July 4th, 2009 by Steven Adair
Just put up a new post on the Shadowserver page on July 4th/Independence Day spam campaign activity. It includes several new domains:
The page links to Jeremy @ sudosecure.net’s write-up as it already has good details on the campaign.
Steven
Posted in Waledac, Malware, Botnets, Spam
January 24th, 2009 by Steven Adair
Got the full list also being updated and posted on the Shadowserver website at the following URL:
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
However, just wanted to reiterate to people that you should block all of these domains:
Also, if you are interested in all things Waledac (omghi2u!), check out Jeremy’s Waledac tracker here:
http://sudosecure.net/waledac/
Posted in Malware, Waledac, Exploits, Botnets, Spam, Storm Worm
February 12th, 2008 by Steven Adair
It looks like SecureWorks with the assistance of Team Cymru and myNetWatchman have solved some of the mystery surrounding this trojan that suddenly found itself in the press. It’s apparently in some ways related to what some AV vendors have previously referred to as “Ozdok”. Interesting name at least. You can read more about this [solved] mystery at http://www.secureworks.com/research/threats/ozdok/?threat=ozdok. I am sure you all have been on the edge of your computer chairs just dying to find out more. Now you can fall off with joy!
Now for the next update you’ve been waiting for: Storm Worm! It’s got a new executable called valentine.exe. Really is that all? Oh man - the excitement does not end there folks. If you are lured onto the website you may be presented with any one of eight different Valentine’s Day themed pictures. The most interesting is one with Pooh Bear and Piglet. Not sure if they’re looking at each other as being each other’s valentine or not though. Anyway, we posted up some information on it Sunday at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080210.
Have a Happy Valentine’s Day! <3
Posted in Malware, Botnets, Spam, Storm Worm
February 3rd, 2008 by Steven Adair
It turns out there’s yet another botnet that’s growing pretty large in size and it’s apparently been dubbed Mega-D. According to this article the botnet presently accounts for 32% of all spam. The article does some comparison of it and the Storm Worm, which I don’t think is really an important comparison. The point is there’s yet another fun botnet out there, but it seems we’re short on details. I have no idea if this is just another name for something we’ve looked at already or if this is really something new altogether. If anyone has a little more information or a sample binary, please shoot me an e-mail.
Enjoy the Super Bowl if you’re watching today!
Posted in Botnets, Spam
January 8th, 2008 by Steven Adair
We have noticed some interesting activity by the Storm Worm crew lately. It seems they have continued to move their criminal empire into targeting banking information. This time there are two new domains:
i-barclays.com
i-halifax.com
These domains are on the fast flux network and hosting phishing scams looking to rip you off. There’s a good brief posting about it here from us at Shadowserver:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080108
It seems Fortinet had initially picked it up and SC Magazine has run a pretty good article with them that can be found in the above URL. Be on the lookout for these and others that follow.
Posted in Phishing, Botnets, Spam, Storm Worm
November 29th, 2007 by Steven Adair
Surfing through the CNN website earlier today I came across an article about cybercrime, botnets, the FBI, and what appears to be some updates/developments since Operation Bot Roast. It appears a teenager going by the handle “AKILL” from New Zealand is being questioned in relation to what might be a botnet case. I cannot say I recognize the name, but it’s good to see more is being done and that the knowledge is being spread here.
“Today, botnets are the weapon of choice for cyber criminals” -FBI Director Robert Mueller
It seems everyone is starting to get the big picture that botnets are more than just infected computers. They lead to fraud, identity theft, DDoS attacks, SPAM, and all kinds of other bad stuff. Perhaps we will now see even more law enforcement resources thrown at the problem.
Posted in Botnets