By Kurt Baumgartner
In April, the .co.cc and .cz.cc sub-domains were absolutely littered with malware distributing web sites, and the unusually telling DNS registration setup on .co.cc and .cz.cc had forecast the previously upcoming Apple FakeAv. That DNS setup later led to FakeAv downloads for the Mac as forecast. But FakeAv distribution has been steadily declining since the beginning of the year, and a few related major events have occurred over the past six months. Blackhole operators have migrated to .info domains, along with other related malicious site operators. Have they pushed .info to become the new .cc?
So, what has this dispersion looked like? Well, let’s look back to the beginning of the year. .co.cc and .cz.cc domain registrars offered free dns registration and cheap or free hosting. Malware distributors abused these cheap resources and staged the Blackhole exploit pack using these URL names, serving up FakeAv and other nastiness. Java exploits became the most effective and most popular in the Blackhole set, followed by exploits targeting vulnerable Adobe Reader and Microsoft HCP software. Traffic was directed to these kits by Google Image Search Poisoning, by compromising legitimate sites and redirecting browsers to the kit sites with injected iframe and img src tags, and by successful malvertizing campaigns on major webmail providers. But, what goes up must come down.
These campaigns couldn’t last. Google figured out that their image and other search services were badly poisoned by the malware distributors hosting their attacks from .cc subdomains, and de-indexed .co.cc and .cz.cc altogether in July. An alleged FakeAv king and Chronopay founder was arrested in August and allegedly associated operations disrupted. And Microsoft took the owner/operator of the .cc domains to court after our Kaspersky researchers took control of the Hlux botnet that partly was being controlled from the .cc space. All of these things sent the rats running from the sinking ship. But these rats need a place to go and the place they are headed looks to be .info. While tens of thousands of Trojan.JS.Darduk hits that were heavily trending in the US and RU (Darduk detects the main page of some specific, recent versions of the Blackhole exploit pack), almost half of the Darduk pages are being served from .info domains. The heavy trending began on the 28th and continues…
The hundreds of thousands of browsers producing malicious url hits coming from .info aren’t just redirected there from bizarre porn sites, which can be more common. This time, the list includes more legitimate sites.
There are things that can be done – if you are a system admin, do you really need to let your users browse .info sites? If you are stuck with an old version of Java, Adobe, or your users are all running Flash in their browsers, do they need to access content on .info domains?
The .cc domains were a cheap (often free), automated, easy place to set up shop for exploit pack operators serving up Blackhole exploit web pages, FakeAv, ZeroAccess trojans and Zbot spyware, just to name a few. Coincidentally, the operators were unresponsive in proportion to the sizeable volume of users being impacted by the sites, and the Hlux botnet partly was being controlled from those domains. At some point, they gathered too much attention. It is notable that there are only a dozen Darduk hits or so in the past 48 hours from .cu.cc and .co.cc domains, and most hits coming from subdomains of dyndns.info. Darduk hits are coming in from .name, .org, and others, but the steeper trends are popping up from .info. And .ms sites are serving up plenty of malicious nastiness, just not necessarily Blackhole exploit sites. Of course, we are monitoring these migrations of concentrated malicious web activity, and only time will tell if .info can be kept clean and other gTLDs will be more abused.
*Kurt Baumgartner is a Senior Security Researcher for the Global Research and Analysis Team at Kaspersky Lab.