Attackers have been making a mess of some of the smaller country-code top-level domains for a while now, registering random domain names en masse and then using them to deliver malware and rogue AV. The most infamous example of this is the .co.cc domain, which had become so infested with malicious domains that Google removed the entire domain from its search results earlier this year. Now the bad guys have moved on to the mountainous West Indies isle of Montserrat.
The ultimate payload of the attack is the Black Hole exploit kit, which has been in use for a long time now and is available for purchase in several locations online for anyone who wants a copy. The kit includes exploits for a number of known vulnerabilities in browsers and other common applications. Attackers use Black Hole to deliver other pieces of malware to victims’ machines, such as rootkits and banker Trojans.
Attackers have been taking advantage of the fact that there are a slew of free domain-registration companies that will register sub-domains of smaller TLDs such as the one owned by Montserrat. The move by Google in June to de-index all of the domains hosted on .co.cc drew quite a bit of criticism, but the subdomain had become infested with malware and spam pages, and after Google’s action, the attackers simply moved on to other subdomains, such as Montserrat’s.