We have recently been monitoring and analyzing the Cridex password-stealing trojan dropped by the Blackhole Exploit Kit (BHEK) v2, and ended up at the domains below, used by this group, which are currently ACTIVE, UP and ALIVE and still infecting: #MalwareMUSTDie!

ganiopatia.ru
pelamutrika.ru
ganalionomka.ru
genevaonline.ru
podarunoki.ru
publicatorian.ru
pitoniamason.ru
dimarikanko.ru
aofngppahgor.ru ←[NEW!]
awoeionfpop.ru ←[NEW!]
aviaonlolsio.ru ←[NEW!]

As posted previously, these domains serve the infection via Blackhole EK through many proxies (mostly TCP/8080), and they all use the same constant set of 14 name servers (DNS servers) at the IPs below:

IP                NETWORK                               Country
-------------------------------------------------------------------------
62.76.178.233     Clodo-Cloud/IT House, Ltd             RU, St. Petersburg
41.168.5.140      NET41/AfriNIC                         MU
132.248.49.112    Univ Nacional Autonoma de Mexico      Mexico
209.51.221.247    ENETNAP/eNET Inc.                     OH, US
62.76.177.104     Clodo-Cloud/IT House, Ltd             RU, St. Petersburg
110.164.58.250    TRIPLETNET-TH/BB ISP                  Thailand
41.168.5.140      NET41/AfriNIC                         MU
209.51.221.247    ENETNAP/eNET Inc.                     OH, US
62.76.189.72      Clodo-Cloud/IT House, Ltd             RU, St. Petersburg
163.10.12.83      AR-CEUN-LACNIC CESPI, UNLP            AR
216.99.149.226    Psychz Networks                       CA, US
208.87.243.196    Psychz Networks                       CA, US
203.146.208.180   IDC-CS Loxinfo                        Thailand
74.117.61.66      Psychz Networks                       CA, US

As you can see, they mainly rely on NS servers hosted at the following well-known networks:

US ISPs: Psychz Networks (CA) and eNET Inc. (Ohio)
RU ISP: Clodo-Cloud/IT House, Ltd, St. Petersburg
*) the others are not significant services

What's the Point?
If the service at the US and RU ISPs can be shut down, these bad actors will be left with a much weaker DNS setup to spread their infection. Please, could someone help to inform the related ISPs/services in the US and in St. Petersburg.

Proof of Concept
As the PoC of this, if you look up the NS records of each domain (e.g. with a type=ANY query), you will see the dump of the name servers used, as follows:

ns1.aofngppahgor.ru. A 62.76.189.72
ns2.aofngppahgor.ru. A 62.76.177.104
ns3.aofngppahgor.ru. A 41.168.5.140
ns4.aofngppahgor.ru. A 209.51.221.247
ns5.aofngppahgor.ru. A 42.121.116.38
ns6.aofngppahgor.ru. A 110.164.58.250
ns7.aofngppahgor.ru. A 41.168.5.140
ns8.aofngppahgor.ru. A 209.51.221.247
ns9.aofngppahgor.ru. A 62.76.189.72
ns10.aofngppahgor.ru. A 163.10.12.83
ns11.aofngppahgor.ru. A 216.99.149.226
ns12.aofngppahgor.ru. A 208.87.243.196
ns13.aofngppahgor.ru. A 203.146.208.180
ns14.aofngppahgor.ru. A 74.117.61.66

ns1.ganiopatia.ru. A 62.76.178.233
ns2.ganiopatia.ru. A 41.168.5.140
ns3.ganiopatia.ru. A 132.248.49.112
ns4.ganiopatia.ru. A 209.51.221.247
ns5.ganiopatia.ru. A 62.76.177.104
ns6.ganiopatia.ru. A 110.164.58.250
ns7.ganiopatia.ru. A 41.168.5.140
ns8.ganiopatia.ru. A 209.51.221.247
ns9.ganiopatia.ru. A 62.76.189.72
ns10.ganiopatia.ru. A 163.10.12.83
ns11.ganiopatia.ru. A 216.99.149.226
ns12.ganiopatia.ru. A 208.87.243.196
ns13.ganiopatia.ru. A 203.146.208.180
ns14.ganiopatia.ru. A 74.117.61.66

ns1.pelumutrika.ru A 69.64.89.82
ns2.pelamutrika.ru A 41.168.5.140
ns3.pelamutrika.ru A 132.248.49.112
ns4.pelamutrika.ru A 209.51.221.247
ns5.pelamutrika.ru A 208.87.243.196
ns6.pelamutrika.ru A 216.99.149.226
ns7.pelamutrika.ru A 41.168.5.140
ns8.pelamutrika.ru A 209.51.221.247
ns9.pelamutrika.ru A 62.76.189.72
ns10.pelamutrika.ru A 163.10.12.83
ns11.pelamutrika.ru A 216.99.149.226
ns12.pelamutrika.ru A 208.87.243.196
ns13.pelamutrika.ru A 203.146.208.180

ns1.ganalionomka.ru A 62.76.178.233
ns2.ganalionomka.ru A 41.168.5.140
ns3.ganalionomka.ru A 132.248.49.112
ns4.ganalionomka.ru A 209.51.221.247
ns5.ganalionomka.ru A 62.76.177.104
ns6.ganalionomka.ru A 110.164.58.250
ns7.ganalionomka.ru A 41.168.5.140
ns8.ganalionomka.ru A 209.51.221.247
ns9.ganalionomka.ru A 62.76.189.72
ns10.ganalionomka.ru A 163.10.12.83
ns11.ganalionomka.ru A 216.99.149.226
ns12.ganalionomka.ru A 208.87.243.196
ns13.ganalionomka.ru A 203.146.208.180
ns14.ganalionomka.ru A 74.117.61.66

ns1.genevaonline.ru A 62.76.178.233
ns2.genevaonline.ru A 41.168.5.140
ns3.genevaonline.ru A 132.248.49.112
ns4.genevaonline.ru A 209.51.221.247
ns5.genevaonline.ru A 62.76.177.104
ns6.genevaonline.ru A 110.164.58.250
ns7.genevaonline.ru A 41.168.5.140
ns8.genevaonline.ru A 209.51.221.247
ns9.genevaonline.ru A 62.76.189.72
ns10.genevaonline.ru A 163.10.12.83
ns11.genevaonline.ru A 216.99.149.226
ns12.genevaonline.ru A 208.87.243.196
ns13.genevaonline.ru A 203.146.208.180
ns14.genevaonline.ru A 74.117.61.66

ns1.podarunoki.ru A 62.76.178.233
ns2.podarunoki.ru A 41.168.5.140
ns3.podarunoki.ru A 132.248.49.112
ns4.podarunoki.ru A 209.51.221.247
ns5.podarunoki.ru A 62.76.177.104
ns6.podarunoki.ru A 110.164.58.250
ns7.podarunoki.ru A 41.168.5.140
ns8.podarunoki.ru A 209.51.221.247
ns9.podarunoki.ru A 62.76.189.72
ns10.podarunoki.ru A 163.10.12.83
ns11.podarunoki.ru A 216.99.149.226
ns12.podarunoki.ru A 208.87.243.196
ns13.podarunoki.ru A 203.146.208.180
ns14.podarunoki.ru A 74.117.61.66

ns1.publicatorian.ru A 62.76.189.72 69.64.89.82
ns2.publicatorian.ru A 41.168.5.140
ns3.publicatorian.ru A 132.248.49.112
ns4.publicatorian.ru A 209.51.221.247
ns5.publicatorian.ru A 208.87.243.196
ns6.publicatorian.ru A 216.99.149.226
ns7.publicatorian.ru A 41.168.5.140
ns8.publicatorian.ru A 209.51.221.247
ns9.publicatorian.ru A 62.76.189.72
ns10.publicatorian.ru A 163.10.12.83
ns11.publicatorian.ru A 216.99.149.226
ns12.publicatorian.ru A 208.87.243.196
ns13.publicatorian.ru A 203.146.208.180
ns14.publicatorian.ru A 74.117.61.66

ns1.pitoniamason.ru A 62.76.189.72
ns2.pitoniamason.ru A 41.168.5.140
ns3.pitoniamason.ru A 132.248.49.112
ns4.pitoniamason.ru A 209.51.221.247
ns5.pitoniamason.ru A 208.87.243.196
ns6.pitoniamason.ru A 216.99.149.226
ns7.pitoniamason.ru A 41.168.5.140
ns8.pitoniamason.ru A 209.51.221.247
ns9.pitoniamason.ru A 62.76.189.72
ns10.pitoniamason.ru A 163.10.12.83
ns11.pitoniamason.ru A 216.99.149.226
ns12.pitoniamason.ru A 208.87.243.196
ns13.pitoniamason.ru A 203.146.208.180
ns14.pitoniamason.ru A 74.117.61.66

ns1.dimarikanko.ru A 62.76.178.233
ns2.dimarikanko.ru A 41.168.5.140
ns3.dimarikanko.ru A 132.248.49.112
ns4.dimarikanko.ru A 209.51.221.247
ns5.dimarikanko.ru A 62.76.177.104
ns6.dimarikanko.ru A 110.164.58.250
ns7.dimarikanko.ru A 41.168.5.140
ns8.dimarikanko.ru A 209.51.221.247
ns9.dimarikanko.ru A 62.76.189.72
ns10.dimarikanko.ru A 163.10.12.83
ns11.dimarikanko.ru A 216.99.149.226
ns12.dimarikanko.ru A 208.87.243.196
ns13.dimarikanko.ru A 203.146.208.180
ns14.dimarikanko.ru A 74.117.61.66

Tweet embedded in the post:

"#MalwareMustDie - #Tips: Easy Way to Check Spam linked bad URL was cases of BHEK exposed in MMD/not: pastebin.com/raw.php?i=q1NF… Cc: @tdotwhitehat"
— Malware Crusaders (@MalwareMustDie), December 14, 2012

Update: Evil DNS list as per the 2012 Dec 25 infection
ns1.bilainkos.ru. 3599 IN A 62.76.186.24
ns2.bilainkos.ru. 3599 IN A 110.164.58.250
ns3.bilainkos.ru. 3599 IN A 42.121.116.38
ns4.bilainkos.ru. 3599 IN A 41.168.5.140
ns5.bilainkos.ru. 60 IN A 110.164.58.250
ns6.bilainkos.ru. 60 IN A 41.168.5.140
ns7.bilainkos.ru. 60 IN A 62.76.186.24
ns8.bilainkos.ru. 60 IN A 209.51.221.247
ns9.bilainkos.ru. 60 IN A 163.10.12.83
ns10.bilainkos.ru. 60 IN A 216.99.149.226
ns11.bilainkos.ru. 60 IN A 208.87.243.196
ns12.bilainkos.ru. 60 IN A 203.146.208.180
ns13.bilainkos.ru. 60 IN A 74.117.61.66
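The defensive use of the two dumps above (the Dec 14 PoC and the Dec 25 update) is the infrastructure pivot: the same handful of NS addresses is reused across every domain, so a newly seen domain whose name servers sit on those addresses is very likely part of the same campaign. The script below is an added example, not code from the MalwareMustDie post; it parses A records in both layouts the post shows ("name. A ip" and "name. ttl IN A ip"), counts how many domains each NS address serves, and flags domains whose NS addresses overlap the known set. The sample records are a handful copied from the post plus one constructed NS line to show that non-A records are skipped; KNOWN_BAD_NS_IPS is the post's 14-entry list with the duplicates removed; the function names are my own.

```python
"""Pivot on shared name-server addresses across suspected exploit-kit domains.

Added example (not from the original post). Parses dig-style A records,
indexes NS addresses by the domains that use them, and flags domains
whose NS addresses overlap a known-bad set.
"""
import re
from collections import defaultdict, namedtuple

# The post's 14 NS entries, de-duplicated to 12 unique addresses.
KNOWN_BAD_NS_IPS = {
    "62.76.178.233", "41.168.5.140", "132.248.49.112", "209.51.221.247",
    "62.76.177.104", "110.164.58.250", "62.76.189.72", "163.10.12.83",
    "216.99.149.226", "208.87.243.196", "203.146.208.180", "74.117.61.66",
}

# Constructed sample: records copied from the post's two layouts, one line
# carrying two addresses exactly as the post shows it, plus a constructed
# NS record that the parser must ignore.
SAMPLE_RECORDS = """
ganiopatia.ru. 3599 IN NS ns1.ganiopatia.ru.
ns1.ganiopatia.ru. A 62.76.178.233
ns2.ganiopatia.ru. A 41.168.5.140
ns4.ganiopatia.ru. A 209.51.221.247
ns11.ganiopatia.ru. A 216.99.149.226
ns1.podarunoki.ru A 62.76.178.233
ns2.podarunoki.ru A 41.168.5.140
ns4.podarunoki.ru A 209.51.221.247
ns11.podarunoki.ru A 216.99.149.226
ns1.publicatorian.ru A 62.76.189.72 69.64.89.82
ns1.bilainkos.ru. 3599 IN A 62.76.186.24
ns4.bilainkos.ru. 3599 IN A 41.168.5.140
ns8.bilainkos.ru. 60 IN A 209.51.221.247
ns10.bilainkos.ru. 60 IN A 216.99.149.226
"""

# Matches "<name>[.] [<ttl> IN ]A <ip>[ <ip>...]"; anything else is not an A record.
RECORD_RE = re.compile(
    r"^(?P<name>\S+?)\.?\s+(?:(?P<ttl>\d+)\s+IN\s+)?A\s+"
    r"(?P<ips>\d{1,3}(?:\.\d{1,3}){3}(?:\s+\d{1,3}(?:\.\d{1,3}){3})*)$"
)

NsRecord = namedtuple("NsRecord", "name domain ttl ip")


def parse_records(text):
    """Return one NsRecord per (name, address) pair found in the dump."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank line or a non-A record (e.g. NS/SOA)
        name = m.group("name").rstrip(".")
        domain = ".".join(name.split(".")[-2:])  # registered domain under .ru
        ttl = int(m.group("ttl")) if m.group("ttl") else None
        for ip in m.group("ips").split():  # a line may carry several addresses
            records.append(NsRecord(name, domain, ttl, ip))
    return records


def ip_to_domains(records):
    """Index NS address -> set of domains served from it."""
    index = defaultdict(set)
    for rec in records:
        index[rec.ip].add(rec.domain)
    return index


def shared_ips(records, min_domains=2):
    """NS addresses reused by at least min_domains domains, busiest first."""
    index = ip_to_domains(records)
    hits = [(ip, len(doms)) for ip, doms in index.items() if len(doms) >= min_domains]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def domains_on_known_ns(records, known_ips, min_overlap=3):
    """Domains whose NS addresses overlap the known-bad set by min_overlap or more."""
    per_domain = defaultdict(set)
    for rec in records:
        per_domain[rec.domain].add(rec.ip)
    return sorted(d for d, ips in per_domain.items() if len(ips & known_ips) >= min_overlap)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for ip, n in shared_ips(recs):
        print(f"{ip:16} serves {n} domains")
    print("domains on known-bad NS:", domains_on_known_ns(recs, KNOWN_BAD_NS_IPS))
```

With the sample, bilainkos.ru from the Dec 25 update is flagged from the Dec 14 address set alone because three of its four sampled NS addresses are already known, which is the point of pivoting on NS addresses rather than on domain names. Raising min_overlap trades recall for precision; a single shared address (such as a large shared hosting resolver) should not be enough on its own.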