[Emerging-Sigs] Blackhole served via Yahoo

Lay, James james.lay at wincofoods.com
Mon Dec 17 13:40:06 HAST 2012


This may explain a bit:

http://www.itworld.com/endpoint-security/328299/egyptian-hacker-claims-find-yahoo-vulnerabilities

James

 

From: emerging-sigs-bounces at lists.emergingthreats.net
[mailto:emerging-sigs-bounces at lists.emergingthreats.net] On Behalf Of
Martin Holste
Sent: Monday, December 17, 2012 11:58 AM
To: Emerging Threats Signatures
Subject: [Emerging-Sigs] Blackhole served via Yahoo

 

We saw a kit alert on 98.139.135.21 and 98.139.135.22 with signatures
like Blackhole sig 1:2015487:9.  Passive DNS is showing lots of legit
sites but even more malicious DGA-style sites pointing to those IPs, so
I'm wondering if this is a simple matter of abusing Yahoo's hosting, or
something more complicated going on.  It's rare for us to see major
sites like Yahoo hosting malicious code (usually it's more like GoDaddy,
The Planet, etc.).  Is anyone else seeing hits for these?

Thanks,

Martin
