Wednesday, 10 December 2008
IE7 0-Day Exploit Sites
As many of you have seen, there is a new 0-day exploit in the wild affecting Internet Explorer 7 users. It is being actively exploited and was not fixed in yesterday's Microsoft patch release, meaning there is no patch available yet. Visiting a website hosting this exploit can result in a full compromise of an affected system; currently most of the exploits out there attempt to download a trojan onto the system. Shadowserver is aware of several hosts currently serving exploit code for this vulnerability, and we are sharing this information so that it can be used for protection and detection. However, we strongly discourage visiting these sites for any reason. DO NOT visit the sites below, as they currently house live exploit code for the new IE7 0-day. Most if not all of them also house exploits for several other vulnerabilities.
We came across a good many of these ourselves and also had help from others in the security community who shared sites with us. We would like to thank them; the information can now be passed on to you for mitigation. If you know of other sites that should be added to this list of IE7 exploit sites (for the current 0-day issue), please drop us a line - steven [at] shadowserver [dot] org.
Domains known to be currently exploiting this vulnerability:
baidu.bbtu01.cn - 184.108.40.206
baidu.bbtu02.cn - 220.127.116.11
baidu.bbtu03.cn - 18.104.22.168
baidu.bbtu04.cn - 22.214.171.124
baidu.bbtu05.cn - 126.96.36.199
baidu.bbtu06.cn - 188.8.131.52
baidu.bbtu07.cn - 184.108.40.206
baidu-baiduxin1.cn - 220.127.116.11
baidu-baiduxin2.cn - does not resolve - possibly hostile in the future
baidu-baiduxin3.cn - 18.104.22.168
baidu-baiduxin4.cn - 22.214.171.124
baidu-baiduxin5.cn - 126.96.36.199
baidu-baiduxin6.cn - 188.8.131.52
baidu-baiduxin7.cn - 184.108.40.206
baidu-baiduxin8.cn - 220.127.116.11
baidu-baiduxin9.cn - 18.104.22.168
baidu-baiduzi1.cn - 22.214.171.124
baidu-baiduzi2.cn - 126.96.36.199
baidu-baiduzi3.cn - 188.8.131.52
baidu-baiduzi4.cn - 184.108.40.206
baidu-baiduzi5.cn - 220.127.116.11
baidu-baiduzi6.cn - 18.104.22.168
baidu-baiduzi7.cn - 22.214.171.124
baidu-baiduzi8.cn - 126.96.36.199
baidu-du1.cn - 188.8.131.52
baidu-du2.cn - 184.108.40.206
baidu-du3.cn - 220.127.116.11
baidu-du4.cn - 18.104.22.168
baidu-du5.cn - 22.214.171.124
baidu-du6.cn - 126.96.36.199
baidu-du7.cn - 188.8.131.52
baidu-du8.cn - 184.108.40.206
baidu-du9.cn - 220.127.116.11
sllwrnm1.cn - 18.104.22.168
sllwrnm2.cn - 22.214.171.124
sllwrnm3.cn - does not resolve - possibly hostile in the future
sllwrnm4.cn - 126.96.36.199
sllwrnm5.cn - 188.8.131.52
sllwrnm6.cn - 184.108.40.206
sllwrnm7.cn - 220.127.116.11
sllwrnm8.cn - 18.104.22.168
sllwrnm9.cn - 22.214.171.124
sllwrnm10.cn - 126.96.36.199
sllwbd1.cn - 188.8.131.52
sllwbd2.cn - 184.108.40.206
sllwbd3.cn - 220.127.116.11
sllwbd4.cn - 18.104.22.168
sllwbd5.cn - 22.214.171.124
sllwbd6.cn - 126.96.36.199
sllwbd7.cn - 188.8.131.52
sllwbd8.cn - 184.108.40.206
sllwbd9.cn - 220.127.116.11
sllwbd10.cn - 18.104.22.168
zlwrnm1.cn - does not resolve - possibly hostile in the future
zlwrnm2.cn - does not resolve - possibly hostile in the future
zlwrnm3.cn - does not resolve - possibly hostile in the future
zlwrnm4.cn - does not resolve - possibly hostile in the future
zlwrnm5.cn - 22.214.171.124
zlwrnm6.cn - does not resolve - possibly hostile in the future
zlwrnm7.cn - 126.96.36.199
zlwrnm8.cn - 188.8.131.52
zlwrnm9.cn - 184.108.40.206
zlwrnm10.cn - 220.127.116.11
zlwrnm11.cn - 18.104.22.168
zlwrnm12.cn - 22.214.171.124
zlwrnm13.cn - 126.96.36.199
zlwrnm14.cn - 188.8.131.52
zlwrnm15.cn - 184.108.40.206
zlwrnm16.cn - does not resolve - possibly hostile in the future
zlwrnm17.cn - 220.127.116.11
zlwrnm18.cn - 18.104.22.168
zlwrnm19.cn - 22.214.171.124
zlwrnm20.cn - 126.96.36.199
360avva.akvvv.cn - 188.8.131.52
vip.4s3w.cn - 184.108.40.206
cc4y7.cn - 220.127.116.11
hhhh8886.cn - 18.104.22.168
qqqqttrr.cn - 22.214.171.124
rrrrrrryyy.cn - 126.96.36.199
wwwwyyyyy.cn - 188.8.131.52
fyesn.cn - 184.108.40.206
-- The above list is the data we have as of December 10, 2008 - 20:26 UTC/GMT --
baidu.baibai1.cn - 220.127.116.11
baidu.xinlang1.cn - 18.104.22.168
cc4y6.cn - 22.214.171.124
cc4y8.cn - 126.96.36.199
Updated 12/12/2008 - 14:17 UTC/GMT:
www.17gamo.com - 188.8.131.52 *seen from SQL injection attacks*
www.comefood.com - 184.108.40.206
bzka.3322.org - 220.127.116.11
lianrong.com.cn - 18.104.22.168
doubleluck.com.cn - 22.214.171.124
dingli.net - 126.96.36.199
www.mianfei58.cn - 188.8.131.52
www.yhgames.com - 184.108.40.206
iuwei.com - 220.127.116.11
www.6dsoft.cn - 18.104.22.168
w.c66i.cn - 22.214.171.124
www.800.look.tw - 126.96.36.199 *legit site that was hacked - now clean*
b81.8800.org - 188.8.131.52
web.jha2.cn - 184.108.40.206
Updated 12/16/2008 - 13:09 UTC/GMT:
vw.wd2a.cn - 220.127.116.11
927.bigwww.com - 18.104.22.168
h3hs4.cn - 22.214.171.124
buxhere.com - 126.96.36.199
517wyt.com - 188.8.131.52
googlehk.3322.org - 184.108.40.206
congs.zziyuan.com - 220.127.116.11
cookie7.cn - 18.104.22.168
mm.hacker315.cn - 22.214.171.124
ak136.justcctv6.cn - 126.96.36.199
china-jinpin.com - 188.8.131.52
zief.pl - 184.108.40.206 *well known hostile domain (Virut)*
1ku.cn - 220.127.116.11
kkkkppp.cn - 18.104.22.168
22.214.171.124 - no DNS
ptxk.com - 126.96.36.199
1ku.cn - 188.8.131.52
97.zjz-004.com - 184.108.40.206
ok16899.cn - 220.127.116.11
entmba.com - 18.104.22.168
cznutchuei.cn - 22.214.171.124
dmc.hb.cn - 126.96.36.199
mba.beisen.com - 188.8.131.52
184.108.40.206 - no DNS
worldvedrcoo.com - 220.127.116.11
sothink1.cn - 18.104.22.168
sothink2.cn - 22.214.171.124
sothink3.cn - 126.96.36.199
sothink4.cn - 188.8.131.52
sothink5.cn - 184.108.40.206
sothink6.cn - 220.127.116.11
sothink7.cn - 18.104.22.168
sothink8.cn - 22.214.171.124
sothink9.cn - 126.96.36.199
sothink10.cn - 188.8.131.52
s.ardoshanghai.com - 184.108.40.206
wieyou.com - 220.127.116.11
abcrot.cn - 18.104.22.168
ak136.justbt1.cn - 22.214.171.124
www.golfinau.com - 126.96.36.199
w.c66b.cn - 188.8.131.52
w.c66d.cn - 184.108.40.206
w.c66f.cn - 220.127.116.11
w.c66g.cn - 18.104.22.168
jcl-0006.cn - 22.214.171.124
jcl-0007.cn - 126.96.36.199
252623.cn - 188.8.131.52
www.633r.com - 184.108.40.206
www.zjz-aaa.cn - 220.127.116.11
www.zjz-bbb.cn - 18.104.22.168
www.zjz-ccc.cn - 22.214.171.124
www.zjz-ddd.cn - 126.96.36.199
www.zjz-eee.cn - 188.8.131.52
www.zjz-fff.cn - 184.108.40.206
www.zjz-ggg.cn - 220.127.116.11
www.zjz-hhh.cn - 18.104.22.168
www.zjz-iii.cn - 22.214.171.124
dx.dxwyt1.com - 126.96.36.199
97.zjz-001.com - 188.8.131.52
97.zjz-002.com - 184.108.40.206
97.zjz-003.com - 220.127.116.11
www.federalservicesinfo.com - 18.104.22.168
We would like to thank Websense Security Labs and Ivan Macalintal from Trend Micro, the Microsoft Malware Protection Center team, Jonas Lindebring, Johan Dalesjö, and several other anonymous contributors for additions to this list.
The following sites have not been seen hosting the IE7 exploits but are closely associated with above sites and should be considered for blocking/monitoring:
cc4y1.cn - 22.214.171.124
cc4y2.cn - 126.96.36.199
cc4y3.cn - 188.8.131.52
cc4y4.cn - 184.108.40.206
cc4y5.cn - 220.127.116.11
cc4y9.cn - 18.104.22.168
baidu.baibai2.cn - 22.214.171.124
baidu.baibai3.cn - 126.96.36.199
baidu.baibai4.cn - 188.8.131.52
baidu.baibai5.cn - 184.108.40.206
baidu.xinlang2.cn - 220.127.116.11
baidu.xinlang3.cn - 18.104.22.168
baidu.xinlang4.cn - 22.214.171.124
You may have noticed that a relatively small number of IP addresses are involved in our list. It appears that some of the attackers have created many domains serving essentially the same set of exploits from the same few hosts. We will be updating this list as we get more.
Detection and Prevention
Right now there are just a few things you can do to detect and prevent this. Emerging Threats has released a few Snort rules for the exploit. However, these will only detect the specific unmodified variants they were written for, so do not consider them foolproof. It can't hurt to deploy the rules, though.
For prevention, the first step you can take is to block the above domains and/or IP addresses. These sites are for the most part hosting a bunch of bad stuff and not just an IE7 exploit. However, there are certainly sites we have missed, and new ones will pop up frequently, so blocking alone will not stop it all either. The only other real option against this exploit for now is the obvious one: do not use IE7 until the issue has been resolved. If you are aware of other fixes, please feel free to shoot them our way.
Updated: Microsoft has released a security advisory detailing this vulnerability. It lists additional workarounds, such as enabling DEP for IE7. Please take a look.
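The blocking and log-review steps above, as an added example that is not part of the original post or of Shadowserver's tooling: a small Python script that parses a "domain - IP" list in the format this post uses (including the "does not resolve" and "no DNS" entries and the free-text notes), groups the domains by hosting IP (the pattern noted above, where many domains sit on a few hosts), and then runs the resulting domain and IP indicators over squid-style proxy log lines. The indicator entries and the log lines are constructed for the example and use RFC 5737 documentation addresses, not the addresses from the post.

```python
"""Build a blocklist from a 'domain - ip' indicator list and scan proxy logs with it.
Added example, not code from the post; all indicators and log lines below are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed indicators in the post's format (RFC 5737 test addresses, not the post's data).
SAMPLE_INDICATORS = """\
baidu.bbtu01.cn - 203.0.113.10
baidu-baiduxin2.cn - does not resolve - possibly hostile in the future
sllwrnm1.cn - 203.0.113.10
zief.pl - 203.0.113.20 *well known hostile domain (Virut)
203.0.113.30 - no DNS
www.800.look.tw - 203.0.113.40 * legit site that was hacked - now clean
"""

# Constructed squid native access.log lines:
# time elapsed client code/status bytes method url user peer/host content-type
SAMPLE_LOG = """\
1228940000.101 245 10.0.0.5 TCP_MISS/200 1834 GET http://baidu.bbtu01.cn/index.html - DIRECT/203.0.113.10 text/html
1228940001.202 120 10.0.0.6 TCP_MISS/200 911 GET http://www.sllwrnm1.cn/a.js - DIRECT/203.0.113.10 application/x-javascript
1228940002.303 98 10.0.0.7 TCP_MISS/200 512 GET http://notsllwrnm1.cn/ - DIRECT/198.51.100.7 text/html
1228940003.404 77 10.0.0.8 TCP_MISS/200 4096 GET http://cdn.example.net/lib.js - DIRECT/203.0.113.30 application/x-javascript
1228940004.505 60 10.0.0.9 TCP_HIT/200 2048 GET http://www.example.com/ - NONE/- text/html
"""


@dataclass(frozen=True)
class Indicator:
    host: Optional[str]  # None for IP-only entries ("x.x.x.x - no DNS")
    ip: Optional[str]    # None when the list says the name does not resolve
    note: str            # free text after the address, kept for the analyst


def parse_indicators(text: str) -> list[Indicator]:
    """Parse 'name - ip [note]', 'name - does not resolve ...' and 'ip - no DNS' lines."""
    out: list[Indicator] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("--"):      # skip blanks and the '-- as of ... --' marker
            continue
        left, _, rest = line.partition(" - ")
        rest = rest.strip()
        if IPV4.match(left):                        # IP-only entry
            out.append(Indicator(None, left, rest))
            continue
        first, _, note = rest.partition(" ")
        if IPV4.match(first):
            out.append(Indicator(left.lower(), first, note.strip()))
        else:                                       # "does not resolve - possibly hostile ..."
            out.append(Indicator(left.lower(), None, rest))
    return out


def domains_by_ip(indicators: Iterable[Indicator]) -> dict[str, list[str]]:
    """Pivot on hosting IP: shows which addresses serve many of the listed domains."""
    groups: dict[str, set[str]] = defaultdict(set)
    for i in indicators:
        if i.host and i.ip:
            groups[i.ip].add(i.host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def host_is_blocked(hostname: str, blocked_domains: Iterable[str]) -> Optional[str]:
    """Exact or subdomain match. 'notsllwrnm1.cn' must NOT match 'sllwrnm1.cn', so the
    suffix test requires a leading dot."""
    h = hostname.lower().rstrip(".")
    for d in blocked_domains:
        if h == d or h.endswith("." + d):
            return d
    return None


def scan_proxy_log(log_lines: Iterable[str], indicators: Iterable[Indicator]) -> list[tuple[str, str, str]]:
    """Return (client, requested host, reason) for every line that hits a domain or an IP indicator.
    The IP check catches requests to domains not yet on the list but served from a listed host."""
    inds = list(indicators)
    domains = {i.host for i in inds if i.host}
    ips = {i.ip for i in inds if i.ip}
    hits: list[tuple[str, str, str]] = []
    for line in log_lines:
        f = line.split()
        if len(f) < 9:
            continue
        client, url, peer = f[2], f[6], f[8]
        host = urlsplit(url).hostname or ""
        peer_ip = peer.split("/", 1)[1] if "/" in peer else ""
        d = host_is_blocked(host, domains)
        if d:
            hits.append((client, host, f"domain:{d}"))
        elif peer_ip in ips:
            hits.append((client, host, f"ip:{peer_ip}"))
    return hits


if __name__ == "__main__":
    inds = parse_indicators(SAMPLE_INDICATORS)
    for ip, hosts in domains_by_ip(inds).items():
        print(ip, "->", ", ".join(hosts))
    for client, host, why in scan_proxy_log(SAMPLE_LOG.splitlines(), inds):
        print(f"{client} requested {host} ({why})")
```

The fourth log line shows why the IP indicators matter: `cdn.example.net` is not on the list, but the request was served from a listed address, so it is flagged. The post also marks `www.800.look.tw` as a legitimate site that has since been cleaned; the parser keeps that note on the entry rather than deciding for you whether it stays in a production blocklist.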
Posted December 10, 2008, at 12:22 PM by Steven Adair