[Emerging-Sigs] Blackhole served via Yahoo

Martin Holste mcholste at gmail.com
Mon Dec 17 08:57:57 HAST 2012


We saw a kit alert on 98.139.135.21 and 98.139.135.22 with signatures like
Blackhole sig 1:2015487:9.  Passive DNS is showing lots of legit sites but
even more malicious DGA-style sites pointing to those IPs, so I'm
wondering if this is a simple matter of abusing Yahoo's hosting, or
something more complicated going on.  It's rare for us to see major sites
like Yahoo hosting malicious code (usually it's more like GoDaddy, The
Planet, etc.).  Is anyone else seeing hits for these?

Thanks,

Martin