<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>There is some nasty <a href="http://www.f-secure.com/weblog/archives/00002172.html">Facebook-spread malware going around</a> at the moment. F-Secure states that the malware infects users in the US and UK and affects both Mac and PC users.</p> <!--more--><p>According to F-Secure's report (linked above), the malware is downloaded (after the usual series of redirects) from <strong>newtubes.in</strong>. This domain resolves to the address 77.79.11.91; the name servers for the domain are that same address (77.79.11.91) and 95.215.140.242. I'm pleased, but unsurprised, to note that both of these IP addresses are already blocked by ThreatSTOP, as they are in the RBN feed and have been for at least a month.</p> <p>It is worth noting that a number of domains also point to this IP address: various subdomains of newtubes.in, as well as subdomains of finetube.in and goldtube.in, and the single domain www.getmonclerjackets.com. I'm pretty sure that all of them are malware droppers, so this is a good illustration that blocking the IP address is more efficient than dropping the DNS name lookups.</p></span>