Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: IE 0day exploit domains (constantly updated) - SANS Internet Storm Center



This diary entry contains a list of domains that are exploiting the new IE 0day, as well as secondary domains that are hosting potentially malicious binaries used in these attacks. The list has been produced as a combined effort of researchers, vendors, and volunteers; you can thank the groups below for their efforts and their willingness to share this information with the public. It is intended to serve as a quick way to provide protection against these attacks by identifying domains that are hosting these (and potentially other) exploits. The list is not formatted for any specific file format; it is up to you, the reader, to translate this data into the format your environment requires.

** Regarding IDS/IPS signatures, I would highly suggest looking for the malformed file rather than trying to catch every permutation of the JS/HTML seen. Emerging Threats has a signature that looks for the malformed file; it can be found in their main rules file: 2009493 - ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit (emerging.rules)


This diary entry will be updated frequently. The information provided has had varying degrees of verification performed on it, and is therefore provided as is. There may well be mistakes, including mistakes that result in legitimate sites being blocked if you choose to use this list as a block list.


Link on how to leverage DNS to blackhole/redirect queries for these domains:

http://www.malwaredomains.com/bhdns.html


Massive thanks go to the following contributors:

Google
Websense
CSIS
UCSB-Wepawet
IBM X-Force
Sunbelt Software
Telenor SOC
blog.zol.com.cn

 

List of exploit domains:

vip762.3322.org
3b3.org
www.27pay.com
www.hao-duo.com
dump.vicp.cc
64tianwang.com
webxue38.3322.org
556622.3322.org
jfg1.3322.org
df56y.3322.org
javazhu.3322.org
8dfgdsgh.3322.org
ceewe3w2.cn
js.tongji.linezing.com
h65uj.8866.org
45hrtt.8866.org
8oy4t.8866.org
www.mjbox.com
2wdqwdqw.cn
www.vbsjs.cn
cdew32dsw.cn
qvod.y2y2dfa.cn
kan31ni.cn
www.duiguide.us
gkiot.cn
www.carloon.cn
movie.wildmansai.com
www.7iai.cn
www.jazzhigh.com
www.netcode.com
6ik76.8866.org
76ith.8866.org
qd334t.8866.org
u5hjt.8866.org
vpsvip.com
x16ake8.6600.org
www.huimzhe.cn
www.hostts.cn
ucqh.6600.org
qitamove.kmip.net
news.85580000.com
guama.9966.org
dx123.9966.org
ds355.8866.org
dnf.17xj.cn
dasda11d.cn
d212dddw.cn
ckt5.cn
ccfsdee32.cn
aaa.6sys6.cn
9owe2211.cn
8man7.3322.org
6gerere3e.cn
66yttrre.cn
tongji520.com


Second-stage domains (binaries are downloaded from these domains):

www.73yi.cn
w1.7777ee.com
w2.7777ee.com
w3.7777ee.com
w8.7777ee.com
w9.7777ee.com
milllk.com
haha999b.com
babi2009.com
haha888l.com
xin765.com


IPs (no domain name used in the exploit page):

110.165.41.103
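The diary leaves it to the reader to turn the list above into whatever format their environment takes, and points at the malwaredomains.com BIND blackhole how-to. The script below is an added example (not code from the ISC diary or from malwaredomains.com) that parses the diary's plain-text sections, de-duplicates them (45hrtt.8866.org appears twice in the list), rejects anything that is not a syntactically valid hostname or IPv4 address so a stray line cannot become a stanza that stops named from loading, and emits three formats: BIND "zone" stanzas in the style of the bhdns how-to, a hosts-file fragment, and Squid ACLs. The IP-only entry cannot be sunk in DNS, so it is emitted as a Squid dst ACL instead. The zone-file path, the sinkhole address and the ACL names are assumptions for the demonstration; the sample DIARY_TEXT is constructed from a few entries of the diary's own lists.

```python
"""Convert the ISC IE-0day domain list into block-list formats.

Added example, not part of the ISC diary. The zone file path, the sinkhole
address and the ACL names below are assumptions; adjust them for your site.
"""
import ipaddress
import re

# Constructed sample: a handful of lines copied from the diary's sections,
# including the duplicated domain and the IP-only entry, so each case is shown.
DIARY_TEXT = """
List of exploit domains:

vip762.3322.org
45hrtt.8866.org
www.27pay.com
45hrtt.8866.org

Second-stage domains (binaries are downloaded from these domains):

w1.7777ee.com

IPs (no domain name used in the exploit page):

110.165.41.103
"""

# RFC 1123 hostname labels: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def parse_list(text):
    """Return (domains, ips): lower-cased, de-duplicated, in first-seen order.

    Section headers and blank lines are skipped. A line that is neither a
    valid hostname nor an IPv4 address is dropped rather than passed through,
    because one malformed zone stanza makes named refuse the whole config.
    """
    domains, ips, seen = [], [], set()
    for raw in text.splitlines():
        token = raw.strip().lower().rstrip(".")
        if not token or token.endswith(":") or " " in token:
            continue  # blank line or a section header such as "List of exploit domains:"
        if token in seen:
            continue  # the diary lists 45hrtt.8866.org twice
        try:
            ipaddress.IPv4Address(token)
            ips.append(token)
            seen.add(token)
            continue
        except ValueError:
            pass
        if _HOSTNAME_RE.match(token):
            domains.append(token)
            seen.add(token)
    return domains, ips


def bind_zones(domains, zone_file="/etc/namedb/blockeddomain.hosts"):
    """BIND blackhole stanzas: each name becomes a locally authoritative zone
    whose (assumed) zone file answers every query with a sinkhole address."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains
    )


def hosts_file(domains, sink="127.0.0.1"):
    """hosts-file lines for endpoints that cannot use the blackhole resolver."""
    return "".join(f"{sink} {d}\n" for d in domains)


def squid_acl(domains, ips):
    """Squid ACLs. dstdomain without a leading dot matches the exact host;
    the IP-only entry needs a dst rule because no name is ever resolved."""
    lines = [f"acl ie0day_dom dstdomain {d}" for d in domains]
    lines += [f"acl ie0day_ip dst {ip}" for ip in ips]
    lines += ["http_access deny ie0day_dom", "http_access deny ie0day_ip"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    doms, addrs = parse_list(DIARY_TEXT)
    print(bind_zones(doms))
    print(hosts_file(doms))
    print(squid_acl(doms, addrs))
```

Paste the full domain and IP sections of the diary into DIARY_TEXT (or read them from a file) to generate the real lists. The parser only checks syntax; it does not decide whether a name belongs on the list, so the diary's false-positive warning still applies to whatever you block.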

AndreL

56 Posts
I am collaborating with one of the listed domains and cannot find anything wrong so far.
How can I know who is listing my domain and what was found that led to its inclusion in this "exploit domains" list?

Any help will be appreciated

Raulb

2 Posts
Send an email to handlers@sans.org with the domain in question and we will try to send you the full URL that was detected as hosting the exploit. It would be best for the person responsible for the domain to contact us directly rather than through third parties.
AndreL

56 Posts
I sent a mail to handlers@ explaining the situation about a domain that is incorrectly listed (segu1-info2.com3.ar4 - delete the numbers). Please check it out ASAP. Thank you.
Cristian

1 Posts
Thanks for the update on false positives.

I hope OpenDNS corrects the bad IP addresses that they are now resolving for the false-positive domains.
It is strange that they did not follow the authoritative DNS for those domains.
Raulb

2 Posts
To give one example of an avenue of attack by the bad guys for a site on this list: a user went down the rabbit hole while surfing to find free current movies to watch online and eventually hit srv.v-i-e-w.net, and the machine did NOT get infected despite several exploits there.

The site was on a colo in the Netherlands and the webserver no longer serves up any pages.
Andrew

41 Posts
Any chance someone has a copy of Maltego that they can throw all the domains in and provide a nice screenshot?