The JavaScript contained a lovely little snippet, and a note for the folks over at ESET (though evidently, the bad guys got their Star Wars and Star Trek mixed up, as it was the Borg who said "Resistance is futile", not anyone from Star Wars):
/*hello nod32 guys; the force is strong with u, young Padawans, but u won't defeat us; any resistance is futile;*/
The file in question:
hxxp://www2.megosave2.tk/107ad6ae3feaa24b00263864f0be76edbcf43009611.js
I did some checking, and not surprisingly, there are a lot more than this one that have been created (I've already dropped abuse reports to dot.tk), including:
http://www2.megosave1.tk
http://www2.megosave2.tk
http://www2.megosave3.tk
http://www2.megosave4.tk
http://www2.megosave5.tk
http://www2.megosave6.tk
http://www2.megosave7.tk
http://www2.megosave8.tk
http://www2.megosave9.tk
http://www1.allclearnow1.tk
http://www1.allclearnow2.tk
http://www1.allclearnow3.tk
http://www1.allclearnow4.tk
http://www1.allclearnow5.tk
http://www1.allclearnow6.tk
http://www1.allclearnow7.tk
I've got a verification going to ID any more of these. Until dot.tk change their policy of not taking down domains that the registrant has paid them for, I feel pretty confident that we're going to see more and more .tk domains involved in criminal activity.
As far as the IPs involved go, you'll no doubt have guessed that it's the usual suspects:
ASN    Prefix            Network
44565  188.124.5.0/24    VITAL TEKNOLOJI
49981  217.23.0.0/20     WORLDSTREAM
31252  195.5.161.0/24    STARNET-AS StarNet Moldova
47869  94.228.208.0/20   NETROUTING-AS Netrouting Data Facilities
If you've not already, feel free to blackhole the lot of them (and until dot.tk change their policy, you might want to consider a blanket block on the entire Tokelau TLD - money should never come before user safety).
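As an added example (not from the original post), here is a small Python script that applies the indicators above to proxy log lines: it matches destination hostnames against the megosaveN.tk / allclearnowN.tk naming pattern, optionally flags anything under the .tk TLD, and checks destination IPs against the four prefixes listed. The log format, timestamps, client addresses, the 203.0.113.x / 198.51.100.x destination IPs and the some-other-site.tk hostname are constructed for illustration; only the domain pattern and the prefixes come from the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Prefixes and owners as listed in the post.
BLACKHOLE_PREFIXES = {
    "188.124.5.0/24": "AS44565 VITAL TEKNOLOJI",
    "217.23.0.0/20": "AS49981 WORLDSTREAM",
    "195.5.161.0/24": "AS31252 STARNET-AS",
    "94.228.208.0/20": "AS47869 NETROUTING-AS",
}
_NETS = [(ipaddress.ip_network(p), owner) for p, owner in BLACKHOLE_PREFIXES.items()]

# Hostname family seen in the post: wwwN.megosaveN.tk and wwwN.allclearnowN.tk.
BAD_HOST_RE = re.compile(r"^www\d\.(?:megosave|allclearnow)\d+\.tk$", re.IGNORECASE)


def classify_host(host, block_all_tk=False):
    """Return 'known-bad-pattern', 'tld-block' or 'allow' for a hostname."""
    host = host.rstrip(".").lower()
    if BAD_HOST_RE.match(host):
        return "known-bad-pattern"
    # Optional blanket block on the Tokelau TLD, as the post suggests considering.
    if block_all_tk and (host == "tk" or host.endswith(".tk")):
        return "tld-block"
    return "allow"


def classify_ip(ip):
    """Return the owner string of the matching blackholed prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, owner in _NETS:
        if addr in net:
            return owner
    return None


# Constructed sample log lines: "<timestamp> <client> <dest_ip> <url>".
# Schemes are left as they appear (defanged "hxxp" parses fine with urlsplit).
SAMPLE_LOG = [
    "2010-05-01T10:00:01Z 10.0.0.5 188.124.5.10 hxxp://www2.megosave2.tk/107ad6ae3feaa24b00263864f0be76edbcf43009611.js",
    "2010-05-01T10:00:02Z 10.0.0.7 217.23.7.20 http://www1.allclearnow4.tk/",
    "2010-05-01T10:00:03Z 10.0.0.9 203.0.113.8 http://www.some-other-site.tk/index.html",
    "2010-05-01T10:00:04Z 10.0.0.9 198.51.100.2 http://www.example.com/",
]


def scan_log(lines, block_all_tk=False):
    """Return (timestamp, client, host, host_verdict, prefix_owner) for each hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip
        ts, client, dest_ip, url = parts[:4]
        host = urlsplit(url).hostname or ""
        host_verdict = classify_host(host, block_all_tk)
        owner = classify_ip(dest_ip)
        # A hit on either the hostname or the destination prefix is worth reporting.
        if host_verdict != "allow" or owner is not None:
            hits.append((ts, client, host, host_verdict, owner))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, block_all_tk=True):
        print(hit)
```

The hostname regex is deliberately narrow (the two name families and their numeric suffixes) so that the blanket TLD block stays a separate, opt-in decision; the IP check is independent of the hostname check, so a hit on an already-blackholed prefix is still reported even when the domain is new.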
References
dot.tk: Use and abuse us as you wish
http://hphosts.blogspot.com/2009/12/dottk-use-and-abuse-us-as-you-wish.html
Crimeware friendly ISPs: xorg.pl
http://hphosts.blogspot.com/2010/04/crimeware-friendly-isps-xorgpl.html