The Storm worm is producing more binaries and infecting more sites than any company can keep up with. During the first ten days of October they made 1400 different binaries (that is 140 variants a day), bringing the botnet hunters' total to 43,897+ unique binaries for the Storm worm.
This means you will have to set your antivirus updates for critical machines to less than an hour and, in fact, limit your network traffic and email use to strict business use. Sorry folks, this is an avalanche.
http://www.disog.org/2007/11/mac-codec-trojan.html is the discussion about a Perl script that adapts the download to the OS of the machine and that, after installation, connects to a control server of a botnet (a number of infected computers under the control of a criminal company or hacker).
So stop having stupid 'which is safer' discussions and get your act together. Or do I have to remind you that Macintosh does for the moment next to nothing to educate its users about security, just luring them into the stupid and dangerous belief that they are safe because they use a Mac....
More about this Mac malware: http://isc.sans.org/diary.html?storyid=3595
The Safe Browsing API is an experimental API that enables client applications to check URLs against Google's constantly updated blacklists of suspected phishing and malware pages. Your client application can use the API to download an encrypted table for local, client-side lookups of URLs that you would like to check.
Here are some of the things you can do with the Safe Browsing API:
- Warn users before clicking on links that appear in your site when they lead to malware-infested pages.
- Prevent users from posting links to phishing pages from your site.
- Check a list of pages against Google's lists of suspected phishing and malware pages.
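As an added example (not part of the original post and not Google's own client code), this Python sketch shows the local-lookup step the API description refers to: canonicalize a URL, expand it into the host-suffix/path-prefix expressions the Safe Browsing scheme checks, hash each one and look it up in a local table. The table contents (example.net, example.org, 192.0.2.10), the use of plain SHA-256 and the simplified canonicalization are constructed assumptions; the real API delivers its own hashed and encrypted table format, which is not reproduced here.

```python
import hashlib
from urllib.parse import urlsplit, unquote

def canonicalize(url):
    """Lower-case host, drop fragment and empty labels, unescape path (simplified)."""
    parts = urlsplit(url.strip())
    host = ".".join(label for label in (parts.hostname or "").split(".") if label)
    path = unquote(parts.path) or "/"
    return host, path, parts.query

def host_suffixes(host):
    """Exact host plus up to four suffixes built from its last five labels."""
    labels = host.split(".")
    out = [host]
    if all(label.isdigit() for label in labels):   # IP literal: exact match only
        return out
    tail = labels[-5:]
    for i in range(len(tail) - 1):                  # never the bare TLD
        cand = ".".join(tail[i:])
        if cand not in out:
            out.append(cand)
    return out

def path_prefixes(path, query):
    """Exact path with and without query, then '/' and up to three directories."""
    out = [path + "?" + query] if query else []
    out.append(path)
    if "/" not in out:
        out.append("/")
    prefix = "/"
    for seg in path.split("/")[1:-1][:3]:
        prefix += seg + "/"
        if prefix not in out:
            out.append(prefix)
    return out

# Constructed local blacklist (assumption). A real table ships hashes only, never
# the plaintext expressions; a host-only entry ("host/") covers the whole site.
LISTED = ["malware.example.net/", "blog.example.org/wp-content/uploads/", "192.0.2.10/"]
TABLE = {hashlib.sha256(e.encode()).hexdigest(): e for e in LISTED}

def lookup(url, table=TABLE):
    """Return the listed expression that matches url, or None if it is not listed."""
    host, path, query = canonicalize(url)
    for h in host_suffixes(host):
        for p in path_prefixes(path, query):
            if hashlib.sha256((h + p).encode()).hexdigest() in table:
                return h + p
    return None

if __name__ == "__main__":
    for u in ["http://www.Malware.Example.net/foo/bar.html?x=1#frag",
              "http://blog.example.org/wp-content/uploads/evil.exe",
              "http://blog.example.org/about.html"]:
        print(u, "->", lookup(u))
```

Because host suffixes are tried before path prefixes, a listing of the bare host blocks every page under it, while a path listing leaves the rest of the site alone.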
An excellent way to block spammers, scrapers, and other scumbags easily and effectively. While there are many .htaccess tricks involving blocking domains, preventing access, and redirecting traffic, Apache's mod_rewrite module enables us to target bad agents by testing the user-agent string against a predefined blacklist of unwanted visitors. This was passed on; the original was at "Perishable Press", with a few tested additions.
It is well tested, and even though it is a large file there is no noticeable loss of speed, but a big improvement in bandwidth (note for BadWareAvenger)! For all: copy and paste it into .htaccess and enjoy the STOP :-) (source)
Ukraine is to cybercrooks what Turkey is for hackers: heaven, or a world where you can do everything you have always dreamed of without any danger of being caught by the government, as long as you leave them alone and only target foreigners.
One visit to their sites can bring tens to hundreds of malicious downloads, seen and unseen, behind and in front of your screen. And around 3 to 4 million people are being lured to their sites a month? If they continue like that they will get richer than the other multimillion-dollar cybercrook firm, Cool Web Search.
They are very powerful crooks. They launched the MPack attack against the Italian web, infecting more than 10.000 sites in a few days with all kinds of malicious downloads that visitors received and installed if they weren't protected. MPack is one of the most professional online crimeware packs for sale. And if you really try to hurt them businesswise, they will let some hackers mount a very targeted attack on you, as the Bank of India experienced. This was proof that targeted attacks by highly professional hackers are not something to underestimate if you are the victim. You only know it afterwards, because the attack was so limited at the start that you didn't notice (oh, one virus, or one computer behaving strangely), but after some time you won't know what hit you.
They lure people with links and advertising to fake antispyware and antivirus software that also promises to scan your machine (for vulnerabilities to exploit, yeah). You should really warn the people in your network not to download such software or let these servers scan their machines.
If you want to do it, use the big names; each has a free online scan service, and if you look for free personal-use antivirus there are AVG and Antivir and some others that are widely known, and Spybot Search & Destroy for antivirus.
Very useful listings can be found here and here, and if you really want to block them totally out of your network or protect your users the complete way, then you will find enough information here to do it. There are some legitimate Ukrainian users, but probably you don't need them, and if they want to be on the same network as those crooks, then it is their choice. If they were really that interested they would sue or change hosting. This is more difficult for the crooks, as they have built up a whole network of servers and services, and I am not sure other ISPs are very happy to take them on, even if they throw much money around. Everybody is for sale, but being blackholed by the cybercommunity carries the risk that if you need help against an attack or because you are the victim of a disaster, they will just stand by and say 'good riddance'.
For the moment they are like parasites that try to get into a network and then infect it. They mirror themselves in other networks and try to do the same. Either the networks cut out the cancer, or the cancer slowly takes over the body or makes it very sick as it spreads cyberinfections over the whole network it has infiltrated.
More blocking info
iframecash com = 220.127.116.11 = Hiding within Cogent Communications (DC, US) moved back onshore to the US from Aki Mon Telecom
iframecash net = 18.104.22.168 = Hiding within Net Access Corporation (NJ, US) - along with many (what look like) bank phishing domains
anonymous-service (dot) com = 22.214.171.124 = within ThePlanet com (US) & proxy registered via Global Net Access (US) - also key domains
adulthosting (dot) ru, aspmedia (dot) net, sexbomba (dot) ru, webmoney-hosting (dot) net
76service com = 126.96.36.199 = still within Noc4hosts Inc (FL, US) and proxy registered via Global Net Access - also key domains:
firstoceanicbank (dot) net, gamesboard (dot) ru, hydrometeocenter (dot) net, newpulses (dot) com, odeku (dot) net, putany (dot) net, sosnovsky (dot) net
Something is different. Sometimes they change domain names like men drink beer when they are together (using the taste formulae), but here it seems they are keeping the sites, site names and structure and just changing the IP addresses. For once you are not running behind IP addresses.
Best blog: http://rbnexploit.blogspot.com/
ISPs and hosters should become members of this group to get more detailed information they can act on: http://groups.google.com/group/russianbusinessnetwork