Author Topic: YES Exploit System 2.0 checks if a site is already listed at MDL  (Read 14571 times)


September 02, 2009, 08:42:31 pm

SysAdMini

  • Administrator
  • Hero Member

http://translate.google.com/translate?prev=hp&hl=en&js=y&u=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26source%3Dweb%26ct%3Dres%26cd%3D5%26url%3Dhttp%253A%252F%252Fwww.hack-info.ru%252Fshowthread.php%253Fp%253D310457%26ei%3DpNeeSprWB4b6_AaE-N39Cw%26usg%3DAFQjCNEUo9EV4haXWSPZ4cKBrjhzWIii1w&sl=ru&tl=en&history_state0=

Quote
Check: auto-check of the Malware Domain List for the presence of your "white" IP address / domain in the malware lists. If your IP address / domain is found in the list, you are notified.
Ruining the bad guy's day

September 02, 2009, 11:40:19 pm
Reply #1

CkreM

  • Special Access
  • Hero Member

Mal-Aware

September 04, 2009, 03:36:20 pm
Reply #2

RS-232

  • Special Access
  • Sr. Member

...why amazing? It's a 100% retard idea, seems to me they've probably run out of 0-day exploits, in order to sell out their newer packs...
There are at least 10 extra lists they could make use of... and in all cases, all they would succeed in would be to become more easily traceable...  8)

PS: ...maybe next time they should use Google's Safe Browsing API, lmao...  :D
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

September 04, 2009, 05:54:03 pm
Reply #3

CkreM

  • Special Access
  • Hero Member

It's not a retard idea at all.

If it's on MDL then they know it's public and might get shut down very soon,
so they switch everything...
Mal-Aware

September 05, 2009, 02:49:23 am
Reply #4

RS-232

  • Special Access
  • Sr. Member

...sorry if I sounded harsh in my comment above - that wasn't my goal...  :(
No matter if the data from the various blacklists is partially available to the public,
they will certainly still find their way without any delay to ISPs, security companies,
browser developers and the appropriate legal entities of course...  8)
Thereby the chances they get shut down (or at least blocked by various products)
are more or less the same, no matter if, apart from the various individual researchers,
exploit pack developers can also see part of this data in public view or not, heh...

Publicity obviously plays a very effective role, but that's just only in the final end, so to say...
i.e. when it comes to specific cases of really 'dirty' players, say like it happened with Zlkon.lv or Atrivo,
but even in such cases, most of the data was already known to the security community, one way or another...

PS: In short, I believe that exploit pack developers really over-estimate MDL's publishing of domains,
especially since various blocklists already existed way before, although in a quite different way....
Meaning, even if MDL was turned "invisible" for the wide public, they would still get the same effects,
they can rest assured of that... you simply cannot make a domain "fud"...  ::)  ;)
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

September 18, 2009, 08:23:14 am
Reply #5

SysAdMini

  • Administrator
  • Hero Member

Now Malwareurl.com has been added too.

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26source%3Dweb%26ct%3Dres%26cd%3D7%26url%3Dhttp%253A%252F%252Fforum.blackhack.ru%252Fshowthread.php%253Fp%253D29411%26ei%3DXEKzSpulNYmF_AbT67zODQ%26usg%3DAFQjCNHymBXwt__DMvA_c6plA9QA2iZfOw

Quote
An update to version 2.0.2
What's new:
1. Added auto-check of the domain on McAfee TrustedSource;
2. Added auto-check of the domain on MalwareURL;
3. Added BDS cleaning of 16 September;
4. Added an alternative redirect link;
5. Added a new exploit;
6. Changed 1 exploit, it now serves to "finish off" downloads;
7. Reworked ms09-002;
8. Cleaned (replaced with a new one) the PDF loader (cleaning of 16 September);
9. Optimized delivery;
10. Added additional shellcode obfuscation;
11. Bugfix for YES Stats Viewer.
Ruining the bad guy's day

September 20, 2009, 04:16:55 am
Reply #6

.rt

  • Newbie


September 20, 2009, 07:44:38 pm
Reply #7

SysAdMini

  • Administrator
  • Hero Member

Dear YES exploit kit programmers,

I think you have misunderstood how to query our list.
Why do you query a domain but send an IP as a parameter?
Why do you send a domain name when you query an IP address?

It doesn't work this way:
Code:
210.51.10.189 - - [20/Sep/2009:11:54:42 -0400] "GET /mdl.php?search=morde.su&colsearch=IP&quantity=50 HTTP/1.0" 200 5648 "-" "-"
210.51.10.189 - - [20/Sep/2009:11:56:51 -0400] "GET /mdl.php?search=morde.su&colsearch=IP&quantity=50 HTTP/1.0" 200 5648 "-" "-"
210.51.10.189 - - [20/Sep/2009:11:58:21 -0400] "GET /mdl.php?search=morde.su&colsearch=IP&quantity=50 HTTP/1.0" 200 5648 "-" "-"

Code:
210.51.10.189 - - [20/Sep/2009:11:50:02 -0400] "GET /mdl.php?search=210.51.10.184&colsearch=Domain&quantity=50 HTTP/1.0" 200 5837 "-" "-"
210.51.10.189 - - [20/Sep/2009:11:51:57 -0400] "GET /mdl.php?search=210.51.10.184&colsearch=Domain&quantity=50 HTTP/1.0" 200 5837 "-" "-"
210.51.10.189 - - [20/Sep/2009:11:52:46 -0400] "GET /mdl.php?search=210.51.10.184&colsearch=Domain&quantity=50 HTTP/1.0" 200 5837 "-" "-"
210.51.10.189 - - [20/Sep/2009:11:53:41 -0400] "GET /mdl.php?search=210.51.10.184&colsearch=Domain&quantity=50 HTTP/1.0" 200 5837 "-" "-"
This way it will work.

http://www.malwaredomainlist.com/mdl.php?search=morde.su&colsearch=Domain&quantity=50

http://www.malwaredomainlist.com/mdl.php?search=210.51.10.184&colsearch=IP&quantity=50
Hope it helps
Ruining the bad guy's day
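A defender-side check for the misuse described in this post (an added example, not code from MDL or from anyone in the thread): it parses access-log lines like the ones quoted above, flags /mdl.php lookups whose colsearch column contradicts the type of the search value, and counts clients that poll the list repeatedly. The sample log lines are constructed from the excerpts above; 198.51.100.7 is a made-up second client.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Apache combined-format prefix: client, timestamp, request line, status (constructed regex).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(value):
    """'IP' if the search value parses as an IPv4/IPv6 address, otherwise 'Domain'."""
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        return "Domain"

def parse_mdl_query(line):
    """Return (client, search, colsearch) for a /mdl.php request, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    if url.path != "/mdl.php":
        return None
    qs = parse_qs(url.query)
    return m.group("ip"), qs.get("search", [""])[0], qs.get("colsearch", [""])[0]

def find_mismatched_lookups(lines):
    """Lookups whose colsearch column contradicts the type of the search value (IP vs domain)."""
    hits = []
    for rec in map(parse_mdl_query, lines):
        if rec and rec[2] in ("IP", "Domain") and classify(rec[1]) != rec[2]:
            hits.append(rec)
    return hits

def clients_polling(lines, threshold=3):
    """Clients with at least `threshold` /mdl.php lookups: a repeated, automated-check signal."""
    counts = Counter(rec[0] for rec in map(parse_mdl_query, lines) if rec)
    return {client: n for client, n in counts.items() if n >= threshold}

# Constructed sample modelled on the access-log excerpts quoted in the post; 198.51.100.7 is made up.
SAMPLE = [
    '210.51.10.189 - - [20/Sep/2009:11:54:42 -0400] "GET /mdl.php?search=morde.su&colsearch=IP&quantity=50 HTTP/1.0" 200 5648 "-" "-"',
    '210.51.10.189 - - [20/Sep/2009:11:50:02 -0400] "GET /mdl.php?search=210.51.10.184&colsearch=Domain&quantity=50 HTTP/1.0" 200 5837 "-" "-"',
    '210.51.10.189 - - [20/Sep/2009:11:52:46 -0400] "GET /mdl.php?search=210.51.10.184&colsearch=Domain&quantity=50 HTTP/1.0" 200 5837 "-" "-"',
    '198.51.100.7 - - [20/Sep/2009:12:01:00 -0400] "GET /mdl.php?search=morde.su&colsearch=Domain&quantity=50 HTTP/1.0" 200 5648 "-" "-"',
    '198.51.100.7 - - [20/Sep/2009:12:02:00 -0400] "GET /index.php HTTP/1.0" 200 1024 "-" "-"',
]
```

Running `find_mismatched_lookups(SAMPLE)` returns the three mis-parameterised queries from 210.51.10.189, and `clients_polling(SAMPLE)` reports that client as a repeated poller while the well-formed single lookup from 198.51.100.7 passes both checks.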

September 20, 2009, 10:05:51 pm
Reply #8

cleanmx

  • Special Members
  • Hero Member

  • Spam filter, anti-spam, virus protection - CLEAN MX Managed Anti-Spam Service is the solution for your spam problem
cooooooooooooooooooooooooooolllllllllllllllllllllllllllllll

rofl.....


September 21, 2009, 04:02:12 am
Reply #9

.rt

  • Newbie

SysAdMini, you asshole :(
Now I'm making a generator to create "dynamic" queries ...
P.S: "[20/Sep/2009:11:54:42 -0400] "GET /mdl.php?search=morde.su&colsearch=IP&quantity=50", it's a beta version, someone hasn't updated :(

September 21, 2009, 11:16:54 am
Reply #10

SysAdMini

  • Administrator
  • Hero Member

Quote
SysAdMini, you asshole :(
Now I'm making a generator to create "dynamic" queries ...
P.S: "[20/Sep/2009:11:54:42 -0400] "GET /mdl.php?search=morde.su&colsearch=IP&quantity=50", it's a beta version, someone hasn't updated :(

Oh, I'm surprised. I didn't expect an answer.
Ruining the bad guy's day

September 21, 2009, 03:04:55 pm
Reply #11

.rt

  • Newbie

))))
Now the system does IP checks ... domains only ...
P.S: thx

September 21, 2009, 03:23:00 pm
Reply #12

SysAdMini

  • Administrator
  • Hero Member

Quote
))))
Now the system does IP checks ... domains only ...
P.S: thx

Was today's DDoS your job? It started immediately after your last posting in the morning.

Ruining the bad guy's day

September 21, 2009, 03:30:58 pm
Reply #13

.rt

  • Newbie

It's a test ... sorry )
P.S: Hello secureblog.info :)

September 21, 2009, 03:51:13 pm
Reply #14

Serg

  • Special Members
  • Sr. Member
