See: http://www.e-fensive.net/malware.pests - automated script generated & needs to be run at 16, 31, 46 and 01 on the hour
Anyone to comment? Stumbled upon it looking for results on a combined search on the terms urlquery & malvertiser:
http://www.google.nl/search?hl=nl&output=search&sclient=psy-ab&q=urlquery+malvertiser&btnK=
By the way these block rules are being updated on a daily basis: http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers-BLOCK.rules (IDS)
polonus
Damien,
Isn’t this basically the same as adding items to your hosts file ???
How much of a slow down does this produce ???
Hi bob3160,
Not much performance is being lost, same as subscribing to an additional list for ABP.
Some other light ones here: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
Slowing down can be repaired easily by a regular emptying of your browser cache.
polonus
Hi bob3160,
Know that with a combination of some extensions in the browser or some services already available to everyone like Google Safebrowsing inside Google Chrome the major scope of this list is being covered. Checked against URL blacklisted by Google Safe Browsing: goog-malware-shavar…
For instance look at this one from that list: http://www.scumware.org/report/samitam.ru
This is flagged by Google Safebrowsing-> https://www.google.com/safebrowsing/diagnostic?site=90.156.201.38&IP=on
And it should be on a permanent list because the malware found there has status “LONG OVERDUE” being on there for 733.3 hrs, malware = HTML/Rce.Gen5, → avast detects as JS:Redirector-ZK [Trj] → http://zulu.zscaler.com/submission/show/29161321d0cbebfa1a02e3fbb1fcb6f0-1349858811
Site is abusing a then IE Zero-day exploit detected as HTML/Flashload.a and HTML/Flashload.b.
polonus
A new fight against a new threat, a malware botnet going by the name Aidra, see: http://www.atma.es/#aidra
It is a pity that their blocklist had to be discontinued during 2012, partly because of the Spanish economic hard times they could no longer afford these “pro deo” activities. But their fight and detecting goes on…
Aidra and formerly Hydra is another name for what is described here: http://www.kaspersky.co.uk/news?id=207576372 (investigation by Kaspersky)
and this is also part of it: https://blog.damballa.com/archives/1810 authors Damballa’s Manos Antonakakis, Jeremy Demar, Kevin Stevens and David Dagon.
from the same authors: https://www.damballa.com/downloads/r_pubs/Damballa_tdss_tdl4_case_study_public.pdf
This botnet will use DGAs in order to evade network-level domain blacklists.
We see numerous cleansing routines for this type of malware performed by our qualified malware removal experts on our forums, like essexboy, oldman, magna86, jeffc, Argus etc.
Some are found on here this listing: http://spameater.com/blacklist.global.php (spam eater is a paid spam blocker solution/robot driven)
DGA-based malware use an algorithm to pick out candidate domain names in order to hunt for their prospective C&C servers. The vast majority of the domain names they’re looking for simply don’t exist. In the world of DNS, attempting to resolve a domain name that doesn’t exist will result in a “no such domain”
But our friend, !Donovan, has evaluated and cracked the predictability of the algorithm that creates these random future domain names, so we know what we have to look out for. He certainly deserves kudos for that achievement. We stumbled upon these schemes from malware site analysis in the virus and worms section and so A could lead to B etc… So we can defend ourselves against these malcreants/cybercriminals, it just demands the extra effort from our side and a clever and persistent analyst…
polonus
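The post above describes the defender's handle on DGA malware: a bot hunting for its C&C resolves many candidate names that do not exist, so one infected client produces a burst of "no such domain" (NXDOMAIN) answers at the resolver. The following script is an added example of that detection idea written for this thread; it is not code from the thread, from !Donovan, or from Damballa. It assumes a simplified, constructed log layout of `client qname rcode` per line (real resolver logs such as BIND query logs differ and would need their own regex) and uses two assumed thresholds: at least four NXDOMAIN answers per client, and a Shannon entropy of at least 3.0 bits over the second-level label to separate algorithmic-looking names from a plain typo.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS answer log: "<client> <queried name> <rcode>".
# The layout and all values are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.9 xk3jd8qlmz.com NXDOMAIN
10.0.0.9 q9wvmzpl2a.net NXDOMAIN
10.0.0.9 zb7lqkt0xr.org NXDOMAIN
10.0.0.9 m2cpx8vqzl.info NXDOMAIN
10.0.0.9 h4ktz9wqnb.com NXDOMAIN
10.0.0.9 update.example.org NOERROR
10.0.0.5 typo-domian.example NXDOMAIN
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def parse_lines(text):
    """Turn the assumed log layout into a list of dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def second_level_label(qname):
    """'xk3jd8qlmz.com' -> 'xk3jd8qlmz'; the label a DGA actually generates."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_dga_suspects(records, nx_threshold=4, entropy_threshold=3.0):
    """Flag clients with many NXDOMAIN answers for high-entropy names.

    Returns {client: {"nxdomain": total NXDOMAIN count,
                      "high_entropy": count above the entropy threshold,
                      "samples": up to three of those names}}.
    """
    per_client = defaultdict(list)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            per_client[r["client"]].append(r["qname"])

    suspects = {}
    for client, names in per_client.items():
        if len(names) < nx_threshold:
            continue  # a handful of typos is normal
        high = [n for n in names
                if shannon_entropy(second_level_label(n)) >= entropy_threshold]
        if len(high) >= nx_threshold:
            suspects[client] = {"nxdomain": len(names),
                                "high_entropy": len(high),
                                "samples": high[:3]}
    return suspects


if __name__ == "__main__":
    for client, info in find_dga_suspects(parse_lines(SAMPLE_LOG)).items():
        print(f"{client}: {info['nxdomain']} NXDOMAIN, "
              f"{info['high_entropy']} high-entropy, e.g. {info['samples']}")
```

On the constructed sample only 10.0.0.9 is reported; 10.0.0.5 has a single failed lookup of a readable name and stays below both thresholds. In production the entropy filter is a heuristic, not proof: CDN and tracking hostnames are often random-looking too, so a hit is a lead for the kind of analysis described in this thread, to be confirmed against the host and against lists like the Emerging Threats rules mentioned earlier.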