Monday, February 1, 2010

New Koobface Domains [Updated]

Following are several domains affiliated with the Koobface worm, most of which are new or not widely known yet in the security community:
Many of the Wepawet reports also include a number of malicious URLs hosted at various IP addresses, at least some of which appear to be individual infected PCs whose IPs are probably dynamically assigned by the ISP.

Credit to my wife for reporting suspicious bit.ly redirect URLs that were being spread by a hacked Facebook account, which led to my investigation and discovery of these domains.

*Note that some of these domains were registered years ago. Their homepages may or may not be safe, but specific URLs hosted on these domains redirect to malicious sites or contain malware. Until the site owners remove the infected pages, these domains should not be trusted.

UPDATE, 8 Feb 2010 @ 06:20 PST: Added a second batch of sites.
UPDATE, 8 Feb 2010 @ 13:40 PST: Added pablopicassosite and VirusTotal links.
UPDATE, 8 Apr 2010 @ 21:30 PDT: I recently noticed that the Unmask Parasites blog linked back to this post. They've added an incredible amount of depth to this discussion, so please check out their article.

