IE 0day exploit domains (constantly updated)

IE 0day exploit domains (constantly updated)
This diary entry contains a list of domains that are exploiting the new IE-0day as well as secondary domains that are hosting potentially malicious binaries utilized in these attacks. This list has been produced as a combined effort of researchers, vendors, and volunteers. You can thank the groups below for their efforts and their willingness to share this information with the public. This list is intended to serve as a quick way to provide protection against these attacks by identifying domains that are hosting these (and potentially other) exploits. This list is not formatted for any specific file format, it is up to you the reader to translate this date into the proper formatting that your environment requires. ** In regards to IDS/IPS signatures, I would highly suggest looking for the malformed file vs trying to catch every permutation of the JS/Html seen. Emerging threats has a signature that looks for the malformed file, it can be found in their main rules file. 2009493 - ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit (emerging.rules) This diary entry will be updated frequently. The information provided has had varying degrees of verification performed on it. As such this information is provided as is. There may very well be mistakes, mistakes that may result in legitimate sites being blocked if you choose to use this list as a block list. Link on how to leverage DNS to blackhole/redirect queries. http://www.malwaredomains.com/bhdns.html Google Cache version of the above link Massive thanks go to the following contributors: Google Websense CSIS UCSB-Wepawet IBM X-Force Sunbelt Software Telenor SOC blog.zol.com.cn List of exploit domains: vip762.3322.org 3b3.org www.27pay.com www.hao-duo.com dump.vicp.cc 64tianwang.com webxue38.3322.org 556622.3322.org jfg1.3322.org df56y.3322.org javazhu.3322.org 8dfgdsgh.3322.org ceewe3w2.cn js.tongji.linezing.com h65uj.8866.org 45hrtt.8866.org 8oy4t.8866.org www.mjbox.com 2wdqwdqw.cn www.vbsjs.cn cdew32dsw.cn qvod.y2y2dfa.cn kan31ni.cn www.duiguide.us gkiot.cn www.carloon.cn movie.wildmansai.com www.7iai.cn www.jazzhigh.com www.netcode.com 6ik76.8866.org 76ith.8866.org qd334t.8866.org u5hjt.8866.org vpsvip.com x16ake8.6600.org www.huimzhe.cn www.hostts.cn ucqh.6600.org qitamove.kmip.net news.85580000.com guama.9966.org dx123.9966.org ds355.8866.org dnf.17xj.cn dasda11d.cn d212dddw.cn ckt5.cn ccfsdee32.cn aaa.6sys6.cn 9owe2211.cn 8man7.3322.org 6gerere3e.cn 66yttrre.cn 45hrtt.8866.org tongji520.com Second stage domains (binaries downloaded from these domains): www.73yi.cn w1.7777ee.com w2.7777ee.com w3.7777ee.com w8.7777ee.com w9.7777ee.com milllk.com haha999b.com babi2009.com haha888l.com xin765.com Ip's (no domain used in exploit page): 110.165.41.103	AndreL 56 Posts Jul 7th 2009
Thread locked Subscribe	Jul 7th 2009 1 decade ago
I am collaborating with one of the listed domains and cannot found anything wrong until now. How can I know who is listing my domain and what was found to be included in this "exploit domains" list? Any help will be appreciated	Raulb 2 Posts
Quote	Jul 15th 2009 1 decade ago
Send an email to handlers@sans.org with the domain in question and we will try and send you the full url that was detected as hosting the exploit. It would be best that the person who is responsible for the domain contact us directly vs third parties.	AndreL 56 Posts
Quote	Jul 15th 2009 1 decade ago
I sent a mail to handlers@ explaining the situation about a domain incorrectly listed (segu1-info2.com3.ar4 - delete numbers). Please checkout ASAP. Thank you.	Cristian 1 Posts
Quote	Jul 15th 2009 1 decade ago
Thanks for the update on false positives. I hope OpenDNS correct the bad IP addresses which the are resolving now for the false positive domains. It is strange they did not follow the authoritative's DNS for that domains.	Raulb 2 Posts
Quote	Jul 15th 2009 1 decade ago
To give one example of an avenue of attack by the bad guys for a site on this list, a User went down the rabbit role when surfing to find free current movies to watch online and eventually hit srv.v-i-e-w.net and the machine did NOT get infected despite several exploits there. The site was on a colo in the Netherlands and the webserver no longer serves up any pages.	Andrew 41 Posts
Quote	Jul 15th 2009 1 decade ago
Any chance someone has a copy of Maltego that they can throw all the domains in and provide a nice screenshot?	Andrew 1 Posts
Quote	Jan 20th 2010 1 decade ago