This diary entry contains a list of domains that are exploiting the new IE 0-day, as well as secondary domains hosting the potentially malicious binaries used in these attacks. The list has been produced as a combined effort of researchers, vendors, and volunteers; you can thank the groups below for their efforts and their willingness to share this information with the public. It is intended to serve as a quick way to protect against these attacks by identifying domains that host these (and potentially other) exploits. The list is not formatted for any specific file format; it is up to you, the reader, to translate this data into the formatting your environment requires.

** Regarding IDS/IPS signatures, I would strongly suggest looking for the malformed file rather than trying to catch every permutation of the JavaScript/HTML seen so far. Emerging Threats has a signature that looks for the malformed file; it can be found in their main rules file:

2009493 - ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit (emerging.rules)
http://www.malwaredomains.com/bhdns.html
(Google Cache version of the above link)
Massive thanks go to the following contributors: Google
List of exploit domains:
vip762.3322.org
www.73yi.cn
110.165.41.103
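The diary leaves it to the reader to translate the list into whatever format the local environment consumes. As an added example (not part of the original diary or of any contributor's tooling), the following Python script parses a list in the shape shown above, splits it into hostnames and IP addresses, and emits three deployable forms: a hosts-file blackhole, a BIND response-policy zone (RPZ) with both name and rpz-ip triggers, and Snort/Suricata rules that match the DNS query for each domain in wire format plus TCP SYNs to each listed IP. The embedded sample entries are constructed from the list above; the zone origin `rpz.blocklist.`, the `0.0.0.0` sinkhole and the SID range starting at 9000001 are assumptions to adjust for your environment.

```python
"""Turn the ISC exploit-domain list into formats a defender can deploy.

Added example, not part of the original diary.  Input is one bare domain or
IP per line (trailing "|" extraction debris is tolerated).  Output formats:
hosts-file blackhole, BIND RPZ zone, and Snort/Suricata rules.
Zone origin, sinkhole address and SID range are assumptions.
"""
import ipaddress
import re

# Constructed sample in the same shape as the list in the diary above.
SAMPLE_LIST = """
vip762.3322.org
www.73yi.cn
110.165.41.103 |
www.73yi.cn
"""

# Hostname grammar: labels of [a-z0-9-], 1-63 chars each, at least one dot.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")


def parse_indicators(text):
    """Return (domains, ips): debris stripped, lower-cased, de-duplicated."""
    domains, ips, seen = [], [], set()
    for raw in text.splitlines():
        token = raw.strip().strip("|").strip().lower().rstrip(".")
        if not token or token.startswith("#") or token in seen:
            continue
        seen.add(token)
        try:
            ips.append(str(ipaddress.ip_address(token)))
            continue
        except ValueError:
            pass
        if not DOMAIN_RE.match(token):
            raise ValueError(f"unrecognised indicator: {raw!r}")
        domains.append(token)
    return domains, ips


def to_hosts(domains, sinkhole="0.0.0.0"):
    """hosts-file lines pointing each domain at a sinkhole address."""
    return "\n".join(f"{sinkhole} {d}" for d in domains) + "\n"


def to_rpz(domains, ips, origin="rpz.blocklist."):
    """BIND RPZ zone; 'CNAME .' makes the resolver answer NXDOMAIN."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 60",
        "@ IN SOA localhost. root.localhost. (1 3600 600 86400 60)",
        "@ IN NS localhost.",
    ]
    lines += [f"{d} CNAME ." for d in domains]
    # rpz-ip trigger fires on answers containing the IP:
    # <prefixlen>.<octets reversed>.rpz-ip
    lines += [f"32.{'.'.join(reversed(ip.split('.')))}.rpz-ip CNAME ."
              for ip in ips]
    return "\n".join(lines) + "\n"


def dns_wire_labels(domain):
    """DNS wire encoding of a name as Snort hex content: |len|label...|00|."""
    return "".join(f"|{len(lab):02x}|{lab}" for lab in domain.split(".")) + "|00|"


def to_snort(domains, ips, sid_start=9000001):
    """Snort/Suricata rules: DNS query per domain, TCP SYN per IP."""
    rules, sid = [], sid_start
    for d in domains:
        rules.append(
            'alert udp $HOME_NET any -> any 53 '
            f'(msg:"LOCAL DNS query for exploit domain {d}"; '
            # standard-query header: flags 0x0100, QDCOUNT 1, AN/NS/AR 0
            'content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; '
            f'content:"{dns_wire_labels(d)}"; nocase; distance:0; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        sid += 1
    for ip in ips:
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} any '
            f'(msg:"LOCAL connection to exploit host {ip}"; flags:S; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        sid += 1
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    doms, addrs = parse_indicators(SAMPLE_LIST)
    print(to_hosts(doms))
    print(to_rpz(doms, addrs))
    print(to_snort(doms, addrs))
```

The parser raises on anything that is neither a hostname nor an IP rather than silently dropping it, so a corrupted or obfuscated entry (such as a domain with digits inserted to defang it) is caught before it reaches a resolver or sensor. The DNS rule matches the queried name in wire format, so it is independent of how the exploit page obfuscates the hostname in JavaScript, but it still only covers the hosts on the list; as the diary says, a content signature for the malformed file itself (such as ET 2009493) catches the exploit regardless of which domain is serving it.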
AndreL 56 Posts, Jul 7th 2009
I am collaborating with one of the listed domains and have not found anything wrong so far.
How can I know who is listing my domain and what was found that caused it to be included in this "exploit domains" list? Any help will be appreciated.
Raulb 2 Posts, Jul 15th 2009
Send an email to handlers@sans.org with the domain in question and we will try to send you the full URL that was detected as hosting the exploit. It would be best if the person responsible for the domain contacted us directly rather than a third party.
AndreL 56 Posts, Jul 15th 2009
I sent a mail to handlers@ explaining the situation about a domain incorrectly listed (segu1-info2.com3.ar4 - delete the numbers). Please check it out ASAP. Thank you.
Cristian 1 Post, Jul 15th 2009
Thanks for the update on false positives.
I hope OpenDNS corrects the bad IP addresses which they are resolving now for the false-positive domains. It is strange they did not follow the authoritative DNS for those domains.
Raulb 2 Posts, Jul 15th 2009
To give one example of an avenue of attack by the bad guys for a site on this list: a user went down the rabbit hole when surfing to find free current movies to watch online and eventually hit srv.v-i-e-w.net, and the machine did NOT get infected despite several exploits there.
The site was on a colo in the Netherlands and the webserver no longer serves up any pages.
Andrew 41 Posts, Jul 15th 2009
Any chance someone has a copy of Maltego that they can throw all the domains into and provide a nice screenshot?
Andrew 1 Post, Jan 20th 2010