Full disclosure deep technical analysis below. Beware!!!

Jan 22, 2010

IE 0day CVE-2010-0249 – Blocking and Tracking

Here are some suggested actions to block and track the initial use of CVE-2010-0249 in “Operation Aurora” and its current use in mass exploitation (thanks to Extraexploit for the additional ones).
Operation Aurora Domain List
  • yahooo.8866.org
  • sl1.homelinux.org
  • 360.homeunix.com
  • li107-40.members.linode.com
  • ftp2.homeunix.com
  • update.ourhobby.com
  • blog1.servebeer.com
CVE-2010-0249 in mass exploitation
Proxy Filtering and DNS Query Tracking (exact and less restrictive)
… exploiter and 2nd-stage hosting domain list

Proxy Filtering and DNS Query Tracking (wide and more restrictive; can also block newly registered hosts)
… exploiter and 2nd-stage hosting

  • *.3322.org
  • *.6600.org
  • *.7766.org
  • *.8866.org
or better
  • REGEXP .*\.\d{4}\.org.*

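The two tiers above (exact hostnames for alerting, wildcards and the `\d{4}\.org` regex for wide blocking) applied to DNS query logs, as an added example that is not part of the original post. Only a few hostnames from the post are used; the BIND-style log lines, the client addresses and the function names are constructed for this example.

```python
import re
from fnmatch import fnmatch

# Exact hostnames taken from the post's Operation Aurora list (a subset).
EXACT_BLOCKLIST = {
    "yahooo.8866.org",
    "sl1.homelinux.org",
    "360.homeunix.com",
    "update.ourhobby.com",
}

# Wide patterns from the post: shell-style wildcards for the dynamic-DNS
# providers used as exploit/2nd-stage hosts, plus the catch-all regex.
# The regex is deliberately broad and will also match legitimate domains
# with a four-digit .org label, so treat "wide" hits as block-and-review.
WIDE_WILDCARDS = ["*.3322.org", "*.6600.org", "*.7766.org", "*.8866.org", "*ms8.cc"]
WIDE_REGEX = re.compile(r".*\.\d{4}\.org.*")


def classify(hostname):
    """Return 'exact', 'wide' or None for a queried hostname."""
    host = hostname.lower().rstrip(".")  # normalise case and trailing dot
    if host in EXACT_BLOCKLIST:
        return "exact"
    if any(fnmatch(host, pat) for pat in WIDE_WILDCARDS) or WIDE_REGEX.match(host):
        return "wide"
    return None


# BIND-style query log format; the sample lines below are constructed.
QUERY_LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

SAMPLE_LOG = [
    "22-Jan-2010 10:15:02.123 client 10.0.0.5#51234: query: yahooo.8866.org IN A +",
    "22-Jan-2010 10:15:03.456 client 10.0.0.9#40001: query: www.example.com IN A +",
    "22-Jan-2010 10:15:04.789 client 10.0.0.7#41000: query: xx.7766.org IN A +",
]


def scan_query_log(lines):
    """Return (client, qname, match_kind) for every query that hits the lists."""
    hits = []
    for line in lines:
        m = QUERY_LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        kind = classify(qname)
        if kind:
            hits.append((m.group("client"), qname, kind))
    return hits
```

Exact hits identify clients that resolved a known Aurora host and warrant incident handling; wide hits point at the dynamic-DNS providers and should be blocked at the proxy and reviewed for false positives.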
Updated 28/1/2010 18.00 GMT+1 
