Exploring the Blackhole exploit kit

A technical paper by Fraser Howard, SophosLabs, UK

4.4 Abuse of dynamic DNS & domain registration services

We have seen aggressive abuse of free domain registration services by Blackhole. There are many organisations that provide such services, and it is not uncommon for malware to abuse them. Some examples of where Blackhole has done this are shown in Table 6.

Table 6: Examples of domain registration abuse for the purpose of hosting Blackhole.

However, as you can see from Figure 15, the abuse of such services represents only a small percentage of active Blackhole sites.

Dynamic DNS services such as ddns.*, 1dumb.com (services provided by ChangeIP.com) and dlinkddns.com (service provided by D-Link) are also heavily abused by Blackhole. Some examples are listed in Table 7.

Table 7: Examples of dynamic DNS abuse for the purpose of hosting Blackhole.

There are many dynamic DNS services available, and abuse is widespread (certainly not limited to Blackhole). As the abuse continues, the reputation of all dynamic DNS services suffers. One possible benefit of this is that some of the providers may opt to deliver services with more rigorous screening of users and verification of how their service is being used.
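For defenders, one way to surface traffic to hosts under the dynamic DNS zones named above is to match proxy-log hostnames against those zones on label boundaries. This is an added example, not code from the paper or from SophosLabs; the log format, client addresses and hostnames are constructed, and reading `ddns.*` as "the label ddns under any TLD" is an assumption. A hit is a prompt for review, not a verdict on the host.

```python
from collections import Counter
from urllib.parse import urlsplit

# Zones named in the text. "ddns.*" is interpreted here (assumption) as the
# label "ddns" sitting directly under any top-level domain.
EXACT_ZONES = {"1dumb.com", "dlinkddns.com"}
WILDCARD_SLD = {"ddns"}

# Constructed sample: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2012-03-01T10:00:01Z 10.0.0.5 GET http://constructed-a.dlinkddns.com/index.html 200
2012-03-01T10:00:02Z 10.0.0.5 GET http://www.example.org/index.html 200
2012-03-01T10:00:07Z 10.0.0.9 GET http://constructed-b.ddns.info:8080/ 200
2012-03-01T10:00:09Z 10.0.0.9 GET http://CONSTRUCTED-C.1dumb.com./ 302
2012-03-01T10:00:11Z 10.0.0.7 GET http://x.notdlinkddns.com/ 200
2012-03-01T10:00:12Z 10.0.0.7 GET http://192.0.2.10/ddns.html 200
"""

def dyn_zone(host):
    """Return the dynamic DNS zone a hostname sits under, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Skip the provider's own bare zone and IPv4 literals.
    if len(labels) < 3 or all(l.isdigit() for l in labels):
        return None
    last2 = ".".join(labels[-2:])
    if last2 in EXACT_ZONES:          # whole-label match, so "notdlinkddns.com" fails
        return last2
    if labels[-2] in WILDCARD_SLD:
        return labels[-2] + ".*"
    return None

def flag(log_text):
    """Return (client, host, zone) for each request to a dynamic DNS host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                   # ignore malformed lines
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname or ""   # lower-cased, port stripped
        zone = dyn_zone(host)
        if zone:
            hits.append((client, host.rstrip("."), zone))
    return hits

def per_client(hits):
    """Count flagged requests per client to prioritise review."""
    return Counter(client for client, _, _ in hits)

if __name__ == "__main__":
    for hit in flag(SAMPLE_LOG):
        print(*hit)
```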
