RSS Feed
Twitter
I know it's not 2012 everywhere yet, but it is here, so happy new year everyone!.2011 has been an exceptionally strange, and sometimes downright frustrating year, and I doubt 2012 will be any different as I don't forsee some of the hosting companies/registrars attitudes changing, nor do I see ICANN or Ripe/Arin et al, getting off their backside and doing their damn job for a change.However, 2011
This is featured post 1 title
Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
This is featured post 2 title
Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
This is featured post 3 title
Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
Thứ Bảy, 31 tháng 12, 2011
Thứ Sáu, 30 tháng 12, 2011
01:34
nam tóc xù
The hpHOSTS Hosts file has been updated. There is now a total of 230,392 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 29/12/2011 00:15Last Verified: 28/12/2011 22:33Download hpHosts now!http://hosts-file.net/?s=Download
Thứ Tư, 28 tháng 12, 2011
Thứ Tư, 21 tháng 12, 2011
12:03
nam tóc xù
Ransomware, the practice of providing fake notifications that “you’re infected” and then selling a fake solution that removes the fake malware they just installed, has been a boon for scammers. Now, they’re taking it a step farther, and throwing in a law enforcement scare.This time, an official-looking banner pops up, purporting to be from various law enforcement agencies, localized by region,
Thứ Sáu, 9 tháng 12, 2011
21:40
nam tóc xù
I am assisting a friend at present, with an issue involving IPs constantly attacking his servers, and noted during one of his recent updates, that alot of them were HostNOC - turns out, there's quite the list of them (ignoring the others from known criminal networks). All are RFI etc, and all are already being blocked by ZBBlock (a script written by my friend Zaphod).The problem here, is HostNOCs
12:21
nam tóc xù
This one came in whilst I was asleep, no JS MITMs this time, just the link in the e-mail that uses a meta refresh to redirect you to the domain housing the Blackhole exploit itself;Hello,Shipping ConfirmationOrder # 651-5411744-0155168 Your estimated delivery date is:Tuesday, December 13, 2011Track your package
Thứ Năm, 8 tháng 12, 2011
22:29
nam tóc xù
This one came in an e-mail claiming to be from Facebook, with the usual social engineering rubbish;facebook Hi,You haven't been back to Facebook recently.You have received notifications while you were gone. 1 message
11:55
nam tóc xù
This little chap arrived in my spam box today, and almost got over-looked (I was checking the newest e-mails leading to the Blackhole exploit (one of which, couldn't decide if it was from LinkedIn or the FDIC)), and not surprisingly, is fake.The Payload, all 593KB of it, infects the unwitting victim with the SpyEye trojan. VT detection is utterly rubbish of course - only 2 vendors detecting
Thứ Hai, 5 tháng 12, 2011
10:01
nam tóc xù
I received a comment to the 2009 blog. This one houses a variation of the MO used that I outlined in part 1 (was not going to be a part 2, but it's got a few changes that warranted it).The MO in this case, is;1. Site A2. ExploitThere's no MITMs this time. There's also a slight change in the code used on the exploit page itself, though curiously, it's even easier to decode than the last one (only
03:01
nam tóc xù
For those wondering and not yet aware. The latest incarnations coming via e-mail have changed MO - the link to the exploit itself, isn't directly in the e-mail anymore. Instead, it goes via;1. Site A2. 4 x MITMs5. Exploit siteIn this case;cadcamengineers.com/6ebc21/index.html-> napaul.com/statcounters.js-> proplastics.rs/statcounters.js-> rodns.eu/statcounters.js-> sashandbow.com.au/
Thứ Tư, 30 tháng 11, 2011
08:39
nam tóc xù
Having been blogging this topic for quite a while, I figure this might be a good time to highlight some of the snippets of information that people have posted on some of those blogs (anonymized, of course). You might also be interested in a resource page I've started here at AVIEN.One prospective victim instructed to connect via the Run window to www.support.me. This turns out to belong to
Thứ Hai, 21 tháng 11, 2011
12:12
nam tóc xù
The hpHOSTS Hosts file has been updated. There is now a total of 216,044 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 21/11/2011 18:30Last Verified: 21/11/2011 19:00Download hpHosts now!http://hosts-file.net/?s=Download
Thứ Ba, 15 tháng 11, 2011
23:17
nam tóc xù
I thought I'd made this clear, but apparently not. I got an e-mail earlier, from a RoadRunner IP (residential US ISP), using an @up-yours.com address.There's two problems here however;1. It's an invalid address, so can't reply2. The e-mail houses a childish threat, without actually telling me what I did to deserve it*********************************************************************General*****
Chủ Nhật, 13 tháng 11, 2011
16:29
nam tóc xù
According to a post at my favorite news site, it looks like Lavasoft' new owners are the infamous chaps behind the well known "Interactive Brands". Should've seen this coming really, given they de-listed the well known malware player, WhenU, some time ago - I know that was 6 years ago, but it can't just be a coincidence, especially given who the new owners are.Anti-spyware company Lavasoft AB is
Thứ Sáu, 11 tháng 11, 2011
05:03
nam tóc xù
You may remember, in September I blogged about Internet.BS, well known as a bulletproof provider for domain registrations.Sadly, neither Verisign nor ICANN have done anything, and Internet.bs are still refusing reports (I say refusing because whilst the error is a 450, they were notified months ago and it's still producing the same error, preventing reports going through), courtesy of the Gmail
Thứ Tư, 9 tháng 11, 2011
13:32
nam tóc xù
Following an article I wrote recently for SC Magazine, Martijn Grooten of Virus Bulletin, who shares my interest in and dislike of support desk scams, contacted me about the web site associated with eFIX, a company claiming to offer online technical support. He and I, along with Steven Burn, who has a great deal of experience of working in this area, have been able to dig out some interesting
Thứ Ba, 1 tháng 11, 2011
17:26
nam tóc xù
Look at the image on the left. See anything that shouldn't be there?I'll give you a hint - it's got a black background.I identified this whilst doing a routine enquiry on an IP housing a plethora of fake meds sites. I dropped a note to the sites owner and registrar, who informed me it most definitely should NOT be there.The content in question, is;
Thứ Ba, 18 tháng 10, 2011
17:32
nam tóc xù
I received 4 spam e-mails earlier that housed 4 links pointing to zip files on 4 sites housed on rZone.de (Cronon) IP space - all of the files contain trojans - more on that later.As I normally do, I tried dropping the address listed in the net-block info an e-mail (cmueller@cronon.net and abuse@cronon.net), sadly it seems they don't want to receive abuse reports;Mail delivery to the following
Thứ Hai, 10 tháng 10, 2011
22:42
nam tóc xù
From my friend Conrad;The following IPs are related to the TDL/TDSS rootkit. 212.36.9.52 / gic-kbmtu0zkvwylf.com appears to be a C&C server. 94.63.149.1094.63.149.1194.63.149.1294.63.149.1394.63.149.1494.63.149.15146.185.250.140146.185.250.141195.3.145.251195.3.145.252195.3.145.253212.36.9.5294.63.149.0/24 is a Romanian host called Eurolan Solutions SRL, I've had this blocked for months with no
Thứ Bảy, 8 tháng 10, 2011
19:10
nam tóc xù
microsoft-key.com was registered through the well known criminal friendly, BIZCN on October 7th (key-microsoft.com existed previously, same IP range), and not surprisingly, is up to no good. The domain is presently only in German for some reason (auto-redirs to /de-DE/, and no other language dirs seem to exist).A translation via Google, since I don't speak German, shows;Welcome to the Microsoft
Thứ Tư, 5 tháng 10, 2011
Thứ Năm, 29 tháng 9, 2011
11:14
nam tóc xù
Sorry for the delay folks.The hpHOSTS Hosts file has been updated. There is now a total of 222,922 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 29/09/2011 18:00Last Verified: 29/09/2011 01:00Download hpHosts now!http://hosts-file.net/?s=Download
Thứ Tư, 28 tháng 9, 2011
15:47
nam tóc xù
Q. How do you tell when a registrar is generating alot of abuse reports?A. When you receive failure messages such as;This is the mail system at host us.internet.bs.I'm sorry to have to inform you that your message could notbe delivered to one or more recipients. It's attached below.For further assistance, please send mail to postmaster.If you do so, please include this problem report. You
Thứ Ba, 27 tháng 9, 2011
16:16
nam tóc xù
Executive SummaryMicrosoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS
Thứ Tư, 21 tháng 9, 2011
12:50
nam tóc xù
About bleedin time too.One of Microsoft's Gold Partners has had its relationship with the software giant unceremoniously terminated, after being revealed to be orchestrating a telephone support scam.Comantra, based in India, are said to have cold-called computer users in the UK, Australia, Canada and elsewhere, claiming to offer assistance in cleaning up virus infections.The bogus support calls
Thứ Bảy, 17 tháng 9, 2011
18:50
nam tóc xù
I was sent a URL earlier, that redirected to fake meds (surprise surprise). Checking further however, I arrived at the sites homepage to discover two scripts being loaded, one from a site that has now been cleaned, and another loaded from 70.85.43.147, that is still there;70.85.43.147/minitools.jsTrying a quick check, Malzilla, JSUnpack etc failed to decode it, so I figured I'd wait until I had a
Thứ Sáu, 16 tháng 9, 2011
11:36
nam tóc xù
Not surprisingly, when the bad guys get a foot in, they take full advantage, and that's exactly what they're doing over at Formspring.me. Having started a campaign, and Formspring seemingly doing nothing to prevent it, the surge is continuing, with new ones being created every day so far.Thanks to someone that used to work for them, those that were reported to him, have been taken care of, but
Thứ Hai, 12 tháng 9, 2011
Thứ Sáu, 9 tháng 9, 2011
19:11
nam tóc xù
Seems there's somewhat of a surge of abuse over at formspring.com lately, same kind of abuse seen previously on similar providers.The following, all leading to varying locations, are currently active, and have been reported to the upstream, since Formspring don't want to publicize an abuse contact (CC'd the report to the address listed in the WhoIs for formspring' parent company).hxxp://
Thứ Ba, 6 tháng 9, 2011
06:11
nam tóc xù
New domains today, still only 71 unique MD5s, and all domains living at;IP: 69.64.72.123PTR: 69-64-72-123.dedicated.codero.netNS: *.dns-diy.netAS: 10316 69.64.64.0/19 CODERO-AS - CoderoSame registrar as all of the rest;Registrant: Frank Jorney / jormwyuh4@hotmail.comRegistrar: ONLINENIC, INC367u3hsl.com/files/18367u3hsl.com/files/19367u3hsl.com/files/23367u3hsl.com/files/24367u3hsl.com/files/
Thứ Bảy, 3 tháng 9, 2011
05:02
nam tóc xù
Well, yesterday Sinowall was at 108.59.2.213, as of today, there's 2 new domains and a new IP - still the same amount of files, same 71 unique MD5s;
sghlymfsbvf.com/files/18 Trojan.Agent
sghlymfsbvf.com/files/19 Trojan.Agent
sghlymfsbvf.com/files/23 Trojan.Agent
sghlymfsbvf.com/files/24 Trojan.Agent
sghlymfsbvf.com/files/25 Trojan.Agent
sghlymfsbvf.com/files/26 Trojan.Agent
sghlymfsbvf.com/files
sghlymfsbvf.com/files/18 Trojan.Agent
sghlymfsbvf.com/files/19 Trojan.Agent
sghlymfsbvf.com/files/23 Trojan.Agent
sghlymfsbvf.com/files/24 Trojan.Agent
sghlymfsbvf.com/files/25 Trojan.Agent
sghlymfsbvf.com/files/26 Trojan.Agent
sghlymfsbvf.com/files
Thứ Sáu, 2 tháng 9, 2011
06:11
nam tóc xù
Q. What do you get if you cross 108.59.2.213 with a bunch of newly created domains?
A. Over 600 newly malicious URLs of course!
There's actually only a very small amount of domains, but 91 URLs to each domain, serving a grand total across them all, of 498 files and 71 unique MD5s;
File MD5 Size
f88deaeb24ee0ae8f783ed61c8508b37 aguyet47td.com\files\17 2.00 KB
A. Over 600 newly malicious URLs of course!
There's actually only a very small amount of domains, but 91 URLs to each domain, serving a grand total across them all, of 498 files and 71 unique MD5s;
File MD5 Size
f88deaeb24ee0ae8f783ed61c8508b37 aguyet47td.com\files\17 2.00 KB
Thứ Năm, 1 tháng 9, 2011
18:59
nam tóc xù
co.tv have had quite the history, with a plethora of abuse of their service. They've previously been responsive as far as takedowns, but lately there's been no response, and those reported over the past week, have remained active.
A lot of the domains are pointing to an IP that resolves to parking.co.tv, but this isn't actually a parking server - it is a redirector;
Query: fuqayisi.co.tv
HTTP/
A lot of the domains are pointing to an IP that resolves to parking.co.tv, but this isn't actually a parking server - it is a redirector;
Query: fuqayisi.co.tv
HTTP/
Chủ Nhật, 28 tháng 8, 2011
18:54
nam tóc xù
Certainly took them long enough, but having been the latest service to be bombarded and misused by criminals, it seems at least one of the many heavily abused providers has seen sense and cancelled the option to create a free "domain" through them.
If you've been taking note, you'll have noticed the sheer volume of hostnames created on *.co.tv that have been involved in fake meds and exploits.
If you've been taking note, you'll have noticed the sheer volume of hostnames created on *.co.tv that have been involved in fake meds and exploits.
Thứ Bảy, 27 tháng 8, 2011
20:49
nam tóc xù
And courtesy of my friend Anthony at MalwareURL (and I'm shamefully admitting to not thinking of checking this myself), here comes another 328 of them;
http://clickmeaa.fileave.com/
http://clickmeab.fileave.com/
http://clickmeac.fileave.com/
http://clickmead.fileave.com/
http://clickmeae.fileave.com/
http://clickmeaf.fileave.com/
http://clickmeag.fileave.com/
http://clickmeah.fileave.com/
http:/
http://clickmeaa.fileave.com/
http://clickmeab.fileave.com/
http://clickmeac.fileave.com/
http://clickmead.fileave.com/
http://clickmeae.fileave.com/
http://clickmeaf.fileave.com/
http://clickmeag.fileave.com/
http://clickmeah.fileave.com/
http:/
18:39
nam tóc xù
Yet another mass compromise going on recently folks (yep, surprise surprise). This time, the malicious code leads to a URL in the format;
clickme**.fileave.com
Where ** are letters based on the date/time. Yesterday (27th), these were clickmen[a-z].fileave.com, and today these are rather predictably, clickmeo[a-z].fileave.com.
Yesterdays were reported to both Network Solutions, and to FileAve (
clickme**.fileave.com
Where ** are letters based on the date/time. Yesterday (27th), these were clickmen[a-z].fileave.com, and today these are rather predictably, clickmeo[a-z].fileave.com.
Yesterdays were reported to both Network Solutions, and to FileAve (
15:18
nam tóc xù
I know it's late folks, and my apologies (better late than never?). Sadly the connection has been rubbish lately (I had a second phone and broadband line installed with another provider Wednesday gone and the current line is being re-provisioned, so should hopefully see the issues vanish).
The hpHOSTS Hosts file has been updated. There is now a total of 189,155 listed hostsnames.
If you are NOT
The hpHOSTS Hosts file has been updated. There is now a total of 189,155 listed hostsnames.
If you are NOT
Thứ Năm, 25 tháng 8, 2011
22:38
nam tóc xù
There's another phish doing the rounds lately it seems, this time targetting Windows Live users.
If you've received an e-mail similar to the following, click "Mark As" > "Phishing Scam" and delete it - DO NOT CLICK THE LINK!
Windows-Live - Account ALERT! - *Re-activate your account* (24-Aug)?
Dear (email address),
We are sending you this e-mail because Microsoft SmartScreen Technology has
If you've received an e-mail similar to the following, click "Mark As" > "Phishing Scam" and delete it - DO NOT CLICK THE LINK!
Windows-Live - Account ALERT! - *Re-activate your account* (24-Aug)?
Dear (email address),
We are sending you this e-mail because Microsoft SmartScreen Technology has
Thứ Năm, 11 tháng 8, 2011
15:56
nam tóc xù
Something evil on 95.168.177.144: reddingtaxcm.com and inferno.name
reddingtaxcm.com is a legitimate domain that is registered at GoDaddy and has been hijacked to serve up malware, hosted on 95.168.177.144 (NetDirekt, Germany but more below..).
The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.
reddingtaxcm.com is a legitimate domain that is registered at GoDaddy and has been hijacked to serve up malware, hosted on 95.168.177.144 (NetDirekt, Germany but more below..).
The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.
Thứ Tư, 10 tháng 8, 2011
20:30
nam tóc xù
Few people asked me to join LinkedIn recently, a site I've avoided like all other social networks for as long as I can remember, and I decided "at least it's not Facebook" (who themselves have now decided to get even worse), so popped over. I already know that social networks can't be trusted, they've proven that time and time again, and now it seems LinkedIn are proving it themselves;
12:46
nam tóc xù
A few updates today folks. Firstly, I've published a new hpObserver release. Nothing special, just a couple of bug fixes.
The hpHosts release has also been delayed due to a worse than rubbish connection, drastically slowing down the validation process (almost 24 hours just to run a DNS validation on 3600 domains (only seems to be DNS affected by the slowdown so far)).
I also noted yesterday
The hpHosts release has also been delayed due to a worse than rubbish connection, drastically slowing down the validation process (almost 24 hours just to run a DNS validation on 3600 domains (only seems to be DNS affected by the slowdown so far)).
I also noted yesterday
Chủ Nhật, 7 tháng 8, 2011
Thứ Tư, 3 tháng 8, 2011
18:30
nam tóc xù
Just a warning folks, there's a replacement for the now suspended rulesbreacker.com/wsumg.com botnet, and it's mstdpro.com. Resolving to residential IPs and serving exploits and a trojan through URLs such as;mstdpro.com/mydata/forms/apisrv.phpmstdpro.com/appserver/mstdpro.com/efs/servlet/military/login.jspmstdpro.com/app/bps/main/mstdpro.com/arc/files/mstdpro.com/arc/files/archivo.exemstdpro.com/
Thứ Bảy, 30 tháng 7, 2011
15:48
nam tóc xù
Love Top Gear? I do to, can't wait for Sundays and Wednesdays, and tend to watch it on Dave through the week (seen them all hundreds of times since they're repeated around 5 times a day, but bah, there's normally nothing else on anyway). However, if you're searching for Top Gear episodes (thought everyone knew the official URL (http://bbc.co.uk/topgear), but obviously not), then you may find
Thứ Ba, 26 tháng 7, 2011
16:20
nam tóc xù
There's lots been written on security for your machines and networks, be it routers, PCs, laptops, netbooks, iPads, Androids and Blackberrys and the likes - but all the security in the world isn't going to help you if these actually get stolen, either through a break-in or pick pocketing or the likes.Are you prepared for this? Could you tell the police how to identify and track your items, should
Chủ Nhật, 24 tháng 7, 2011
08:27
nam tóc xù
The chaps behind Renos are on the move again as of today, this time to Russia based, Eurobyte Llc (AS35415), or best known, as a customer of Webazilla. Both known bulletproof hosting.New domain as of 30 mins ago, is through UK2 (surprise surprise), though there's been one prior to that, through DirectI (suspended a few mins after being reported);fileyourextension.net/New-Video-Addon.48560.exeIP:
Thứ Sáu, 22 tháng 7, 2011
14:30
nam tóc xù
I phoned HostNOC/Burst around an hour ago, regarding an IP that had been serving Renos for a while, and stayed on the phone until it was suspended. Expecting them to move to a new IP rather quickly, but sadly had to pop to the shops. Getting back however, I wasn't to be disappointed. The chaps behind Renos (still don't know who that is, but am working on it), had moved to a new IP yet again,
Thứ Ba, 19 tháng 7, 2011
08:37
nam tóc xù
I love predictability, makes my job much easier (well, as far as these chaps are concerned anyway). 3 IPs as of today, same registrars (surprise surprise);UK2DirectINetEarthOne of the IPs is the same as yesterday (errr Burst.net/HostNOC - what happened to your 24 hour warning?).66.197.187.152 immovable.detectstakes.com AS21788 66.197.128.0/17 NOC - Network Operations Center Inc.193.105.171.120
Thứ Hai, 18 tháng 7, 2011
09:50
nam tóc xù
Well, I said it would happen and it has - my friends at Leaseweb finally nulled the server housing Renos, and as with their previous pattern - they're back to HostNOC/Burst.They're now using 66.197.187.152 (latest domain: worldmediaplugins.org), same registrars and infection, so nothing else to report I'm afraid. As far as UK2 and DomainContext, the latter is still failing to reply, and I'm
Thứ Sáu, 15 tháng 7, 2011
05:12
nam tóc xù
Looks like they're on the move to a new host, this time it's Leaseweb (Rob and Jottie will hopefully be getting it down shortly, so they shouldn't be there long). As of a few minutes ago, the latest Renos domain is pointing to;82.192.79.49The URL;makepan.in/New-Video-Addon.48563.exeReferencesPart 5a: Interserver, malware, and the Scottish weatherhttp://hphosts.blogspot.com/2011/06/part-5-
Thứ Năm, 14 tháng 7, 2011
14:39
nam tóc xù
Facebook worms are nothing new, having been documented as far back as 2008, but after a tip from a friend, I dipped into the DNS records for a couple of IPs, and plucked out this lovely lot. All of which appear involved in the same Facebook worm/phish that others have blogged about;10gambling.com11likes.info12v-dc-motor.motorsforsales.us2003-microsoft.officediscount.us2010-
Thứ Ba, 12 tháng 7, 2011
09:10
nam tóc xù
I've not worked out their obsession with HostNOC yet, but so far, the only two hosting companies they're flitting between, are CoolVDS (AS50669, well known to be criminal friendly) having until a few hours ago, been housed at 193.105.171.226 since their last stint on HostNOC (184.22.253.11) until July 7th.You'll no doubt not be surprised to hear, other than their flitting between the two hosts,
Thứ Tư, 6 tháng 7, 2011
06:09
nam tóc xù
64.120.151.73 was first reported to HostNOC/Burst, on July 2nd, both via e-mail and via telephone. When speaking to them on the phone, I was advised they'd give the customer a 24 hour warning.Watching the new domains popping up each day, I continued to send them reports, and resorted to a second phone call last week (Sunday if memory serves), to be told yet again, they'd give the customer a 24
Thứ Bảy, 2 tháng 7, 2011
09:52
nam tóc xù
This was never intended to be multipart, but I figured after part 1, I may as well do the other IPs they're using. As it happens, one of the other IP ranges they've got is through AS56927.The /24 in question, similar to the previous one, is 188.229.97.0/24. What's curious here, is that AS records show something interesting - an invisible link (AS52366 that AS records says doesn't exist. If we
Thứ Sáu, 1 tháng 7, 2011
13:16
nam tóc xù
Just a note folks, the network housing the likes of fspamlist.com, mysteryfcm.co.uk and the Abelhadigital.com forums, will be down for around 2 hours tomorrow, to allow for maintenance. The exact time hasn't been finalized yet, but is expected to be between 15:00-17:00.Sites affected:*.mysteryfcm.co.uk*.
11:12
nam tóc xù
The hpHOSTS Hosts file has been updated. There is now a total of 154,282 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 01/06/2011 17:00Last Verified: 01/06/2011 12:00Download hpHosts now!http://hosts-file.net/?s=Download
Thứ Tư, 29 tháng 6, 2011
18:58
nam tóc xù
What do you do when you need lots of IPs to house your fake meds and other criminal sites? Use botnets? compromised sites/servers? That's certainly what the bad guys involved in exploits, malware and other badness like to do.Of course, another favourite of the bad guys, is to set up their own ASNs, complete with batches of IPs and IP ranges, to house their criminal activities. This is exactly
Thứ Ba, 28 tháng 6, 2011
16:53
nam tóc xù
If you've not already done so, you'll want to block 78.111.51.100 asap. It's currently housing a plethora of domains that are serving malware via exploit.Payloads are coming from paths such as;thujkdswg.tld.tc/k.php?f=20&e=3-> about.exe--> 3c6d68ea89512089df0cd7629439c378You'll no doubt notice the usual suspects as far as the ccTLD branches (redirection services serving off of ccTLDs such as .cc)
05:03
nam tóc xù
Looks like HostNOC/Burst, finally pulled their finger out. Over the past 24 hours, they've now moved to a bulletproof host (193.105.171.70, AS50669 COOLVDS-as FOP Kutcevol Maksum Mukolaevich). If you've not already, you may want to consider blackholing the following;91.218.120.0/22193.105.171.0/24Registrars used haven't changed, still using DirectI resellers, DomainContext and UK2. Thankfully,
Thứ Hai, 27 tháng 6, 2011
06:12
nam tóc xù
Ever get the feeling HostNOC/Burst aren't taking this seriously? They took 3 years to boot these guys the first time, and now all they're doing, is jumping across different IPs on the HostNOC/Burst AS.The new IP they're using as of today, 173.212.255.31Filenames occasionally change (new ones: New-Video-Addon.40028.exe, FlashPlayer.40028.exe, old ones produce fake 404s), but the infection
Thứ Năm, 23 tháng 6, 2011
19:29
nam tóc xù
Opinion A recent newspaper investigation uncovered evidence that companies are paying agencies to create false online reviews for their services. But what those companies may not realise is that this is illegal and could ruin their businesses.The practice is called astroturfing, because it fakes grass-roots support, and it is not only ethically questionable, it is illegal. And if the law doesn't
Thứ Tư, 22 tháng 6, 2011
21:48
nam tóc xù
Well that didn't take them long. They're back to .in domains, and have moved to the well known SwiftWay (AS35017).New payload URL;rhyzilch.in/FlashPlayer.40028.exeIP: 46.21.159.228PTR: 228.159.21.46.inferno.nameMD5: 42a61ad4f894d9d21434cc5d5819aaefThis /24 of course, as with all SwiftWay ranges, is no stranger to malicious content, having hosted everything from fake AVs to trojans, and even fake
20:43
nam tóc xù
Well, the bad guys tried fooling everyone by changing the filename yet again (sorry Mr Bad Guy - we're not that stupid).You'll remember that they were using HostNOC as of the latest incarnations, and I both e-mailed, and phoned HostNOC on the 20th, the day the move was made, and the person I spoke to advised me they were giving the customer a 24 hour warning. 3 days later, and it was still online
Chủ Nhật, 19 tháng 6, 2011
09:52
nam tóc xù
Not surprisingly, since my last post, they've switched the latest ones back to HostNOC/Burst.Net (same company that took 3 years to boot them last time). Registrars are primarily DirectI and UK2 (who don't seem to be replying ....). DirectI have been shutting down those I've found, within 30 mins of their being reported.I've likely missed quite a few since my sleeping meds knocked me out for a
Thứ Năm, 16 tháng 6, 2011
18:45
nam tóc xù
They say, if you don't like the Scottish weather, wait 20 mins. That's all I've got on that one.In the last few weeks alone, 2 specific IPs have racked up a count of over 2000 malicious domains, most through just a handful of registrars (all those through DirectI have been suspended within around 20 mins on average, of being discovered, with DirectI suspending several thousand more related
Chủ Nhật, 12 tháng 6, 2011
09:13
nam tóc xù
I get a few of these, and they always make me laugh. Seems some people don't bother reading or researching, what hpHosts actually is, before e-mailing me.Name: HugoE-mail: {REMOVED}How did you find us?: Other... Other: Not providedSite navigation: Very easyComments: Please add my site to your database. I've removed his e-mail address to save him some embarrassment, but little hint to those of you
Thứ Tư, 1 tháng 6, 2011
23:50
nam tóc xù
For web applications to spring even farther ahead of traditional software, our teams need to make use of new capabilities available in modern browsers. For example, desktop notifications for Gmail and drag-and-drop file upload in Google Docs require advanced browsers that support HTML5. Older browsers just don’t have the chops to provide you with the same high-quality experience.For this reason,
Thứ Năm, 26 tháng 5, 2011
18:23
nam tóc xù
Seems the bad guys don't believe we actually check sites/files we're coming across anymore, only that we look for a specific filename. I've been monitoring a couple sites leading to trojans, and having the domains shut down. Over the past few days (approx the 20th), they've disabled the specific filename the malicious code points to, possibly believing we'll say "okay, it doesn't exist anymore,
09:02
nam tóc xù
Just an FYI folks. To allow my ISP to identify a fault on the line, I've got to take the entire network offline for an hour. This will obviously mean all servers will be unavailable.The network will be taken offline this evening at 19:00 GMT London, and will be back at 20:00 GMT London.Sites affected:*.mysteryfcm.co.uk*.
Thứ Tư, 25 tháng 5, 2011
10:49
nam tóc xù
The hpHOSTS Hosts file has been updated. There is now a total of 149,988 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 25/05/2011 15:30Last Verified: 25/05/2011 01:00Download hpHosts now!http://hosts-file.net/?s=Download
Thứ Ba, 24 tháng 5, 2011
21:21
nam tóc xù
My other half, though in her 20's, is also part of the "share it all" and "it'll never happen to me" generation, despite being as paranoid and insecure as heck about everything (though generally only paranoid about what her friends think, what I think etc, rather than things that actually matter). Drives me up the wall, especially given she should be mature enough to know better.Kids are already
19:43
nam tóc xù
Oh dear, this isn't going to end well (especially given they were involved in the Phorm debacle too);BT reserves, and makes use of, the right to remotely detect all devices connected to LANs owned by its broadband customers – for their own good, of course.BT Broadband customers can expect to have their network checked any time the operator feels it needs to take a peek to help it provide the
Chủ Nhật, 22 tháng 5, 2011
22:33
nam tóc xù
As if you needed telling, but sadly to state the obvious, the scammers traced back to India are still very much involved in defrauding insuspecting victims, and are now apparently going one step further by infecting their machines to boot.In previous iterations of this scam the person on the phone would get you to click through to the event viewer to "find something red". Strangely enough there
10:07
nam tóc xù
My friend and co-admin at MalwareDomainList just alerted me to a site impersonating VirusTotal, for the purposes (surprise surprise) of infecting unwitting victims with both a fake AV and a trojan.I've sent an e-mail to my friend Ross at Dot.tk, to have the .tk domain taken out, and will be getting in touch with the host and registrar, for the site it's pointing to, but in the meantime, you can
Thứ Năm, 12 tháng 5, 2011
01:25
nam tóc xù
Oh I do love good news in the morning. Zango/Pinball need no introduction, everyone is aware of their ongoing shenanigans over the years, and it looks like they're down for the count for now. Or at least, business filings say they are (well all know Zango tried the same hide and seek method, and left a trail that led to the switch to Pinball Corp being discovered relatively quickly).I've said it
Thứ Năm, 5 tháng 5, 2011
18:40
nam tóc xù
Ever wonder why some hosting companies try and send you on a "we're waiting, it's resolved, really we're just the innocent victims here, please be patient" game, that results in your getting frustrated and the criminals staying online even longer?Well, the answer is companies (and I use the term companies loosely in this case) such as Don Servers, which is actually the same "company" as CompLife
12:26
nam tóc xù
hpHOSTS - Updated May 2011The hpHOSTS Hosts file has been updated. There is now a total of 124,448 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 05/05/2011 17:00Last Verified: 05/05/2011 06:00Download hpHosts now!http://hosts-file.net/?s=Download
Thứ Tư, 4 tháng 5, 2011
13:05
nam tóc xù
Hat tip to the guys at the ISC for the heads up (got the Microsoft RSS on the reader but didn't notice this one).We have received notification that Sysinternals has had some updates. One in particular that is a favorite among handlers is Process Explorer. It now includes: Process Explorer v14.11 includes the ability to configure network and disk activity icons in the tray. Check out the
Thứ Năm, 28 tháng 4, 2011
Thứ Ba, 26 tháng 4, 2011
20:26
nam tóc xù
Many have been bleating on about securing WiFi pretty much since WiFi was first available to the masses, but many still don't bother securing it, leaving them wide open to abuse at best, and at worst, being prosecuted because someone used YOUR unsecured wireless connection, to download child pornography.A case has been brought to light yet again, of a man prosecuted because a neighbour used his
Chủ Nhật, 24 tháng 4, 2011
Thứ Ba, 19 tháng 4, 2011
20:18
nam tóc xù
hpHOSTS - Updated April 2011The hpHOSTS Hosts file has been updated. There is now a total of 122,034 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 20/04/2011 03:00Last Verified: 20/04/2011 01:00Download hpHosts now!http://hosts-file.net/?s=Download
Thứ Tư, 16 tháng 3, 2011
20:13
nam tóc xù
Taking down malicious sites has been part of daily life for years now, and I still love every second of it. Primarily because it annoys the bad guys, but mostly because it means there's less malicious sites (for a second anyway) for people to get infected via.During the years, there's been many changes in the responses from hosting companies and registrars. GoDaddy have become one of the best at
Thứ Ba, 15 tháng 3, 2011
Thứ Bảy, 12 tháng 3, 2011
16:00
nam tóc xù
Sites such as eBay are extremely useful for finding that wonderful collectable, part or a multitude of other things you've been meaning to and wanting to, buy for yourself.Sadly however, as with many other sites, there are those on these sites, that are doing as much as possible, to part you with your money. There are millions of legit users on there, just like yourself, but don't forget -
Thứ Sáu, 11 tháng 3, 2011
10:10
nam tóc xù
That certainly appears to be the case with a site I came across today. The following, if loaded in a browser, displays what we're used to seeing when a site wants to infect our machine with a fake AV;www(.)sosgt.com/indexm.phpIn this case however, we're given a purchase page.Clicking to proceed to the checkout, takes us to;hxxps://secureonlinestore.net/secureorder/orders.phpIncase you're
Thứ Tư, 9 tháng 3, 2011
11:28
nam tóc xù
Second verse, same as the first. Same registrar, same registrant, same multi-residential IP setup, same content - same everything.usabbc.info - Vlad Marks / vladmarks@yahoo.ca eNom, Inc. (R126-LRMS)utgroup.info - Vlad Marks / vladmarks@yahoo.ca eNom, Inc. (R126-LRMS)waterspa.info - Vlad Marks / vladmarks@yahoo.ca eNom, Inc. (R126-LRMS)werace.info - Vlad Marks / vladmarks@yahoo.ca eNom, Inc. (R126
Thứ Ba, 8 tháng 3, 2011
01:14
nam tóc xù
Normally I get very annoyed with myself when I miss one of Chris Boyds blogs. This time however, I'm partially glad I did, as otherwise, I may have missed what I've just found.Going over some of the stuff he found, I decided to do a bit more digging, and not only has franebook.com come back to life - the bad guys behind it have gotten themselves some new domains, all associated with a single name
Thứ Bảy, 5 tháng 3, 2011
09:29
nam tóc xù
I guess someone in the general area of Kolkata reads my blog posts. At any rate, after I posted a blog yesterday bemoaning the fact that I had to do my own systems support, I got a phone call from a gentleman with a pronounced accent wanting to help me with my virus problem.It's Raining Men (And Wooden Horses)You didn't know I had a virus problem? Neither did I, but he assured me that I was
Thứ Năm, 3 tháng 3, 2011
19:33
nam tóc xù
Myself and others have been reporting on and following, the telephony based scams which for now, are being traced back to "companies" in Kolkata, India, for quite some time now.I'm sorry to say (but definitely not surprised), these scammers are still targeting people around the world, with reports coming in quite frequently to places such as digitaltoast.co.uk (warning, due to the page size, it
Thứ Ba, 1 tháng 3, 2011
17:30
nam tóc xù
hpHOSTS - Updated March 2011The hpHOSTS Hosts file has been updated. There is now a total of 122,276 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 02/03/2011 00:00Last Verified: 01/03/2011 16:00Download hpHosts now!http://hosts-file.net/?s=Download
Chủ Nhật, 27 tháng 2, 2011
20:54
nam tóc xù
I came across something a few minutes ago that absolutely disgusted me. A ProBoards user reported a fraudulent advert, being advertised through the ProBoards service, and instead of saying thank you - ProBoards abuse dept sent a warning to the USER THAT REPORTED IT, due to a simple NONE ABUSIVE message on the top of the users forums;http://kasha-against-spam.proboards.com/index.cgi?board=kasscams
Thứ Năm, 24 tháng 2, 2011
21:47
nam tóc xù
As if money mules didn't have enough to worry about, what with the risk of not only upsetting those "using" them, but their getting prosecuted for fraud - they've now got to risk not answering a questionnaire correctly and being rejected (the thought of being rejected as a money mule, due to not answering correctly, is simply, hilarious).An MDL user pointed me to a few sites running the ever so
Thứ Ba, 22 tháng 2, 2011
07:23
nam tóc xù
Release: v0.52Date: 22-02-2011* Fixed bug in functions.php* Modified IsValidEmail() function* Changed strpos() calls to substr_count()* Fixed bug in check_spammers_plain.php that resulted in invalid e-mails being allowed+ Added code to check for Bad Result error when querying blacklists* Contains modifications (e.g. re-written isURLOnline() and getURL() functions) and bug fixes with thanks to Dan
Thứ Bảy, 12 tháng 2, 2011
Thứ Ba, 8 tháng 2, 2011
14:13
nam tóc xù
hpHOSTS - UPDATED February, 2011The hpHOSTS Hosts file has been updated. There is now a total of 122,245 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 08/02/2011 21:00Last Verified: 08/02/2011 12:00Download hpHosts now!http://hosts-file.net/?s=Download
Thứ Tư, 2 tháng 2, 2011
10:54
nam tóc xù
If x = b, what do we need numbers for?Last time I checked, the Soviet Union didn't exist anymore, yet as we all know, the .su TLDs live on.Random musings are great aren't they? Well not in this case. I've yet to see a .su domain that's actually legit, and this one is no different. The domain in this case, is officialversion.su (also known as officialversion.ru), a domain we're all familiar
Thứ Sáu, 21 tháng 1, 2011
09:46
nam tóc xù
hpHOSTS - UPDATED January 21st, 2011The hpHOSTS Hosts file has been updated. There is now a total of 122,616 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 21/01/2011 16:50Last Verified: 21/01/2011 10:00Download hpHosts now!http://hosts-file.net/?s=Download
Thứ Năm, 20 tháng 1, 2011
06:05
nam tóc xù
Due to an issue with my mail server, I am currently experiencing problems sending replies, and receiving new e-mail. I thought I'd pinned down the cause to a queue issue with the server, but apparently not.If you're awaiting a reply from me, please be patient whilst I try and resolve the problem.Please be advised, this issue affects all sites using the server aswell (inclusive of the hpHosts
Thứ Hai, 17 tháng 1, 2011
04:15
nam tóc xù
I've had a reply from Heart Internet, regarding the latest list sent to them (still verifying what's going on about the first few lists);We've identified how it's happened, and we are going to clean the sites very soon.I'd like to point out that they're all the result of compromised personal Windows machines (ie, people's home desktop which have viruses). No machine of Heart Internet's has been
Thứ Bảy, 15 tháng 1, 2011
11:32
nam tóc xù
I was pointed to a site earlier, that provided nothing but links to malicious sites. Presumably the sites sole intention is for search engines to crawl it. What was interesting is it didn't have all of the links on one page - you had to keep refreshing it. Very boring and time consuming, so I wrote a program to do it for me.Refreshing it 1000 times brought a list of over 800 unique sites involved
06:42
nam tóc xù
Remember the attack on other hosting companies by the blackhat SEO gang? Well now they've moved to attacking Heart Internet customers - and they're doing a pretty damn good job of it too.The problem here isn't actually the bad guys so much as it is Heart Internet themselves (and yes, the bad guys are of course the primary problem as they're the ones doing it). Heart Internet have had alot of
Thứ Bảy, 8 tháng 1, 2011
02:32
nam tóc xù
Whilst investigating a site earlier, I stumbled upon a site claiming to be a vanilla porn site. Not surprisingly, it turned out to be slightly more than that.This site offers its victims the usual player you're used to seeing on the likes of YouTube - with a major difference. Instead of the fake codec, or actual video, an HTA is downloaded and executed, that contains;
Đăng ký:
Bài đăng (Atom)
Popular Posts
-
You've probably noticed by now that the server that houses it-mate.co.uk and forum.avantbrowser.com (amongst others), is down and has be...
-
Having been suspended from more hosts than I care to remember, Blackshades are on the move again today, having been suspended from Snelis. T...
-
We all know about what had happened in US recently, it is a very sad & unfortunate situation. People died during the accident and the ma... -
Just when you thought it couldn't get stupider than Cameron' imposing of the smut ban in the UK, this Russian politico has decided t...
-
The hpHOSTS Hosts file has been updated. There is now a total of 254,257 listed hostsnames.If you are NOT using the installer, please read t...
-
Background I was contacted by a fellow researcher friend @StopMalvertisin to take a look into an infection of the double trojan downloading... -
Looks like it's the turn of the IMDB to be spoofed. Same gang responsible, not surprisingly. Return-Path: Delivered-To: [REMOVED] X-Spam...
-
Whether it's those god awful "fake surveys" that you can rarely get through to get the "leet crack", "free iPho...
-
Looks like the Blackhole folk are branching out from the usual LinkedIn etc, e-mails leading to the Blackhole exploit. Nothing new as far as...
-
Just a little note to say happy christmas ladies and gents. Whilst things have been going rather hayward of late (blueray/DVD player died ar...
Design by NewWpThemes | Blogger Theme by Lasantha - Premium Blogger Templates | NewBloggerThemes.com