Attackers Moving to .CE.MS Domain For Attack Sites

Attackers have been making a mess of some of the smaller country-code top-level domains for a while now, registering random domain names en masse and then using them to deliver malware and rogue AV. The most infamous example of this is the .co.cc domain, which had become so infested with malicious domains that Google removed the entire domain from its search results earlier this year. Now the bad guys have moved on to the mountainous West Indies isle of Montserrat.

The island nation’s .ms TLD has recently become a target of groups of attackers looking for fresh territory in which to plant their malicious binaries and rogue AV domains. Researchers at Zscaler have found that attackers are now registering massive numbers of randomly generated .ce.ms domains and using them as part of campaigns that involve JavaScript redirectors and the Black Hole exploit pack. The attackers are setting up malicious scripts on random URLs that, when visited by a user, use the familiar tactic of obfuscated JavaScript to hide a malicious HTML file.

“Once visited, the victim will be presented with obfuscated JavaScript code, formatted in such a way to evade IDS, IPS and antivirus solutions. The numbers in the arrays used by the scripts are intentionally spread across separate lines. This way the size of the HTML file becomes huge and the total code spans 29K lines,” Zscaler’s researchers said in an analysis of the attack.
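The two observable traits described above (randomly generated labels under a watched suffix such as .ce.ms, and landing pages whose bulk is a numeric array padded out one number per line) lend themselves to simple defender-side heuristics. The following is an added example, not code from Zscaler or from the article: it scores proxy-log hostnames by label length and character entropy, and scores a fetched HTML body by the fraction of lines that are nothing but a number. The log format, the sample hostnames, the thresholds and the sample page are all constructed here for illustration and are not indicators from the campaign.

```python
import math
import re
from collections import Counter

# Constructed sample proxy log: "<timestamp> <host> <path>" (not real indicators).
SAMPLE_LOG = """\
2011-10-31T10:01:02Z www.example.com /index.html
2011-10-31T10:01:05Z xk3q9z7vb2.ce.ms /in.php
2011-10-31T10:01:09Z news.ce.ms /about.html
2011-10-31T10:02:11Z q8w2e7r1t5y.ce.ms /main.php
"""

# Free-registration suffixes named in the article; extend as needed (assumed list).
WATCHED_SUFFIXES = (".ce.ms", ".co.cc")


def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Heuristic (thresholds assumed): long, contains digits, high entropy."""
    return (len(label) >= min_len
            and any(ch.isdigit() for ch in label)
            and shannon_entropy(label) >= min_entropy)


def flag_hosts(log_text: str) -> list:
    """Return hosts under a watched suffix whose leftmost label looks generated."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host = parts[1].lower()
        for suffix in WATCHED_SUFFIXES:
            if host.endswith(suffix):
                label = host[: -len(suffix)].split(".")[-1]
                if looks_random(label):
                    flagged.append(host)
                break
    return flagged


# A line consisting solely of an integer with an optional trailing comma.
NUM_LINE = re.compile(r"^\s*\d+\s*,?\s*$")


def numeric_line_ratio(html: str) -> float:
    """Fraction of lines that are just one array element."""
    lines = html.splitlines()
    if not lines:
        return 0.0
    return sum(1 for ln in lines if NUM_LINE.match(ln)) / len(lines)


def suspicious_script(html: str, min_lines: int = 50, min_ratio: float = 0.8) -> bool:
    """Flag pages that are mostly a one-number-per-line array (thresholds assumed)."""
    return len(html.splitlines()) >= min_lines and numeric_line_ratio(html) >= min_ratio


# Constructed sample page mimicking the padding pattern: a 200-element array, one per line.
SAMPLE_OBFUSCATED = ("<html><body><script>\nvar a=[\n"
                     + ",\n".join(str((i * 37) % 251) for i in range(200))
                     + "\n];\n</script></body></html>\n")
SAMPLE_BENIGN = "<html><body><p>Hello</p></body></html>\n"

if __name__ == "__main__":
    print("flagged hosts:", flag_hosts(SAMPLE_LOG))
    print("obfuscated sample suspicious:", suspicious_script(SAMPLE_OBFUSCATED))
    print("benign sample suspicious:", suspicious_script(SAMPLE_BENIGN))
```

Both heuristics are deliberately coarse: a short or dictionary-word label under .ce.ms (such as `news`) is not flagged, and a legitimate page would need to be mostly bare numbers, one per line, before the body check fires. They are meant as a first-pass triage filter feeding a proxy or IDS alert, not as a verdict on their own.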

The ultimate payload of the attack is the Black Hole exploit kit, which has been in use for a long time now and is available for purchase in several locations online for anyone who wants a copy. The kit includes exploits for a number of known vulnerabilities in browsers and other common applications. Attackers use Black Hole to deliver other pieces of malware to victims’ machines, such as rootkits and banker Trojans.

Attackers have been taking advantage of the fact that there are a slew of free domain-registration companies that will register sub-domains of smaller TLDs such as the one owned by Montserrat. The move by Google in June to de-index all of the domains hosted on .co.cc drew quite a bit of criticism, but the subdomain had become infested with malware and spam pages, and after Google’s action, the attackers simply moved on to other subdomains, such as Montserrat’s.
