ISC StormCast for Tuesday, December 7th 2011 http://isc.sans.edu/podcastdetail.html?id=2176
Cain & Abel v4.9.43 Released - http://www.oxid.it/

C|Net download.com serving malware with nmap software

Published: 2011-12-06
Last Updated: 2011-12-06 06:40:53 UTC
by Kevin Shortt (Version: 1)
6 comment(s)

Fyodor from insecure.org and the creator of nmap has issued the following statement on the nmap-hackers mailing list today.

http://seclists.org/nmap-hackers/2011/5

nmap is one the most respected networking tools available.
This is just another example that it is easy to be duped.

Downloaders beware. Stay vigilant.

-Kevin
--
ISC Handler on Duty

Keywords: nmap
6 comment(s)

The RedRet connection...

Published: 2011-12-06
Last Updated: 2011-12-06 03:04:51 UTC
by Pedro Bueno (Version: 1)
2 comment(s)

Have you ever wondered why we are on this security chaos these days?

Well, I have one simple explanation, besides Stuxnets and DuQus oneof's , most of the current malware is simple, easy to understand and analyze. And Why? Because they dont need to be really advanced...:) And the malware writers know about it.

Take the BlackHole exploit kit gang for example, they are out there for some time, renting and selling the kit, and at least one gang is responsible for the majority of the spams that are floating around, like "Your Flight Order NXXX", "ACH and wire transfer disabled." , " Scan from a Hewlett-Packard Officejet #XXX"... ALL of them contain a link to a hacked website that redirects to a "redret"...:)

But what is a "redret" ?

This is a "redret" :

  • czredret.ru
  • curedret.ru
  • ctredret.ru
  • crredret.ru
  • bzredret.ru
  • byredret.ru
  • bxredret.ru
  • bwredret.ru
  • bvredret.ru
  • bsredret.ru
  • bpredret.ru
  • boredret.ru
  • blredret.ru
  • bkredret.ru
  • biredret.ru
  • bhredret.ru
  • bgredret.ru
  • bfredret.ru,
  • beredret.ru
  • bdredret.ru
  • bcredret.ru
  • bbredret.ru
  • aredret.ru
  • apredret.ru
  • amredret.ru
  • alredret.ru
  • akredret.ru
  • ajredret.ru
  • airedret.ru
  • ahredret.ru
  • agredret.ru
  • afredret.ru
  • aeredret.ru
  • adredret.ru
  • acredret.ru
  • abredret.ru
  • aaredret.ru

These are all domains still active/resolving that host BlackHole exploit kit, the actual one and not the links on the spams...

At this moment they are resolving to:

  • 95.163.89.193
  • 89.208.34.116
  • 94.199.51.108
  • 91.220.35.38
  • 77.79.7.136
  • 95.163.89.200
  • 91.228.133.120

In a recent past, the following IPs were also observed hosting them:

  • 188.190.99.26
  • 87.120.41.191
  • 94.199.53.14
  • 89.208.34.116

  

I would recommend, to first check your logs for those, and second make good use of a regex, if you know what I mean...:)

-------------------------------------------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure

 

2 comment(s)

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives