Attackers Moving to .CE.MS Domain For Attack Sites

Attackers have been making a mess of some of the smaller country-code top-level domains for a while now, registering random domain names en masse and then using them to deliver malware and rogue AV. The most infamous example of this is the .co.cc domain, which had become so infested with malicious domains that Google removed the entire domain from its search results earlier this year. Now the bad guys have moved on to the mountainous West Indies isle of Montserrat.

The island nation’s .ms TLD has recently become a target of groups of attackers looking for fresh territory in which to plant their malicious binaries and rogue AV domains. Researchers at Zscaler have found that attackers are now registering massive numbers of randomly generated .ce.ms domains and using them as part of campaigns that involve JavaScript redirectors and the Black Hole exploit pack. The attackers are setting up malicious scripts on random URLs that, when visited by a user, use the familiar tactic of obfuscated JavaScript to hide a malicious HTML file.

“Once visited, the victim will be presented with obfuscated JavaScript code, formatted in such a way to evade IDS, IPS and antivirus solutions. The numbers in the arrays used by the scripts are intentionally spread across separate lines. This way the size of the HTML file becomes huge and the total code spans 29K lines,” Zscaler’s researchers said in an analysis of the attack.
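As an added example (not code from Threatpost or Zscaler), here is a defender-side heuristic in Python that flags the layout described above: script content in which almost every line carries a single numeric array element. The thresholds and the two sample pages are constructed assumptions for this illustration.

```python
import re

# Lines holding one bare numeric array element, e.g. "104," or "  116" -- the
# layout Zscaler described, where each number of the array sits on its own line.
NUMERIC_ELEMENT = re.compile(r"^\s*\d+\s*,?\s*$")
SCRIPT_BODY = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

def script_line_stats(html):
    """Return (non-blank lines inside <script> blocks, lines holding one number)."""
    total = numeric = 0
    for body in SCRIPT_BODY.findall(html):
        for line in body.splitlines():
            if not line.strip():
                continue
            total += 1
            if NUMERIC_ELEMENT.match(line):
                numeric += 1
    return total, numeric

def is_number_spread_obfuscation(html, min_numeric_lines=200, min_ratio=0.9):
    """Heuristic: flag a page whose script bulk is one numeric element per line.

    Thresholds are assumptions for this example; tune them against your own
    traffic, since benign data tables can also be long.
    """
    total, numeric = script_line_stats(html)
    return total > 0 and numeric >= min_numeric_lines and numeric / total >= min_ratio

# Constructed samples (not taken from the campaign). The "obfuscated" page
# mimics the layout only: a numeric array spread one element per line, then
# a decoder that turns it back into harmless text.
_codes = [ord(c) for c in "<html><body>harmless placeholder</body></html>" * 10]
OBFUSCATED_PAGE = (
    "<html><head><script>\nvar a = [\n"
    + ",\n".join(str(c) for c in _codes)
    + "\n];\nvar s = String.fromCharCode.apply(null, a);\n"
    + "document.write(s);\n</script></head></html>"
)
BENIGN_PAGE = (
    "<html><head><script>\nvar counts = [3, 14, 15];\n"
    "function show() { console.log(counts.join(' ')); }\n"
    "</script></head><body onload='show()'>hi</body></html>"
)

if __name__ == "__main__":
    for name, page in (("obfuscated", OBFUSCATED_PAGE), ("benign", BENIGN_PAGE)):
        total, numeric = script_line_stats(page)
        print(f"{name}: {numeric}/{total} numeric lines, "
              f"flagged={is_number_spread_obfuscation(page)}")
```

Run over captured HTTP responses or proxy logs, the ratio and line count give a cheap signal that survives changes to the array contents, which is why the layout itself is worth alerting on.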

The ultimate payload of the attack is the Black Hole exploit kit, which has been in use for a long time now and is available for purchase in several locations online for anyone who wants a copy. The kit includes exploits for a number of known vulnerabilities in browsers and other common applications. Attackers use Black Hole to deliver other pieces of malware to victims’ machines, such as rootkits and banker Trojans.

Attackers have been taking advantage of the fact that there are a slew of free domain-registration companies that will register sub-domains of smaller TLDs such as the one owned by Montserrat. The move by Google in June to de-index all of the domains hosted on .co.cc drew quite a bit of criticism, but the subdomain had become infested with malware and spam pages, and after Google’s action, the attackers simply moved on to other subdomains, such as Montserrat’s.

Discussion

  • Anonymous on

    BAN JAVA and save the Internet!

  • Anonymous on

    Banning JAVA would be like burning down your house bit by bit to stay warm in the winter. JAVA serves very many useful purposes. For example it allows a website to send the user an applet that will encrypt his/her password BEFORE sending it over the internet. Packet sniffers and other internet slime are defeated. Even the JAVA administrators can't get the plaintext password and read the message used to encrypt it.

    Please don't bring up the (I think) little-known fact that law enforcement can order sites that use this technique to send down fake JAVA encrypting applets that allow Java administrators (and the authorities) to get the plaintext passwords.

    ...and most likely moles in JAVA administration do the same on their own (for an appropriate fee, of course.)

    And even if JAVA reduces encryption key theft by 80% (no hard figures available to me) it's a boon rather than a bane.

    This is only ONE of the great JAVA capabilities that would be difficult if not impossible to replace, except, perhaps, by a JAVA clone that would have the same vulnerabilities as Java itself.

    BOTTOM LINE: Don't ban JAVA, fix it and fortify it just like they do with OS's.

    This kind of battle has been going on since ancient times. First they made ship-borne cannons, then they made cladding, then armor piercing shells, and now submarine-launched nuclear missiles. The destroy-protect war is still going on today. Why give up? Why not wage the same kind of war in the IT environment? Why give up and let the bad guys win by a cowardly retreat!

  • Alexander Dupuy on

    Umm, the attack used Java*script* not Java - they are utterly unrelated (except for the name).

  • Anonymous on

    The writer said:

    "Attackers have been taking advantage of the fact that there are a slew of free domain-registration companies that will register sub-domains of smaller TLDs such as the one owned by Montserrat."

    What is the vulnerability that a smaller TLD has that a larger TLD does not have?

    The fact is that persons register a second level domain name and just like with every other domain name in the world they are then free to register names in the third level.

    This can be done with a .com, .uk, .au, or any other gTLD or ccTLD.

    What exactly makes a small ccTLD more vulnerable?

  • Ce.MS Admin on

    It is completely inaccurate and unfair to say that attackers are abusing ce.ms. As the owner of ce.ms, I can say that I take abuse requests very seriously. In the previous week, we implemented a solution that works directly with Spamhaus to ensure that any domain listed in their database is deleted from ce.ms. We have also limited the number of free domains to discourage abusers. Moreover, we have a powerful spam detection system in place that is able to identify abusers and delete their accounts. Finally, we deal with submitted abuse requests very promptly.
