Attackers have been making a mess of some of the smaller country-code top-level domains for a while now, registering random domain names en masse and then using them to deliver malware and rogue AV. The most infamous example of this is the .co.cc domain, which had become so infested with malicious domains that Google removed the entire domain from its search results earlier this year. Now the bad guys have moved on to the mountainous West Indies isle of Montserrat.
The island nation’s .ms TLD has recently become a target of groups of attackers looking for fresh territory in which to plant their malicious binaries and rogue AV domains. Researchers at Zscaler have found that attackers are now registering massive numbers of randomly generated .ce.ms domains and using them as part of campaigns that involve JavaScript redirectors and the Black Hole exploit pack. The attackers are setting up malicious scripts on random URLs that, when visited by a user, use the familiar tactic of obfuscated JavaScript to hide a malicious HTML file.
“Once visited, the victim will be presented with obfuscated JavaScript code, formatted in such a way to evade IDS, IPS and antivirus solutions. The numbers in the arrays used by the scripts are intentionally spread across separate lines. This way the size of the HTML file becomes huge and the total code spans 29K lines,” Zscaler’s researchers said in an analysis of the attack.
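The evasion trick described above (an array of character codes spread one number per line so the page balloons to tens of thousands of lines) is easy to spot once you look for it. The following is an added example, not Zscaler’s code or anything from the original analysis: it flags HTML whose line count is dominated by long runs of bare-integer lines, collapses those runs back into one line so the file can be compared with its real size, and decodes the array as character codes the way an analyst would to see what the script is hiding. The sample HTML, the decoded marker text and the thresholds (`min_run`, `min_ratio`) are all constructed assumptions for the demonstration.

```python
import re

# One line that is nothing but an optionally signed integer and an optional comma.
NUMERIC_LINE = re.compile(r"^\s*-?\d+\s*,?\s*$")

# A JavaScript array literal made only of integers (whitespace and newlines allowed).
ARRAY_RE = re.compile(r"\[\s*((?:-?\d+\s*,\s*)*-?\d+)\s*,?\s*\]")

# Constructed placeholder payload (not from the article): what the array decodes to.
DECOY = b"<!-- constructed sample payload -->" * 3  # 105 character codes

# Constructed sample page mimicking the described layout: one array element per line.
SPREAD_SAMPLE = (
    "<html><body>\n<script>\nvar a = [\n"
    + "".join(f"{b},\n" for b in DECOY)
    + "];\n</script>\n</body></html>\n"
)

# The same array written normally on a single line, for comparison.
BENIGN_SAMPLE = (
    "<html><body>\n<script>\nvar a = ["
    + ",".join(str(b) for b in DECOY)
    + "];\n</script>\n</body></html>\n"
)


def count_numeric_lines(html):
    """Return total lines, lines that are a bare integer, and the longest such run."""
    lines = html.splitlines()
    flags = [bool(NUMERIC_LINE.match(line)) for line in lines]
    longest = current = 0
    for is_numeric in flags:
        current = current + 1 if is_numeric else 0
        longest = max(longest, current)
    return {"total": len(lines), "numeric": sum(flags), "longest_run": longest}


def is_spread_obfuscation(html, min_run=64, min_ratio=0.5):
    """Heuristic: a long run of integer-only lines that dominates the file.

    The thresholds are assumed values for this example, not figures from the analysis.
    """
    stats = count_numeric_lines(html)
    if stats["total"] == 0:
        return False
    ratio = stats["numeric"] / stats["total"]
    return stats["longest_run"] >= min_run and ratio >= min_ratio


def collapse_spread_arrays(html):
    """Join each run of integer-only lines into one line, undoing the line padding."""
    out, buf = [], []
    for line in html.splitlines():
        if NUMERIC_LINE.match(line):
            buf.append(line.strip())
            continue
        if buf:
            out.append("".join(buf))
            buf = []
        out.append(line)
    if buf:
        out.append("".join(buf))
    return "\n".join(out) + "\n"


def extract_numeric_arrays(html, min_len=16):
    """Return every all-integer array literal in the page with at least min_len items."""
    arrays = []
    for body in ARRAY_RE.findall(html):
        values = [int(v) for v in re.findall(r"-?\d+", body)]
        if len(values) >= min_len:
            arrays.append(values)
    return arrays


def decode_charcodes(values):
    """Interpret the integers as character codes (the usual String.fromCharCode trick)."""
    return "".join(chr(v) for v in values if 0 <= v < 0x110000)


if __name__ == "__main__":
    for name, page in (("spread", SPREAD_SAMPLE), ("benign", BENIGN_SAMPLE)):
        stats = count_numeric_lines(page)
        print(name, stats, "suspicious" if is_spread_obfuscation(page) else "ok")
    collapsed = collapse_spread_arrays(SPREAD_SAMPLE)
    print("collapsed to", len(collapsed.splitlines()), "lines")
    for arr in extract_numeric_arrays(SPREAD_SAMPLE):
        print("decoded:", decode_charcodes(arr))
```

Running the block prints the line statistics for both constructed pages, shows the padded page shrinking from 111 lines to 7 once the runs are collapsed, and prints the decoded placeholder text. In practice the decoded string is where the hidden iframe or redirect would appear, and the collapsed-size versus raw-size gap is a cheap signal that survives renaming of variables.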
The ultimate payload of the attack is the Black Hole exploit kit, which has been in use for a long time now and is available for purchase in several locations online for anyone who wants a copy. The kit includes exploits for a number of known vulnerabilities in browsers and other common applications. Attackers use Black Hole to deliver other pieces of malware to victims’ machines, such as rootkits and banker Trojans.
Attackers have been taking advantage of the fact that there are a slew of free domain-registration companies that will register sub-domains of smaller TLDs such as the one owned by Montserrat. The move by Google in June to de-index all of the domains hosted on .co.cc drew quite a bit of criticism, but the subdomain had become infested with malware and spam pages, and after Google’s action, the attackers simply moved on to other subdomains, such as Montserrat’s.