
Re: adblock subscriptions

Posted: Sat Jun 05, 2010 4:29 am
by therube

Code:

# MaliciousNetworks.org IP Blocklist
# Generated on 2010-06-04
#
#    (    (   (        
#    )\ ) )\ ))\ )     
#   (()/((()/(()/((    
#   /(_))/(_))(_))\   
#  (_))_(_))(_))((_) 
#   ___    __   ___ 
#  |__  | |__) |__  
#  |    | |  \ |___ 
#
(Line art or ascii art ... Just a guy having a little fun. How's that not "professional"?
I don't believe in using HOSTS files in this manner, but that's just me.
Actually, there were issues (now resolved) in doing so in certain versions of Windows (which versions escape me now).)

Re: adblock subscriptions

Posted: Wed Jun 09, 2010 4:48 am
by Tom T.
Guest wrote:
Tom T. wrote: I chose *one* IP randomly from the FIRE list, 64.12.164.247.

That traces to http://icq-mv02.coreweb.aol.com/ -- an ICQ site.
Perhaps ICQ on IP 64.12.164.247 on AS1668 is also being used by someone as a botnet command and control server, on June 3, 2010.

http://www.maliciousnetworks.org/ipinfo ... 2010-06-03
http://www.maliciousnetworks.org/chart.php?as=AS1668

ICQ Botnet Communications
http://4.bp.blogspot.com/_wICHhTiQmrA/R ... botnet.jpg
http://ddanchev.blogspot.com/2007/03/bo ... forms.html


This post is not supposed to mean more than what it says.
OK. But I'm not clear on a couple of things. One is that does that necessarily imply that merely visiting that site, as I did, automatically infects (or attempts to infect) one with malware? Surely NoScript, my anti-virus, and other tools would have detected the same. Or if they were disguised as the AOL, ICQ, and Facebook objects shown in NoScript, then the site should be notified of same. Does FIRE do this?

Another is my original complaint on the format of the list. Must one take every single entry and look up the links, as you did, or trace them through traceroute and visit them, as I did, to determine the URL and domain name/owner? The Hosts services mentioned have that information in plain-text, readable form, right there in the blacklist. The FIRE list is information-free.

I don't use IRC or ICQ, and the site seemed to have legitimate functions for fans of its type, and hosted by the more-or-less respectable AOL. Still not sure that the site itself needs to be blocked for everyone, and if evildudes have found a way to use it sub rosa for C&C of botnets, for heaven's sake, tell the webmaster.

Still unaddressed is the issue of blocking by IP rather than by URL or domain name, when many legitimate sites change or rotate IPs, especially for load-balancing purposes for large sites with a global user base and multiple IPs.

Thanks for the additional resource information on Fire and the reminder of the possible misuse of legit sites. Seems it would be better if the list itself were more self-explanatory, but it was good to have additional calm and reasoned commentary. (I liked the disclaimer. ;) )
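
An added example, not part of the post above or of the FIRE project: one way to turn an IP-only blocklist into a self-describing one by attaching the reverse-DNS (PTR) name to each entry, instead of looking entries up one at a time. The one-IP-per-line layout, the function names and every sample entry other than 64.12.164.247 and its hostname (both quoted in the thread) are assumptions.

```python
import ipaddress
import socket

# Constructed sample. The "#" header lines follow the list header quoted
# earlier in the thread; one IP per line is an assumed layout.
SAMPLE_LIST = """\
# MaliciousNetworks.org IP Blocklist
# Generated on 2010-06-04
64.12.164.247
192.0.2.10
not-an-ip
"""

def ptr_lookup(ip):
    """Reverse-DNS (PTR) lookup; returns None when no name is published."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def annotate(blocklist_text, resolver=ptr_lookup):
    """Return (ip, hostname_or_None) for every valid IP line in the list."""
    rows = []
    for line in blocklist_text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            ip = str(ipaddress.ip_address(entry))
        except ValueError:
            continue  # skip malformed entries rather than guessing
        rows.append((ip, resolver(ip)))
    return rows

def render(rows):
    """Emit the list again with the owner hint as a trailing comment."""
    return "\n".join(f"{ip}  # {name or 'no PTR record'}" for ip, name in rows)

if __name__ == "__main__":
    # Offline stand-in for DNS (constructed); omit `resolver` to query live DNS.
    offline = {"64.12.164.247": "icq-mv02.coreweb.aol.com"}
    print(render(annotate(SAMPLE_LIST, resolver=offline.get)))
```

A PTR name is set by whoever controls the address block and can change when the IP is reassigned, so treat the annotation as a hint about the owner, not as proof of what is hosted there.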

Re: adblock subscriptions

Posted: Sun Jun 13, 2010 12:18 am
by bot drone
Tom T. wrote:
Guest wrote:
Tom T. wrote: I chose *one* IP randomly from the FIRE list, 64.12.164.247.

That traces to http://icq-mv02.coreweb.aol.com/ -- an ICQ site.
OK. But I'm not clear on a couple of things. One is that does that necessarily imply that merely visiting that site, as I did, automatically infects (or attempts to infect) one with malware?


Depends. ICQ sites on that IP are associated with at least some versions of what Kaspersky names the QiMiral IM worms, so some do get automatically infected there, apparently. http://www.kaspersky.co.uk/viruswatchli ... us=QiMiral For example, "A Worm is a malicious program that spreads itself without any user intervention." http://www.spywaredetector.net/spyware_ ... iral.l.htm

In addition to worm infections, ThreatExpert also has listed various malware associated with that IP, some may try to download files from it, while others may try to block connections to it http://www.threatexpert.com/reports.asp ... 12.164.247

Enjoy!