Thursday 20 March 2014

Something evil on 66.96.195.32/27

Another bad bunch of IPs hosted by Network Operations Center in Scranton, following on from yesterday. This time it is 66.96.195.32/27, which seems to be more of the same thing.

The exploit kit in question is the Goon EK, as shown in this URLquery report. It seems that it spreads by malicious SWF files being injected into legitimate websites (I think this one, for example).

The easiest thing to do would be to block traffic to 66.96.195.32/27, but I can see malicious websites active in that range (all on 66.96.195.49).

Experience with this particular type of exploit kit shows that the bad guys will rotate IPs in the block, so blocking the entire /27 is advised.

At present that consists of just three domains to block, although I suspect there will be more:

akovikisk.com
alessakyndraenho.com
hotspotingtram.org
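
A defender-side check for the advice above, as an added example that is not part of the original post: it flags proxy log entries whose destination IP falls anywhere in 66.96.195.32/27 or whose hostname sits under one of the three listed domains. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Netblock and domains taken from the post.
BAD_NET = ipaddress.ip_network("66.96.195.32/27")
BAD_DOMAINS = ("akovikisk.com", "alessakyndraenho.com", "hotspotingtram.org")

# Constructed sample proxy log (assumed format: client, requested host, resolved IP).
SAMPLE_LOG = """\
10.0.0.5 x1.akovikisk.com 66.96.195.49
10.0.0.7 www.example.org 192.0.2.10
10.0.0.9 new.example.net 66.96.195.40
10.0.0.5 a.hotspotingtram.org 198.51.100.7
10.0.0.8 notakovikisk.com 203.0.113.9
10.0.0.6 cdn.example.com 66.96.195.64
"""

def host_matches(host, domains=BAD_DOMAINS):
    """True if host is a listed domain or a subdomain of one (label-aligned match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def ip_matches(ip, net=BAD_NET):
    """True if ip parses and lies inside the blocked network."""
    try:
        return ipaddress.ip_address(ip) in net
    except ValueError:
        return False

def scan(log_text):
    """Return (client, host, ip, reasons) for each line that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, host, ip = parts
        reasons = []
        if ip_matches(ip):
            reasons.append("ip-in-/27")
        if host_matches(host):
            reasons.append("domain")
        if reasons:
            hits.append((client, host, ip, reasons))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit[:3], ",".join(hit[3]))
```

The third sample line shows why the whole /27 matters: an unlisted hostname on a different address in the block is still caught, while 66.96.195.64, one address past the end of the range, is not.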