

Major Stealthy Malware Campaign – 711 Domains Taken Down

Starting sometime around November 6th, many attacks were observed coming from strangely named domains such as us.bf9.info, us.bp0.info, us.bn3.info, etc. The attackers employed some code splitting techniques to make their scripts more stealthy by moving suspicious shellcode from inside the primary exploit script to a secondary script. The attacks were being delivered through advertisements which [...]

One Click Hosting Spreads Banking Trojan

While this is not totally new, I only recently came across my first event involving a one click host serving malware. What is one click hosting? These are providers which you have probably heard of before such as RapidShare, Megaupload, yousendit and many, many more. Wikipedia has a listing of many of them. These providers [...]

Finding the Unknown – Detecting Emailed Malware Waves

In a previous post I discussed using the technique of watching for the transfer of executable files around the network as a method of intrusion detection. This is a great way of discovering machines that were attacked where IDS failed to detect the exploit(s) due to obfuscation. Another method I’d like to highlight is looking for [...]

Sources of Badness – Still Trade LTD

The absolute worst culprit that I’ve come across so far in terms of bad IPs is Still Trade LTD from Russia. They have their own /24, AS47486. Out of 34 web servers in their IP block, 30 are bad. Spamhaus has the block blacklisted as a source of crimeware, see their report here.
person: [...]

Sources of Badness – Starline Web Services

Next up, we have Starline Web Services, based in Estonia. Starline was recently in the news for briefly hosting a Srizbi C&C, as reported by FireEye.
inetnum: 92.62.101.0 – 92.62.101.255
netname: STARLINE_EE
descr: Starline Web [...]

Sources of Badness – PortNAP

One of the smaller hosts I’ve identified is PortNAP Internet Services. They appear to get their service from Grafix Internet B.V. We’ve seen fake anti-virus coming from 3 of their IPs in two different /24 subnets registered to PortNAP, 84.243.196.0 – 84.243.197.255.

inetnum: 84.243.197.0 – 84.243.197.255
netname: [...]