Tracking malicious activity is a crucial part of what SophosLabs do each day.
Tracking the threats gives us visibility into how computers are being infected and where threats are actually coming from.
The data gathered is used to drive some of the reputation filtering technologies that our products provide in order to keep Sophos’s customers safe.
The data also enables us to spot new tricks, techniques or tactics being used by attackers. For example, we have recently observed a spate of .eu domain registration abuse.
Numerous malicious .eu domains have been registered during November which are being used to infect PCs with malware via the Blackhole exploit kit. Here are some examples:
owzshm.eu
mpxuth.eu
ngpsjy.eu
wlwhhz.eu
jhzopj.eu
jqwwgm.eu
pmgugq.eu
jkiwhy.eu
nrxpxq.eu
vjtjpy.eu
xzjvhs.eu
xipuww.eu
kngipu.eu
ptkqzo.eu
pyrhox.eu
The domains all resolve to the same IP address, a server located in the Czech Republic.
They are short-lived; the names only resolve to the target server for a brief period before the attackers move on to the next.
This type of tactic is pretty common, used by many threats in their attempts to evade security filtering.
Normally, however, it is TLDs other than .eu that are abused.
Digging a little further into the WHOIS information for these registrations reveals an interesting observation: a Finnish connection, based on the registrant details provided.
We can go back a few more months and see a similar spate of activity, again used for Blackhole hosting, but on .in domains.
zjmnwv.in
yyssyr.in
wkhmyk.in
hwhjgj.in
As you can see, the domain names follow the same 6-character, seemingly random pattern.
Looking at the WHOIS information for some of these again throws up our Finnish connection!
And guess what? When active, these .IN domain names resolved to the very same IP address as above!
And what of this IP address? It has something of a long history of questionable activity, extending over many months. It currently hosts over 100 domains, whose purpose ranges from porn site gateways (referenced in spam) through to exploit sites.
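The dots joined above (a 6-letter, random-looking label; a shared hosting IP; a shared WHOIS registrant; names that resolve only briefly) can be turned into a small pivoting script. The following is an added example, not SophosLabs code. Only the domain names are taken from the post; the passive-DNS observations, their dates, the IP (an RFC 5737 documentation address standing in for the Czech server) and the registrant string are constructed for illustration.

```python
"""Link short-lived, randomly named domains through shared infrastructure.

Added example. EU_DOMAINS and IN_DOMAINS are the names from the post; the
PDNS observations, their dates, the IP address and the WHOIS registrant
value below are constructed, not real data.
"""
import re
from collections import defaultdict
from datetime import date

EU_DOMAINS = [
    "owzshm.eu", "mpxuth.eu", "ngpsjy.eu", "wlwhhz.eu", "jhzopj.eu",
    "jqwwgm.eu", "pmgugq.eu", "jkiwhy.eu", "nrxpxq.eu", "vjtjpy.eu",
    "xzjvhs.eu", "xipuww.eu", "kngipu.eu", "ptkqzo.eu", "pyrhox.eu",
]
IN_DOMAINS = ["zjmnwv.in", "yyssyr.in", "wkhmyk.in", "hwhjgj.in"]

VOWELS = set("aeiou")
RARE_LETTERS = set("jqxz")
SIX_LETTERS = re.compile(r"^[a-z]{6}$")


def lexical_reasons(domain):
    """Heuristic reasons a 6-letter second-level label looks machine-generated.

    Returns [] for labels that are not exactly six lowercase letters, or that
    look pronounceable. This is a cheap filter, not a classifier: a real word
    such as 'quartz' would also trip it, so it is only a pivot starting point.
    """
    label = domain.split(".")[0]
    if not SIX_LETTERS.match(label):
        return []
    reasons = []
    vowels = sum(ch in VOWELS for ch in label)
    if vowels <= 1:
        reasons.append("few vowels")
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", label)), default=0)
    if longest_run >= 3:
        reasons.append("consonant run >= 3")
    if vowels <= 2 and RARE_LETTERS & set(label):
        reasons.append("rare letters with few vowels")
    return reasons


# Constructed passive-DNS observations: (domain, ip, first_seen, last_seen).
# 198.51.100.7 is a documentation address; dates are invented so that each
# malicious name resolves for about a day, as the post describes.
PDNS = [
    (d, "198.51.100.7", date(2012, 11, 1 + i), date(2012, 11, 2 + i))
    for i, d in enumerate(EU_DOMAINS)
] + [
    (d, "198.51.100.7", date(2012, 8, 3 + i), date(2012, 8, 4 + i))
    for i, d in enumerate(IN_DOMAINS)
] + [
    # Constructed benign control: long-lived, different IP, different registrant.
    ("sophos.com", "203.0.113.10", date(2010, 1, 1), date(2012, 11, 30)),
]

# Constructed WHOIS registrant field; the post only says it points to Finland.
WHOIS = {d: "registrant-fi@example.net" for d in EU_DOMAINS + IN_DOMAINS}
WHOIS["sophos.com"] = "hostmaster@example.com"


def by_ip(records):
    """Group observed domains by the IP they resolved to."""
    groups = defaultdict(set)
    for domain, ip, _, _ in records:
        groups[ip].add(domain)
    return groups


def short_lived(records, max_days=7):
    """Domains whose observed resolution window is at most max_days long."""
    return {d for d, _, first, last in records if (last - first).days <= max_days}


def link_campaign(records, whois, max_days=7):
    """Cluster domains that share an IP, a registrant and a short lifetime.

    Each cluster also reports which members trip the lexical heuristic, so an
    analyst can see how much the infrastructure pivot adds over name-shape alone.
    """
    ip_groups = by_ip(records)
    reg_groups = defaultdict(set)
    for domain, registrant in whois.items():
        reg_groups[registrant].add(domain)
    ephemeral = short_lived(records, max_days)

    clusters = []
    for ip, domains in ip_groups.items():
        for registrant, reg_domains in reg_groups.items():
            linked = domains & reg_domains & ephemeral
            if len(linked) >= 2:
                clusters.append({
                    "ip": ip,
                    "registrant": registrant,
                    "domains": sorted(linked),
                    "tlds": sorted({d.rsplit(".", 1)[1] for d in linked}),
                    "lexical_hits": sorted(d for d in linked if lexical_reasons(d)),
                })
    return clusters


if __name__ == "__main__":
    for cluster in link_campaign(PDNS, WHOIS):
        print(cluster["ip"], cluster["registrant"], cluster["tlds"],
              len(cluster["domains"]), "domains,",
              len(cluster["lexical_hits"]), "lexical hits")
```

With the constructed records, the script produces a single cluster spanning both the .eu and .in names while leaving the benign control out, which is exactly the cross-TLD linkage the post describes; in practice the lexical filter is what you would run over a registrar's daily zone additions, and the IP and registrant pivots are what turn isolated odd-looking names into a campaign.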
This episode raises an important question. Is there more that Registrars could or should be doing to prevent the bad guys abusing their services?
Some of the very same techniques that we use to join the dots between data, linking attacks and highlighting malicious activity could be very useful to Registrars attempting to block malicious activity earlier.
History tells us that the European domain name registry, EURid, is no stranger to decisive action when it comes to protecting the reputation of the TLD.
I have reported the current spate of abuse to the appropriate people, so time will tell how effectively they can snuff out this activity.
Dude, you rock! There should be more people like you doing this and reporting these malicious sites. GREAT JOB!
Nice report. These cyber criminals have the greatest strategies and tactics. Too bad they can't or won't put it to white hat services. Thanks for the help. It assists me in explaining these tactics to people when I remove malicious malware.