Sometimes even I am surprised at the effort these bad guys put in to make sure the computer systems of unsuspecting victims get infected.
In the past we have seen the simple, straightforward method: register domains and IP addresses, rent servers, and dish out malware from there.
However, over the past few weeks I have come across a large number of legitimate domain names serving malware. Let us look at one of the reputed online services, URLQuery.net, and pick one report from the whole list.
You will find that the URLQuery.net reports span 2013-04-08 14:25:42 to 2013-04-16 08:47:34, i.e. eight days of constant activity. All the malicious activity is carried out from IP address 192.111.144.13, port 2390, and the Sweet Orange exploit kit is being served.
What is different about this method of malware delivery?
Using the passive DNS data made available by VirusTotal for the IP address 192.111.144.13, we extract the domains being used:
1911.mhm1932.ru
asfsg.ordex.com.ar
bye.kahrs.us
coujoid.phim3x.biz
dimannarkoman.aartofacts.co.za
domain.batebatepapopapo.com
flash.sleeping.to
forum.campaniatravel.it
forum.surukle.me
hash.topblu.com.br
holybible.hexorcist.com
ice.itceb.org
job.netscaler.ru
lumia.nokz.ca
socks.vpgconsulting.com.br
weekeiw.cnymqp.com
xyurojioba.oklahomatrain.info
All of the FQDNs above pointed to 192.111.144.13 at some point in the recent past. The URLs being accessed differed, but the port stayed the same: 2390.
You may read more about passive DNS here and here.
Moreover, when we look up the parent domains themselves, they point to different IP addresses. Only the subdomains were pointing to the malicious IP.
In this scenario it is very difficult to sinkhole or block the entire domain, as these domains are legitimate. Instead, the bad guys broke into the domain control panels of these legitimate domains and added their own subdomain records pointing to the malicious IP.
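The triage described above (pull the passive DNS resolutions for the suspect IP, check whether each parent domain itself resolves there, and block only what is actually malicious) as an added example; this is not code from the original post. The passive-DNS observations and the apex A records below are constructed to mirror the post's findings, and the "bad-only.example" domain is a hypothetical fully malicious domain added to show the contrast. A real run would fetch the resolutions from a passive DNS source such as VirusTotal and use the Public Suffix List instead of the tiny suffix table here.

```python
"""Triage of a suspect IP's passive-DNS resolutions: which hits are whole
malicious domains and which are rogue subdomains of otherwise-legitimate
domains (so the block list names FQDNs, not apexes).

Added example for this post, not code from the original. The observations
below are constructed to mirror the post's findings; the apex A records and
the fully malicious "bad-only.example" domain are assumptions, not post data.
"""
from collections import defaultdict

SUSPECT_IP = "192.111.144.13"
SUSPECT_PORT = 2390

# Constructed passive-DNS observations for the suspect IP: (FQDN, resolved IP).
# The first three hostnames are from the post; the others are hypothetical.
PDNS_FOR_IP = [
    ("flash.sleeping.to", "192.111.144.13"),
    ("forum.campaniatravel.it", "192.111.144.13"),
    ("dimannarkoman.aartofacts.co.za", "192.111.144.13"),
    ("bad-only.example", "192.111.144.13"),
    ("www.bad-only.example", "192.111.144.13"),
    ("stale.sleeping.to", "203.0.113.99"),  # no longer on the suspect IP
]

# Constructed current A records of the registrable (apex) domains.
APEX_A = {
    "sleeping.to": "203.0.113.10",
    "campaniatravel.it": "198.51.100.7",
    "aartofacts.co.za": "203.0.113.55",
    "bad-only.example": "192.111.144.13",
}

# Minimal public-suffix handling, enough for the list in the post; a real
# tool should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.ar", "co.za", "com.br"}


def apex_of(fqdn):
    """Registrable domain of an FQDN (e.g. asfsg.ordex.com.ar -> ordex.com.ar)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(pdns, apex_a, suspect_ip):
    """Group hits on suspect_ip by apex.

    apex_malicious: the apex itself resolves to the suspect IP (block the domain).
    shadowed: subdomains on the suspect IP under an apex that resolves elsewhere.
    """
    out = defaultdict(lambda: {"apex_malicious": False, "shadowed": []})
    for fqdn, ip in pdns:
        if ip != suspect_ip:
            continue
        apex = apex_of(fqdn)
        if apex_a.get(apex) == suspect_ip:
            out[apex]["apex_malicious"] = True
        else:
            out[apex]["shadowed"].append(fqdn)
    return dict(out)


def block_list(classified, suspect_ip, suspect_port):
    """Block the IP:port, whole domains only where the apex is malicious, and
    otherwise only the rogue FQDNs so the legitimate site keeps working."""
    entries = {f"{suspect_ip}:{suspect_port}"}
    for apex, info in classified.items():
        if info["apex_malicious"]:
            entries.add(apex)
        entries.update(info["shadowed"])
    return sorted(entries)


if __name__ == "__main__":
    result = classify(PDNS_FOR_IP, APEX_A, SUSPECT_IP)
    for apex, info in sorted(result.items()):
        label = "malicious apex" if info["apex_malicious"] else "shadowed"
        print(f"{apex}: {label} {info['shadowed']}")
    print("block:", block_list(result, SUSPECT_IP, SUSPECT_PORT))
```

The point of the split is the one the post makes: for a shadowed domain the apex resolves to the owner's real server, so a block on the parent domain breaks a legitimate site while the rogue FQDN and the IP:port pair are the only indicators that are safe to block outright.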
It seems these guys wanted to save the domain registration cost and also make life difficult for those who sinkhole malware domains.
We have seen hacked web servers providing drive-by downloads, but in this case the DNS entries have been tampered with and a rogue subdomain record has been added.
Effectively, the bad guys break into domain control panels, add their own subdomains, and start serving malware from them. The web admin does not even notice that something has gone wrong: most online services block either the specific URL or the IP address, and none of the admin's own website users are going to complain, because the legitimate site keeps working.
This gives the bad guys much-needed time to run their malware campaign without hindrance and with the fewest possible red flags being raised.
To sum up, the bad guys have invested in one IP address and one server; on top of that they have a very successful, undetected campaign whose only extra cost was adding a rogue subdomain, and with every successful infection their profits trend upward.
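Since the admin sees no broken site and no complaints, the only place the rogue record shows up is the zone itself. The following is an added example of the check a domain owner would run, not code from the original post: export the zone (from the control panel or by AXFR from your own authoritative server) and diff its address records against the inventory of records you know you created. The zone text and the expected-record inventory are constructed for illustration; the rogue "forum" record mirrors the pattern the post describes and is not real zone data.

```python
"""Audit a zone's address records against the records the admin expects,
flagging anything added behind the admin's back (e.g. through a compromised
domain control panel).

Added example for this post, not code from the original. The zone text and
the expected-record inventory are constructed for illustration.
"""
import re

# Constructed BIND-style zone export.
ZONE_TEXT = """\
$ORIGIN campaniatravel.it.
$TTL 3600
@       IN SOA  ns1.dns-provider.example. hostmaster.campaniatravel.it. (2013041601 7200 3600 1209600 3600)
@       IN NS   ns1.dns-provider.example.
@       IN A    198.51.100.7
www     IN A    198.51.100.7
mail    IN A    198.51.100.8
blog    IN CNAME www   ; points at www
forum   IN A    192.111.144.13
"""

# The admin's own inventory of records that should exist (assumption).
EXPECTED = {
    ("campaniatravel.it", "A", "198.51.100.7"),
    ("www.campaniatravel.it", "A", "198.51.100.7"),
    ("mail.campaniatravel.it", "A", "198.51.100.8"),
    ("blog.campaniatravel.it", "CNAME", "www.campaniatravel.it"),
}

# owner [ttl] [IN] (A|AAAA|CNAME) rdata
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|CNAME)\s+(\S+)", re.I)


def _fqdn(name, origin):
    """Expand a zone-file owner/target name to a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_zone(text):
    """Return [(owner_fqdn, rtype, rdata)] for the A/AAAA/CNAME records."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):
            continue                            # $TTL and other directives
        m = RECORD_RE.match(line)
        if not m:
            continue                            # SOA, NS, MX, TXT are out of scope
        owner, rtype, rdata = m.groups()
        rtype = rtype.upper()
        if rtype == "CNAME":
            rdata = _fqdn(rdata, origin)
        records.append((_fqdn(owner, origin), rtype, rdata))
    return records


def unexpected_records(records, expected):
    """Records present in the zone but absent from the inventory."""
    return [r for r in records if r not in expected]


if __name__ == "__main__":
    for rec in unexpected_records(parse_zone(ZONE_TEXT), EXPECTED):
        print("UNEXPECTED:", rec)
```

Running this periodically (and after every control-panel login you did not make) turns the silent rogue subdomain into a loud one; the same comparison also catches NS or MX changes if the record types are added to the pattern.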
Spanish version of the post (translated):
Sometimes I am surprised at how the bad guys will do whatever they can to make sure a computer gets infected.
In the past we have seen a method of registered domains, IP addresses and rented servers to distribute malware.
However, in recent weeks I noticed that there is a large number of legitimate domain names distributing malware. Let us look at a reputed online service, URLQuery.net.
You will find below in the URLQuery.net report that all malicious activity is carried out through IP address 192.111.144.13, port number 2390, and the Sweet Orange Exploit Kit is being distributed.
What is the difference in the delivery of malware?
Using the passive DNS data made available by VirusTotal for IP address 192.111.144.13, we extract the domains being used.
1911.mhm1932.ru
asfsg.ordex.com.ar
bye.kahrs.us
coujoid.phim3x.biz
dimannarkoman.aartofacts.co.za
domain.batebatepapopapo.com
flash.sleeping.to
forum.campaniatravel.it
forum.surukle.me
hash.topblu.com.br
holybible.hexorcist.com
ice.itceb.org
job.netscaler.ru
lumia.nokz.ca
socks.vpgconsulting.com.br
weekeiw.cnymqp.com
xyurojioba.oklahomatrain.info
At some point all of these FQDNs (fully qualified domain names) were pointing to 192.111.144.13, and the URLs being accessed were different, but the port stayed the same, i.e. 2390.
You can read more about passive DNS here and here.
When we look into the domains themselves, they point to different IP addresses. It is the subdomains that were pointing to the malicious IP.
In this case, the bad guys hacked into the domain control panel of these legitimate domains and added their own subdomain pointing to the malicious IP.
We have seen hacked servers offering malicious downloads, but in this case the DNS entries have been modified and a rogue subdomain entry was added.
Effectively, these bad guys hack into domain control panels, add their own subdomain and distribute malware. Often the web administrators do not know about this, since the online services block only the URL or the IP address entirely.
These bad guys have plenty of time to make sure their malware runs successfully without users becoming suspicious.
To finish, these people have invested in an IP address and a server; in addition, they have successfully distributed malware just by adding a rogue subdomain, and they profit from every successful infection.