RFI Attacks

Inside the Massive Gumblar Attack

I first found out about Gumblar a couple of days ago via one of ScanSafe’s blog posts. Responsible for 42% of “all malicious infections found on websites” (Sophos) during a 7-day period, Gumblar (JSRedir-R) has been extremely effective at propagating. Many bloggers have been focusing on the script involved in the attack, not so [...]


Sources of Badness – ZlKon – Round 2

It’s my first day back on the job and I decided to do a little hunting to see what this notorious hosting provider has been up to while I was gone. Unsurprisingly, we saw a large number of attacks from this hosting company. They all appear to be fake anti-virus related. Given the age [...]


Sources of Badness – Still Trade LTD

The absolute worst culprit that I’ve come across so far in terms of bad IPs is Still Trade LTD from Russia. They have their own /24, AS47486. Out of 34 web servers in their IP block, 30 are bad. Spamhaus has the block blacklisted as a source of crimeware, see their report here. person: Perevitskiy [...]


Sources of Badness – Starline Web Services

Next up, we have Starline Web Services, based in Estonia. Starline was recently in the news for briefly hosting a Srizbi C&C as reported by FireEye.

inetnum: 92.62.101.0 – 92.62.101.255
netname: STARLINE_EE
descr: Starline Web Services
country: EE
admin-c: VN268-RIPE
tech-c: VN268-RIPE
status: ASSIGNED PA
mnt-by: AS39823-MNT
changed: roman@compic.ee 20080403
e-mail: info@starline.ee
abuse-mailbox: abuse@starline.ee
source: [...]


Sources of Badness – PortNAP

One of the smaller hosts I’ve identified is PortNAP Internet Services. They appear to get their service from Grafix Internet B.V. We’ve seen fake anti-virus coming from 3 of their IPs in two different /24 subnets registered to PortNAP, 84.243.196.0 – 84.243.197.255.

inetnum: 84.243.197.0 – 84.243.197.255
netname: GFX-CUST-PORTNAP
descr: PortNAP Internet Services
org: ORG-PIS13-RIPE [...]


Sources of Badness – ZlKon

After a weekend hiatus, I’m back with the next host of interest – ZlKon.

role: ZlKon HostMaster
address: Lilijas iela 4-74
address: Riga, LV-1055
address: Latvija
phone: +371 26330593
e-mail: hostmaster@zlkon.lv
admin-c: AD5952-RIPE
tech-c: AD5952-RIPE
nic-hdl: ZK508-RIPE
mnt-by: ZLKON-MNT
changed: hostmaster@zlkon.lv 20081125
source: RIPE
abuse-mailbox: abuse@zlkon.lv

Based in Latvia, ZlKon seems to have a high [...]
