Exploring the Blackhole exploit kit

A technical paper by Fraser Howard, SophosLabs, UK

Table of contents

← Prev | Next →

4.4 Abuse of dynamic DNS & domain registration services

We have seen aggressive abuse of free domain registration services by Blackhole. There are many organisations that provide such services, and it is not uncommon for malware to abuse them. Some examples of where Blackhole has done this are shown in Table 6.

Table 6

Table 6: Examples of domain registration abuse for the purpose of hosting Blackhole.

However, as you can see from Figure 15, the abuse of such services represents only a small percentage of active Blackhole sites.

Dynamic DNS services such as ddns.*, 1dumb.com (services provided by ChangeIP.com) and dlinkddns.com (service provided by D-Link) are also heavily abused by Blackhole. Some examples are listed in Table 7.

Table 7

Table 7: Examples of dynamic DNS abuse for the purpose of hosting Blackhole.

There are many dynamic DNS services available, and abuse is widespread (certainly not limited to Blackhole). As the abuse continues, the reputation of all dynamic DNS services suffers. One possible benefit of this is that some of the providers may opt to deliver services with more rigorous screening of users and verification of how their service is being used.

Table of contents

← Prev | Next →

What do you think?