Adobe have just announced yet another Zeroday Flash etc. exploit that has been seen in the wild in emailed Microsoft Word documents. The document installs the usual sort of backdoor trojan.
According to Mila Parkour, who reported it to Adobe, something, presumably the backdoor, then attempts to call back to a dyn-dns name (liciayee.dyndns-free.com). That name used to point to 123.123.123.123 (it now seems to be pointing to local host in most public DNS systems) which is an interesting IP address. As we have said many times before, bad IP addresses are often reused and this one is no exception. When I plugged it into our IP reputation database it showed up the following (as well as the information that the IP address is in China):
First Identified | Most Recently active | Present in the following feeds: |
2008-01-30 00:00:52 2009-07-18 17:01:32 2010-12-06 10:00:03 |
2008-02-06 22:00:50 2009-09-16 17:30:04 2011-04-12 00:00:11 |
SSH_CRACKER Parasites, Hijackers and Spyware Domains Russian Business Network |
We can learn two things from this. The first is that this address has a history of bad behavior (SSH cracker, spyware domain etc.) and the second (and possibly more critical one) is that it has been blocked by ThreatSTOP since December as it was identified then as part of the 'Russian Business Network'. That means any recipient of the email whose firewall was running ThreatSTOP was protected by this zeroday - and by any other exploit that happened to try and call back to this IP address.
Now it's a good thing to run AV and update your Flash when a patch is released and so on, but none of these tools can protect against all zerodays - in fact by definition they won't protect - so having an orthogonal protection mechanism is a good idea. IP reputation is precisely this orthogonal view of the problem and ThreatSTOP can get you protected in about an hour.