- 29.01.2009: Asprox Goes Phishing Again
- 24.01.2009: More Waledac Domains to Block
- 22.01.2009: Asprox - It's Baaaaaaack
- 19.01.2009: Inauguration Themed Waledac - New Tactics & New Domains
- 09.01.2009: Waledac Domains - Updated List
- 31.12.2008: Waledac is Storm is Waledac? Peer-to-Peer over HTTP.. HTTP2p?
- 11.12.2008: See below.
- 10.12.2008: IE7 0-Day Exploit Sites
- 05.12.2008: Anti-Fraud Website Under Constant DDoS Attack
- No entries for November 2008.
Thursday, 11 December 2008
IE7 0-Day Exploit Gets Worse
It should be no surprise that it's getting a little worse. ISC is now reporting that at least one website that exploits the IE7 vulnerability (among others) is now being SQL injected into websites across the Internet. We have since updated our list of hostile domains on our page from yesterday. You can visit that page at the following URL:
We will continue to update this in the near term as we learn of more domains taking advantage of this vulnerability.
Nasty Remote Access Trojan (RAT) Malware
It turns out the domain that ISC is reported on is also dropping some pretty nasty malware. The domain "17gamo.com" is serving up the exploits which attempt to download malware from "www.steoo.com". Please do not visit either of these sites. If successful the exploits will install a Gh0st RAT on the system. This trojan is currently using the DNS name "evetlog.3322.org" and is beaconing to tcp port 3020.
We recommend blocking or looking for traffic to all of the sites we list above, but in particular as it related to this threat the following:
www.17gamo.com - 126.96.36.199 www.steoo.com - 188.8.131.52 evetlog.3322.org - 184.108.40.206 (was recently 220.127.116.11]
The IP addresses are of course subject to change, so we recommend resolving them when appropriate for traffic monitoring/blocking.
We have developed Snort rules that will pickup this traffic that can be used:
Both the client and server send and respond with "Gh0st" in the beginning data for their packets. We hope to have these up at Emerging Threats soon, possibly with some additional improvements.
=>Posted December 11, 2008, at 09:48 AM by Steven Adair