Heads up, folks, new Reg Exploit Kit domains reported....

The whole malware campaign started from a Dutch webhoster Webzilla, and some other Dutch hosters.

Now these new domains, often not yet blocked or given as malicious,
were reported by Security.NL’s SecGuru_OTX (info credits here should go to him!).

I give them as he gave them in his post at Security.nl news:

Do with this list as you see appropriate (add to a blocklist, block with block this link, add to IDS, etc.).

polonus (volunteer website security analyst and website error-hunter)

Some sources are known to soon add such threats like here: http://www.unmaskparasites.com/security-report/?page= for instance.

Example from those domains given above in the thread:
URL: htxp://toruntower.net
Google: listed as suspicious, but Google Safe Browsing does not seem to have it as yet.

https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html#url=toruntower.net
Also, DrWeb does not have it listed.

Fortinet’s IDS on urlquery.net scan alerts malware: http://urlquery.net/report.php?id=1476141253402

polonus

As always, thanks for the great information. 8)

@dbrisendine,

Hopefully they all get added here: -https://www.malwaredomainlist.com/mdl.php?search=Exploit+Kit&colsearch=All&quantity=50
Broke that link because all there should be considered malicious of sorts, so those that do not know what to do there should not visit this link. :wink:

Hope rules get added here as well: https://www.snort.org/search?page=550&query=1

pol