DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit

Attackers have been going after various pieces of the DNS infrastructure for a long time now, and it’s not unusual for there to be somewhat organized campaigns that target certain vertical industries or geographic regions. But researchers lately have been seeing an interesting pattern of compromises in which attackers somehow add new names to existing domains and use those sub-domains to piggyback on the good reputation of the sites and push counterfeit goods, pills and other junk. And now they’re using the attack to push exploits via the Black Hole Exploit Kit.

The attacks have been ongoing for at least a couple of months and while they’re fairly simple in theory, researchers haven’t necessarily been able to figure out how the attackers have managed to compromise the domains and get access to the DNS records to add their own sub-domains. What’s happened is that attackers have been able to alter the domain records of dozens of existing, legitimate sites, including local government agencies, small businesses, community banks and others and then inserted new sub-domain names into the records.

So the new sub-domains might look something like this: payday-loans.smalltownbank.com. This small bank would likely have a good reputation built up in the various blacklisting and reputation systems out there and the attackers are able to ride on top of that and give themselves more credibility in the search-engine rankings. That means more users will find their domains in search results and potentially land on the sites, winding up on an order page for fake Viagra or shady personal loans instead of whatever they were searching for.
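One defensive check that follows from this description is to compare the zone a domain currently serves against a stored baseline and flag names the owner never created, plus records that point at address space the organisation does not control. The script below is an added illustration, not code from SANS ISC or Threatpost; the zone text, the bank's hostname and the owned address range are all constructed sample data.

```python
"""Detect unauthorized sub-domains added to a DNS zone.

Added illustration for the article above; not SANS ISC or Threatpost code.
It compares the zone as currently served against a stored baseline and flags:
  - names that did not exist in the baseline (the attack described: new
    sub-domains inserted into an existing, legitimate zone), and
  - A/AAAA records pointing outside the address ranges the organisation owns.
The zone text and the address ranges are constructed sample data.
"""
import ipaddress

# Constructed baseline: what the zone looked like when it was last reviewed.
BASELINE_ZONE = """
smalltownbank.com.        IN  A   203.0.113.10
www.smalltownbank.com.    IN  A   203.0.113.10
mail.smalltownbank.com.   IN  A   203.0.113.25
"""

# Constructed current zone: two names were added that the bank never created.
CURRENT_ZONE = """
smalltownbank.com.              IN  A   203.0.113.10
www.smalltownbank.com.          IN  A   203.0.113.10
mail.smalltownbank.com.         IN  A   203.0.113.25
payday-loans.smalltownbank.com. IN  A   198.51.100.77
cheap-pills.smalltownbank.com.  IN  A   198.51.100.77
"""

# Constructed: address space the organisation actually controls (RFC 5737 range).
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_zone(text):
    """Parse a minimal 'name IN TYPE value' zone listing into a dict
    {name: set of (type, value)}. Blank lines and ';' comments are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1].upper() != "IN":
            continue  # not a record in the simple form handled here
        name, rtype, value = parts[0].lower(), parts[2].upper(), parts[3]
        records.setdefault(name, set()).add((rtype, value))
    return records


def is_owned(ip_text):
    """True if the address falls inside one of the organisation's ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in OWNED_RANGES)


def audit_zone(baseline_text, current_text):
    """Return a list of (name, reason) findings, sorted by name."""
    baseline = parse_zone(baseline_text)
    current = parse_zone(current_text)
    findings = []
    for name, rrset in sorted(current.items()):
        if name not in baseline:
            findings.append((name, "name not present in baseline"))
        for rtype, value in sorted(rrset):
            if rtype in ("A", "AAAA") and not is_owned(value):
                findings.append((name, f"{rtype} record points outside owned ranges: {value}"))
    for name in sorted(baseline):
        if name not in current:
            findings.append((name, "name removed since baseline"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_zone(BASELINE_ZONE, CURRENT_ZONE):
        print(f"{name}: {reason}")
```

Run periodically against a zone transfer or the provider's API export and alert on any finding; the baseline is only useful if it is refreshed each time the owner makes a legitimate change.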

The folks at the SANS Internet Storm Center have been looking into the attacks and have identified dozens of domains that have been affected and poisoned with the insertion of a slew of skeevy sub-domains pushing fake pharmaceuticals, loans and other Internet spam staples.

“How did this happen? Unsurprisingly, no one I talked to about this was standing at the front of the line, ready to take the blame for these issues: Domain owners swear they used good passwords and are sure that the DNS providers were hacked, DNS providers are certain that the Domain owners used lousy passwords on their accounts… ’round and ’round we go,” Tom Liston of the ISC wrote in an analysis of the attacks in October. “My gut tells me that the truth lies somewhere in between: bad passwords combined with poor account lockout controls on something like a cPanel-type web interface probably led to successful brute force attacks on most of these… I could, however, be completely wrong.”

Now, it turns out that the attackers aren’t just using these fishy sub-domains to push their junk products, but also are using them to serve exploits, courtesy of the Black Hole Exploit Kit. Black Hole has turned into the Luis Sojo of exploit kits, a utility infielder putting in work in a variety of places for a menu of different taskmasters. It’s popping up all over the place these days, and it’s typically being used to push a handful of exploits, some of which may be newer and others could be months or years old.

“The problem is only slowly starting to surface in the Google search results, but it is plenty evident in passive DNS loggers like RUS-CERT’s: http://www.bfk.de/bfk_dnslogger.html?query=91.196.216.50#result

The domains affected have been abused for the past several days to push copies of the BlackHole Exploit Kit,” Daniel Wesemann of the SANS ISC wrote over the weekend. “The IP range used changes about every three, four days:

188.247.135.37 in use until Dec 2, AS34714, Opticnet, Romania
146.185.245.72 in use until Dec 5, AS43215, Monyson Group, Russia
91.196.216.50 in use since Dec 6, AS43239, Spetsenergo, Russia

One of the many exploits launched by these sites is for the Java Vulnerability CVE-2011-3544.”
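The passive DNS pivot the quote above describes (query one serving IP, see every name that resolved to it) also works in the other direction: an IP that suddenly serves sub-domains under many unrelated zones, and that hands off to a new IP every few days, stands out in the data. The script below is an added illustration of that analysis, not code from SANS ISC, RUS-CERT or Threatpost; the records and addresses are constructed (RFC 5737 documentation ranges), and the registered-domain helper is a deliberate simplification.

```python
"""Pivot on passive DNS data to spot an IP serving injected sub-domains
across many unrelated zones, and to track the hosting IP's rotation.

Added illustration, not code from SANS ISC, RUS-CERT or Threatpost.
The records below are constructed, using RFC 5737 documentation addresses;
a real analysis would feed in the export of a passive DNS service.
"""
from collections import defaultdict
from datetime import date

# Constructed passive DNS records: (hostname, ip, first_seen, last_seen)
PDNS_RECORDS = [
    ("www.smalltownbank.com",          "203.0.113.10",  date(2011, 1, 5),   date(2011, 12, 7)),
    ("payday-loans.smalltownbank.com", "198.51.100.37", date(2011, 11, 28), date(2011, 12, 2)),
    ("payday-loans.smalltownbank.com", "198.51.100.72", date(2011, 12, 3),  date(2011, 12, 5)),
    ("payday-loans.smalltownbank.com", "198.51.100.50", date(2011, 12, 6),  date(2011, 12, 8)),
    ("cheap-pills.cityhall.example",   "198.51.100.50", date(2011, 12, 6),  date(2011, 12, 8)),
    ("loans.widgets.example",          "198.51.100.50", date(2011, 12, 6),  date(2011, 12, 8)),
    ("www.cityhall.example",           "203.0.113.40",  date(2010, 3, 1),   date(2011, 12, 8)),
    ("cdn.widgets.example",            "192.0.2.9",     date(2011, 6, 1),   date(2011, 12, 8)),
    ("static.widgets.example",         "192.0.2.9",     date(2011, 6, 1),   date(2011, 12, 8)),
]


def registered_domain(hostname):
    """Simplified: the last two labels. Real code should use the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_ips(records, min_zones=3):
    """Return {ip: sorted registered domains} for IPs that serve names under
    at least `min_zones` distinct registered domains. Shared hosting looks
    like this too, so treat the output as leads, not verdicts."""
    zones_by_ip = defaultdict(set)
    for hostname, ip, _first, _last in records:
        zones_by_ip[ip].add(registered_domain(hostname))
    return {ip: sorted(z) for ip, z in zones_by_ip.items() if len(z) >= min_zones}


def rotation_timeline(records, hostname):
    """Sorted (first_seen, last_seen, ip) tuples for one hostname, showing
    how often the hosting IP changed."""
    rows = [(f, l, ip) for h, ip, f, l in records if h.lower() == hostname.lower()]
    return sorted(rows)


def hostnames_for_ip(records, ip):
    """Every name seen resolving to `ip`: the pivot a passive DNS query by IP performs."""
    return sorted({h for h, i, _f, _l in records if i == ip})


if __name__ == "__main__":
    for ip, zones in suspicious_ips(PDNS_RECORDS).items():
        print(f"{ip} serves names under {len(zones)} zones: {', '.join(zones)}")
    for first, last, ip in rotation_timeline(PDNS_RECORDS, "payday-loans.smalltownbank.com"):
        print(f"  {first} .. {last}  {ip}")
```

In the constructed data only 198.51.100.50 crosses the three-zone threshold, and the timeline for the injected bank sub-domain shows three hosting IPs in under two weeks, the same "changes every three, four days" pattern the ISC describes. Blocking the current IP alone is therefore short-lived; removing the injected records and fixing the account controls is the durable fix.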

That Java vulnerability was first reported about two months ago, and is one of many Java flaws that are being used in targeted attacks and more general campaigns right now. Microsoft researchers found recently that Java exploits were the most common ones Microsoft observed in the first six months of 2011.
