ThreatSTOP Blocking New Facebook Malware

There is some nasty Facebook spread malware going around at the moment. F-Secure states that the malware infects users in the US and UK and applies to both Mac and PC users.

According to F-Secure's report (linked above) the malware is downloaded (after the usual series of redirects) from newtubes.in. This domain resolves to the address 77.79.11.91 (name servers for the domain itself (77.79.11.91) and 95.215.140.242). I'm pleased, but unsurprised, to note that both these IP addresses are already blocked by ThreatSTOP as they are in the RBN feed and have been for at least a month.

It is worth noting that a number of domains also point to this IP address - various subdomains of newtubes.in as well as subdomains of finetube.in and goldtube.in and the single domain www.getmonclerjackets.com. I'm pretty sure that all of them are malware droppers so this is a good illustration that the blocking of the IP address is more efficient than the dropping of the DNS name lookups.

Share this: