaware, is a former CoU sister site, and provided various anti-malware services (i.e. help with removal etc). What is surprising, is the Wayback Machine, shows the site
Đăng ký:
Bài đăng (Atom)
