Abuse of .EU domains by malware gangs continues despite Registrar notification

A couple of weeks ago I wrote about how we had been seeing a jump in the number of malicious .EU domain registrations, for the purpose of infecting users via drive-by downloads using an exploit kit.

In that post, I raised two important questions:

  • Is there more that Registrars could or should be doing to prevent the bad guys abusing their services?
  • How effectively, once the appropriate people have been informed about the abuse, will the activity be stamped out?

We also received several questions asking how much abuse we were seeing on .EU sites.

In this post, I will try to answer these queries.

Let’s start with how much abuse we have seen in .EU over the past 13 months.

The graph below shows the monthly count of malware that we have blocked on customer web appliances during that time.

It shows a dramatic spike in activity in November 2012 (corresponding to the drive-by attacks described in the previous article).

Threats hosted on .eu TLD blocked by Sophos Web Appliances

When I reported this abuse to the Registrar, I was careful to describe how short-lived the malicious .EU domains are:

From what I have seen so far, these domain names are only briefly "alive" in terms of DNS resolution, before they switch to the next hostname.

New domains are being abused each day, so I would be interested to hear from you if you are able to use the characteristics of the above registrations to spot new malicious ones that you will most likely see in coming days.

As noted previously, there was some curious Finnish connection between all of the Registrant details used. I included this information (with examples) in my abuse report, and pointed out that the domains always seemed to be six characters in length.

All in all, I felt there was enough information provided to put in place some checks to nip this activity in the bud. Or, at the very least, to force the attackers to change their strategy.
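The registration characteristics reported above (six-character .EU labels, Finnish registrant details, a Yahoo! contact address, and domains that go live only briefly) are exactly the kind of signal a Registrar could score at registration time. The following is an added example, not code from the post or from Sophos, of a small triage script that applies those checks to new registrations; the record format, the weights and the alert threshold are assumptions, and the sample records are constructed.

```python
"""Heuristic triage of new .EU registrations.

Scores each record on the characteristics described in the post.  The
registration format, the weights and the threshold are assumptions chosen
for illustration; the sample records are constructed, not real WHOIS data.
"""
import re
from dataclasses import dataclass


@dataclass
class Registration:
    domain: str               # e.g. "abcdef.eu"
    registrant_country: str   # ISO 3166-1 alpha-2, e.g. "FI"
    registrant_email: str


# Assumed weights: no single trait is conclusive, so an alert needs several.
WEIGHTS = {
    "eu_tld": 1,
    "six_char_label": 2,
    "finnish_registrant": 2,
    "yahoo_contact": 1,
}
ALERT_THRESHOLD = 5  # assumption: six-char .eu label plus Finnish registrant at minimum


def score_registration(reg: Registration):
    """Return (score, matched_flags) for one registration record."""
    flags = []
    domain = reg.domain.lower().rstrip(".")
    if domain.endswith(".eu"):
        flags.append("eu_tld")
        label = domain[: -len(".eu")]
        # The post notes the abused domains were always six characters long.
        if re.fullmatch(r"[a-z0-9]{6}", label):
            flags.append("six_char_label")
    if reg.registrant_country.strip().upper() == "FI":
        flags.append("finnish_registrant")
    if reg.registrant_email.strip().lower().endswith("@yahoo.com"):
        flags.append("yahoo_contact")
    return sum(WEIGHTS[f] for f in flags), flags


def triage(registrations):
    """Return the domains whose score reaches the alert threshold, with details."""
    alerts = []
    for reg in registrations:
        score, flags = score_registration(reg)
        if score >= ALERT_THRESHOLD:
            alerts.append((reg.domain, score, flags))
    return alerts


# Constructed sample records (not real registrations).
SAMPLE = [
    Registration("abcdef.eu", "FI", "someone@yahoo.com"),   # matches every trait
    Registration("example.eu", "FI", "someone@yahoo.com"),  # label is not six chars
    Registration("ghijkl.eu", "DE", "someone@yahoo.com"),   # not a Finnish registrant
    Registration("mnopqr.eu", "FI", "someone@example.org"), # six chars and Finnish
]

if __name__ == "__main__":
    for domain, score, flags in triage(SAMPLE):
        print(f"ALERT {domain}: score={score} flags={flags}")
```

A Registrar running something like this on each day's new registrations would hold the flagged domains for manual review rather than block them outright, since each trait on its own is common; the point is that the combination the post describes is rare enough to be worth a second look.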

The reply to my abuse report was thankfully from a human, not an automated reply.

However, it was brief, and did not convince me that they were going to do anything more than put my example domains on a blocklist. (All those domains were already inactive and harmless by then.)

Looking at the latest data seems to support this fear.

The daily volume of this Cool exploit kit (CoolEK) appears to have changed little since my abuse report.

Daily volume of CoolEK exploit kit blocked on customer endpoints

Peeking at the WHOIS information for a couple of recent domains, we can see the Finnish connection is still there, as is the Yahoo! email address.

WHOIS registration details

WHOIS registration details

The “What do you do to help disrupt attacks and get bad stuff taken offline?” question is one that SophosLabs personnel have to field regularly.

There is no silver bullet, but improved information sharing between organisations is clearly an important part of what needs to happen.

However, as this case illustrates, a proper understanding of the information and using it in some meaningful way is also necessary.

I will again contact Domain Robot, the German Registrar that has been exploited in this case, and try to explain more clearly what is happening. Perhaps, then, something will be done to thwart the attacks.

Here’s hoping.

EU Flag image from Shutterstock.