Dynamic DNS and Botnet of Zombie Web Servers

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among “leaders”.

- They started with gambling-related .cn domains (like cheapslotplay .cn).
- They introduced several new domains names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
- They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
- They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80).
- In the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
- And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.

Here are the details.

As always, it began when I started to notice a new pattern in domains of hidden iframes in Unmask Parasites reports.

Read more
http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/

Anthony and SysAdMini have also been posting a slew of these to Malware Domain List;

http://www.malwaredomainlist.com/forums/index.php?topic=3309