Tuesday, December 11, 2012

List of Name Servers used by the Blackhole Exploit Kit (BHEK) v2 Password-Stealer Infector Bad Actors

We have recently been monitoring and analyzing the Cridex-based password-stealer Trojan
dropped by the Blackhole Exploit Kit (BHEK) v2, and ended up at the domains below,
used by this group, which are currently ACTIVE, UP and ALIVE and still infecting:
ganiopatia.ru
pelamutrika.ru
ganalionomka.ru
genevaonline.ru
podarunoki.ru
publicatorian.ru
pitoniamason.ru
dimarikanko.ru
aofngppahgor.ru ←[NEW!]
awoeionfpop.ru ←[NEW!]
aviaonlolsio.ru ←[NEW!]
As posted previously, these domains serve the Blackhole EK infection through many proxies (mostly TCP/8080), relying on a constant set of 14 name servers (DNS servers) at the IPs below:
IP               NETWORK                     Country
------------------------------------------------------------
62.76.178.233    Clodo-Cloud/IT House, Ltd   RU, St. Petersburg
41.168.5.140     NET41/ AfriNIC              MU
132.248.49.112   UnivNacional Autonoma de-   Mexico
209.51.221.247   ENETNAP/eNET Inc.           OH, US
62.76.177.104    Clodo-Cloud/IT House, Ltd   RU, St. Petersburg
110.164.58.250   TRIPLETNET-TH/BB ISP        Thailand
41.168.5.140     NET41/ AfriNIC              MU
209.51.221.247   ENETNAP/eNET Inc.           OH, US
62.76.189.72     Clodo-Cloud/IT House, Ltd   RU, St. Petersburg
163.10.12.83     AR-CEUN-LACNIC CESPI,UNLP   AR
216.99.149.226   Psychz Networks             CA, US
208.87.243.196   Psychz Networks             CA, US
203.146.208.180  IDC-CS Loxinfo              Thailand
74.117.61.66     Psychz Networks             CA, US
As you can see below, they mainly use NS servers at the following well-known networks:
US ISP services: Psychz Networks (CA) and eNET Inc. (Ohio); RU ISP: Clodo-Cloud/IT House, Ltd, St. Petersburg. *) The others are not significant services.

What's the Point?

So if we can get the services at the US and RU ISPs closed, these bad actors will be left with weaker DNS for spreading their infection. Please, someone help to inform the related ISPs/services in the US and St. Petersburg.
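One way to turn such lookups into a repeatable check, as an added example that is not part of the original post: the script below parses dig-style NS/A records (both layouts quoted in this post), finds the name-server IPs reused across domains, and counts how much of that pool sits at providers in the US and RU named above. The COUNTRY map is copied from the post's table; the sample lines are constructed from the post's own lookups.

```python
import re
from collections import defaultdict

# Matches both record layouts quoted in the post: "ns1.x.ru.  A  1.2.3.4" and the
# dig answer-section form "ns1.x.ru.  3599  IN  A  1.2.3.4".
RR = re.compile(r"^ns\d+\.([\w.-]+?)\.?\s+(?:\d+\s+IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})")

# IP -> country, copied from the post's name-server table (update IPs are absent).
COUNTRY = {"62.76.178.233": "RU", "62.76.177.104": "RU", "62.76.189.72": "RU",
           "41.168.5.140": "MU", "132.248.49.112": "MX", "209.51.221.247": "US",
           "110.164.58.250": "TH", "163.10.12.83": "AR", "216.99.149.226": "US",
           "208.87.243.196": "US", "203.146.208.180": "TH", "74.117.61.66": "US"}

# Constructed sample: a few lines taken from the lookups in this post.
SAMPLE = """\
ns1.ganiopatia.ru.   A  62.76.178.233
ns2.ganiopatia.ru.   A  41.168.5.140
ns4.ganiopatia.ru.   A  209.51.221.247
ns11.ganiopatia.ru.  A  216.99.149.226
ns1.aofngppahgor.ru.   A       62.76.189.72
ns11.aofngppahgor.ru.  A       216.99.149.226
ns1.bilainkos.ru.       3599    IN      A       62.76.186.24
ns10.bilainkos.ru.      60      IN      A       216.99.149.226
"""

def parse_ns_dump(text):
    """Return {domain: set(ns_ip)} from nsN.<domain> A records, ignoring other lines."""
    ns_by_domain = defaultdict(set)
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            ns_by_domain[m.group(1)].add(m.group(2))
    return dict(ns_by_domain)

def shared_ns_ips(ns_by_domain, min_domains=2):
    """IPs acting as NS for at least min_domains domains: the reused pool."""
    seen_in = defaultdict(int)
    for ips in ns_by_domain.values():
        for ip in ips:
            seen_in[ip] += 1
    return {ip for ip, n in seen_in.items() if n >= min_domains}

def takedown_coverage(ns_ips, countries):
    """(hit, total): how much of the NS pool is hosted in the given countries."""
    hit = [ip for ip in ns_ips if COUNTRY.get(ip, "??") in countries]
    return len(hit), len(ns_ips)
```

Feeding it a full set of lookups gives the same picture as the table: the shared pool is small, and the US and RU entries are the bulk of it.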

Proof of Concept

As the PoC of this, if you look up the NS records of each domain (e.g. with type=ANY), you'll see a dump of the NS servers used, as follows:

Update: evil DNS list as per the 2012, Dec 25 infection (name servers of bilainkos.ru)

#MalwareMUSTDie!