Blog for hpHosts, and whatever else I feel like writing about ....

Saturday, 12 September 2009

Dynamic DNS and Botnet of Zombie Web Servers

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among the “leaders”.

- They started with gambling-related .cn domains (like cheapslotplay .cn).
- They introduced several new domain names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
- They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
- They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80).
- At the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
- And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.
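Because the attackers rotate domains daily, a scanner cannot rely on a fixed blocklist; it has to key on the structural indicators listed above instead. The following is an added example, not code from hpHosts or Unmask Parasites: it pulls hidden iframes out of a page and tags each one with the indicators this post describes (port 8080, 3-letter second-level domains on the listed TLDs, a third-level host under a dynamic DNS provider, and the known campaign names used as URL parameters). The dynamic DNS suffixes and the sample HTML are constructed placeholders; the post names no provider, so a defender would substitute their own list.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post: campaign names used as iframe URL parameters,
# the non-standard port, and the 3-letter second-level domains on these TLDs.
CAMPAIGN_NAMES = {"mozila", "banner", "cocacola", "pepsi", "open", "reopen", "income"}
SHORT_DOMAIN_TLDS = {"ru", "pl", "in", "at"}
SUSPECT_PORT = 8080
# Assumption: placeholder free dynamic-DNS suffixes. The post names no provider,
# so replace these with your own list of dynamic DNS zones.
DYNDNS_SUFFIXES = ("dyndns-provider.example", "free-ddns.example")

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
STYLE_RE = re.compile(r"""style\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.IGNORECASE)


def is_hidden(attrs):
    """True if the iframe's attributes make it invisible to a visitor:
    display:none, visibility:hidden, or zero/one-pixel dimensions."""
    style = STYLE_RE.search(attrs)
    if style:
        s = style.group(1).replace(" ", "").lower()
        if "display:none" in s or "visibility:hidden" in s:
            return True
        if re.search(r"(width|height):[01]px", s):
            return True
    dims = {k.lower(): int(v) for k, v in DIM_RE.findall(attrs)}
    return any(dims.get(d, 100) <= 1 for d in ("width", "height"))


def find_hidden_iframes(html):
    """Return the src URLs of every iframe that is styled to be invisible."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1)
        src = SRC_RE.search(attrs)
        if src and is_hidden(attrs):
            found.append(src.group(1))
    return found


def url_indicators(url):
    """Return the list of indicators from the post that this URL matches."""
    reasons = []
    p = urlparse(url if "://" in url else "http://" + url)
    host = (p.hostname or "").lower()
    labels = host.split(".")
    if p.port == SUSPECT_PORT:
        reasons.append("port 8080")
    # A bare 3-letter second-level domain such as "xyz.ru"
    if len(labels) == 2 and labels[-1] in SHORT_DOMAIN_TLDS and len(labels[0]) == 3:
        reasons.append("3-letter ." + labels[-1] + " domain")
    # A third-level (or deeper) host under a dynamic DNS zone
    for suffix in DYNDNS_SUFFIXES:
        if host.endswith("." + suffix):
            reasons.append("third-level host under dynamic DNS suffix " + suffix)
            break
    # Campaign names appear as bare query parameters or path tokens
    tokens = set(re.split(r"[/?&=]", (p.path + "?" + p.query).lower())) - {""}
    hits = sorted(tokens & CAMPAIGN_NAMES)
    if hits:
        reasons.append("campaign name " + ",".join(hits))
    return reasons


def scan_page(html):
    """Pair each hidden iframe URL with the indicators it triggers."""
    return [(url, url_indicators(url)) for url in find_hidden_iframes(html)]


# Constructed sample page (not captured from a real infection).
SAMPLE_HTML = """
<html><body>
<p>normal page content</p>
<iframe src="http://q2w.at:8080/index.php?pepsi" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://abc123.dyndns-provider.example/ts/in.cgi?open" style="display:none"></iframe>
<iframe src="https://www.example.com/embed" width="600" height="400"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url, reasons in scan_page(SAMPLE_HTML):
        print(url, "->", "; ".join(reasons) or "no indicator")
```

The visible 600x400 iframe is never reported, and the two hidden ones are reported with the specific indicators they trip, so a reviewer can see why a page was flagged rather than just that it was.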

Here are the details.

As always, it began when I started to notice a new pattern in domains of hidden iframes in Unmask Parasites reports.


Anthony and SysAdMini have also been posting a slew of these to Malware Domain List.
