Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Dynamic DNS and Botnet of Zombie Web Servers

11 Sep 09   Filed in Website exploits with 44 Comments

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has consistently been among the “leaders”.

  • They started with gambling-related .cn domains (like cheapslotplay .cn).
  • They introduced several new domain names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
  • They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
  • They used port 8080 (presumably to get past naive traffic filters that only inspect traffic on port 80).
  • At the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
  • And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.
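As an added illustration (not code from this post or from Unmask Parasites), here is a small Python scanner that turns the traits listed above into detection logic instead of a hard-coded domain list: it flags a hidden iframe whose URL uses port 8080, a 3-letter domain under one of the listed ccTLDs, a known campaign parameter, or a host under a free dynamic DNS suffix. The dynamic DNS suffix and the sample HTML are constructed placeholders, since the post names neither.

```python
import re
from urllib.parse import urlparse, parse_qs
# Indicators from the post: campaign names in the iframe URLs, port 8080, 3-letter ccTLD domains.
CAMPAIGN_NAMES = {"mozila", "banner", "cocacola", "pepsi", "open", "reopen", "income"}
THREE_LETTER_DOMAIN = re.compile(r"[a-z0-9]{3}\.(ru|pl|in|at)")
# Assumption: the post names no providers, so this dynamic DNS suffix is a placeholder.
DDNS_SUFFIXES = {"ddns.example"}
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def _attrs(tag_body):
    # Attribute name -> value, accepting double-, single- or unquoted values.
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag_body)}

def _is_hidden(a):
    # Hidden iframes: display:none / visibility:hidden, or a 0x0 / 1x1 box.
    style = a.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [re.sub(r"\D", "", a.get(k, "")) for k in ("width", "height")]
    return all(d and int(d) <= 1 for d in dims)

def iframe_indicators(src):
    """Return the campaign traits an iframe URL exhibits (empty list if none)."""
    u = urlparse(src)
    host = (u.hostname or "").lower()
    qs = parse_qs(u.query, keep_blank_values=True)
    names = set(qs) | {v for vals in qs.values() for v in vals}
    reasons = []
    if u.port == 8080:
        reasons.append("port 8080")
    if THREE_LETTER_DOMAIN.fullmatch(host):
        reasons.append("3-letter ccTLD domain")
    if any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
        reasons.append("free dynamic DNS host")
    if names & CAMPAIGN_NAMES:
        reasons.append("known campaign parameter")
    return reasons

def scan_html(html):
    """List (src, reasons) for each hidden iframe whose URL shows an indicator."""
    frames = [_attrs(m.group(1)) for m in IFRAME_RE.finditer(html)]
    hidden = [a for a in frames if a.get("src") and _is_hidden(a)]
    return [(a["src"], r) for a in hidden if (r := iframe_indicators(a["src"]))]

# Constructed sample: two injected hidden iframes plus one legitimate, visible embed.
SAMPLE_HTML = """<iframe src="http://x3y.ru:8080/index.php?banner" width=0 height=0></iframe>
<iframe src='http://zone.ddns.example/?pepsi=1' style="display: none"></iframe>
<iframe src="https://www.example.com/embed/abc" width="560" height="315"></iframe>"""
```

Running `scan_html(SAMPLE_HTML)` reports the two hidden frames with their matching traits and ignores the visible embed; because the checks are structural, newly rotated domains still trip them.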
