Attackers Hijacking Solid Domains

Wednesday, December 14, 2011 @ 02:12 PM gHale


Attackers are inserting new host names into the DNS records of existing, legitimate domains and using those sub-domains to piggyback on the parent sites' reputation and push counterfeit goods. The same sub-domains are also being used to serve exploits via the Black Hole Exploit Kit.

The attacks have been going on for a couple of months and, while they are fairly simple in theory, researchers are still having a difficult time figuring out how the attackers compromise the domains and gain the access to the DNS records that lets them add their own sub-domains.


Attackers have been able to alter the domain records of dozens of existing, legitimate sites, including local government agencies, small businesses, community banks and others and then insert new sub-domain names into the records.

So a new sub-domain might look like payday-loans.smalltownbank.com. The small bank will usually have built up a good reputation in the various blacklisting and reputation systems, and the attackers ride on top of that reputation to gain credibility in search-engine rankings. That means more users find the rogue sub-domains in search results and land on them, winding up on an order page for fake pills or shady personal loans instead of whatever they were searching for.

The SANS Internet Storm Center has been looking into the attacks and has identified dozens of affected domains poisoned with inserted sub-domains pushing fake pharmaceuticals, loans and other Internet spam staples.

It turns out that the attackers are not just using these fishy sub-domains to push their products; they are also using them to serve exploits, courtesy of the Black Hole Exploit Kit. The exploits served vary: some target vulnerabilities that are fairly new, others flaws that are months or years old.

“The domains affected have been abused for the past several days to push copies of the BlackHole Exploit Kit,” said Daniel Wesemann of the SANS ISC. “The IP range used changes about every three, four days:

188.247.135.37 in use until Dec 2, AS34714, Opticnet, Romania
146.185.245.72 in use until Dec 5, AS43215, Monyson Group, Russia
91.196.216.50 in use since Dec 6, AS43239, Spetsenergo, Russia

One of the many exploits launched by these sites is for the Java Vulnerability CVE-2011-3544.”
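The practical check a domain owner wants here is a way to spot sub-domains that were inserted without authorisation, as described above, and to match them against the indicator IPs quoted from the SANS ISC diary. The script below is an added example, not code from the original article or from SANS ISC. It compares a zone's current records against a baseline of records the administrator knowingly created, and flags any record that is new, that points outside the organisation's own address space, or that resolves to one of the three exploit-kit IPs listed above. The zone contents, the baseline, the domain smalltownbank.com and the 203.0.113.0/24 address block are constructed for illustration (the real zone would come from a zone transfer or DNS-provider export you are authorised to obtain).

```python
"""Flag rogue sub-domains inserted into a DNS zone.

Added example, not part of the original article or SANS ISC's tooling.
Zone data, baseline and address block below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Indicator IPs quoted in the article from the SANS ISC diary.
KNOWN_BAD_IPS = {"188.247.135.37", "146.185.245.72", "91.196.216.50"}

# Hypothetical: the organisation's own address space (TEST-NET-3, assumption).
APPROVED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed baseline: (name, type, rdata) tuples the administrator created.
BASELINE = {
    ("www.smalltownbank.com", "A", "203.0.113.10"),
    ("mail.smalltownbank.com", "A", "203.0.113.25"),
    ("smalltownbank.com", "MX", "mail.smalltownbank.com"),
}

# Constructed zone-file excerpt as it might look after the hijack described above.
CURRENT_ZONE_TEXT = """\
www.smalltownbank.com.          3600 IN A  203.0.113.10
mail.smalltownbank.com.         3600 IN A  203.0.113.25
smalltownbank.com.              3600 IN MX 10 mail.smalltownbank.com.
payday-loans.smalltownbank.com. 300  IN A  91.196.216.50   ; inserted by attacker
cheap-pills.smalltownbank.com.  300  IN A  198.51.100.77   ; inserted by attacker
"""


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_zone(text):
    """Parse simple 'name ttl class type rdata' lines; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, ttl, _cls, rtype, *rest = line.split()
        # For MX the last token is the target host; the preference is dropped.
        rdata = rest[-1].rstrip(".")
        records.append(Record(name.rstrip("."), int(ttl), rtype.upper(), rdata))
    return records


def audit_zone(records, baseline, approved_nets, bad_ips):
    """Return [(record, [reasons])] for every record that looks rogue."""
    findings = []
    for rec in records:
        reasons = []
        if (rec.name, rec.rtype, rec.rdata) not in baseline:
            reasons.append("not in baseline")
        if rec.rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rec.rdata)
            if rec.rdata in bad_ips:
                reasons.append("resolves to known exploit-kit IP")
            if not any(addr in net for net in approved_nets):
                reasons.append("outside approved address space")
        if reasons:
            findings.append((rec, reasons))
    return findings


def rogue_names(findings):
    """Just the host names, for feeding into takedown or blocklist workflows."""
    return [rec.name for rec, _ in findings]


if __name__ == "__main__":
    for rec, reasons in audit_zone(parse_zone(CURRENT_ZONE_TEXT),
                                   BASELINE, APPROVED_NETS, KNOWN_BAD_IPS):
        print(f"{rec.name} {rec.rtype} {rec.rdata} (ttl {rec.ttl}): "
              + "; ".join(reasons))
```

Run against the constructed zone, the two inserted names are reported and the three legitimate records are silent. Matching on the indicator IPs alone is fragile, since the diary notes the range changes every few days; the baseline comparison and the "outside our address space" test are the checks that keep working once those IPs rotate.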

That Java vulnerability was disclosed two months ago and is one of many Java flaws currently being exploited both in targeted attacks and in broader campaigns.


