The RedRet connection..., (Tue, Dec 6th)

Have you ever wondered why we are in this security chaos these days?
Well, I have one simple explanation: besides one-offs like Stuxnet and Duqu, most current malware is simple, easy to understand and analyze. And why? Because it doesn't need to be really advanced...:) And the malware writers know it.
Take the BlackHole exploit kit gang for example. They have been out there for some time, renting and selling the kit, and at least one gang is responsible for the majority of the spam that is floating around, like "Your Flight Order NXXX", "ACH and wire transfer disabled" or "Scan from a Hewlett-Packard Officejet #XXX"... ALL of them contain a link to a hacked website that redirects to a redret...:)
But what is a redret ?
This is a redret :
These are all domains, still active and resolving, that host the BlackHole exploit kit itself (the actual kit, not the links in the spam)...
At this moment they are resolving to:


In the recent past, the following IPs were also observed hosting them:

188.190.99.26
87.120.41.191
94.199.53.14
89.208.34.116

I would recommend first checking your logs for those, and second, making good use of a regex, if you know what I mean...:)
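The regex hinted at above, as an added example that is not part of the diary: the listed domains all follow the shape "one or two letters, then redret.ru", so a proxy log can be checked for that pattern and for the IPs the diary lists. The squid-like log format and the log lines themselves are constructed for the example.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Hostname pattern behind the diary's domain list: one or two lowercase
# letters followed by "redret.ru". Anchored at both ends so an unrelated
# hostname that merely contains "redret" is not flagged.
REDRET_RE = re.compile(r"^[a-z]{1,2}redret\.ru$")

# IPs the diary reports as having hosted the kit ("recent past" list).
KNOWN_IPS = {"188.190.99.26", "87.120.41.191", "94.199.53.14", "89.208.34.116"}

# Constructed sample, squid-style: timestamp client action/status size method url
SAMPLE_LOG = """\
1323158401.123 10.0.0.5 TCP_MISS/200 4312 GET http://www.example.com/index.html
1323158402.456 10.0.0.7 TCP_MISS/200 812 GET http://agredret.ru/main.php?page=1a2b3c
1323158403.789 10.0.0.9 TCP_MISS/302 0 GET http://89.208.34.116/main.php
1323158404.012 10.0.0.5 TCP_MISS/200 22 GET http://notredret.ru/
1323158405.345 10.0.0.8 TCP_MISS/200 9000 GET http://BKREDRET.RU/x.php
"""


def host_of(url: str) -> str:
    """Return the lowercased hostname of a URL ('' if it cannot be parsed)."""
    return (urlsplit(url).hostname or "").lower()


def is_redret(host: str) -> bool:
    """True if host is a <1-2 letters>redret.ru name or one of the known IPs."""
    if REDRET_RE.match(host):
        return True
    try:
        return str(ipaddress.ip_address(host)) in KNOWN_IPS
    except ValueError:  # not an IP literal at all
        return False


def find_hits(log_text: str) -> list:
    """Return (client_ip, host) for every log line whose URL points at a redret host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line, skip it
        host = host_of(fields[5])
        if is_redret(host):
            hits.append((fields[1], host))
    return hits


if __name__ == "__main__":
    for client, host in find_hits(SAMPLE_LOG):
        print(f"{client} contacted {host}")
```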
-------------------------------------------------------------
Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.