Intermediaries to Torpig Attack Sites

In the previous post, I reviewed a website hack that injected malicious scripts that used Twitter API to generated domain names for attack sites. Domain names of the attack sites changed two times a day.

However since the malicious script works on the client side, the algorithm of the domain name generator can be easily extracted and used to predict upcoming malicious domains. To demonstrate this, I created my online “Torpig Domain Generator” that displays the currently used attack site and two domains of upcoming attack sites. It’s been working for mre than a week now and so far it is very accurate (For unknown reason hackers didn’t activate malicious domains this past Saturday, but infected sites still redirected to the same domains predicted by my generator.)

The fact that the algorithm is open and domain names of the upcoming malicious sites are known even before hackers register them means that any one who wants to stop the attack can pre-register those domains (so far it looks like no one have spare $20/day for this). The same algorithm can be used to proactively blacklist malicious domain names.

I’m sure hackers are aware of these downsides of open algorithms. Now they are trying to take advantage of the frequently changing pseudorandom domain names hiding the algorithm of the domain name generator behind intermediary servers-redirectors.
Here’s the story »»