Tuesday, December 11, 2012

List of Name Server used by Blackhole (BHEK) v2 using Password Stealer Infector Bad Actors

We recently monitoring and analyzing the Trojan Password Infector Cridex based
Dropped by the Blackhole Exploit Kit (BHEK) v2, and ending up to the below domains
used by this group, which are currently ACTIVE infecting, UP and ALIVE:
aofngppahgor.ru ←[NEW!]
awoeionfpop.ru ←[NEW!]
aviaonlolsio.ru ←[NEW!]
As per posted in some posts previously, these domains are serving infection using Blackhole EK using many proxies(mostly TCP/8080) - by using the costant 14 NameServer (DNS servers) as per below IP:
IP             NETWORK                    Country
---------------------------------------------------    Clodo-Cloud/IT House, Ltd   RU, St. Petersburg     NET41/ AfriNIC              MU   UnivNacional Autonoma de-   Mexico   ENETNAP/eNET Inc.           OH, US    Clodo-Cloud/IT House, Ltd   RU, St. Petersburg   TRIPLETNET-TH/BB ISP        Thailand     NET41/ AfriNIC              MU   ENETNAP/eNET Inc.           OH, US     Clodo-Cloud/IT House, Ltd   RU, St. Petersburg     AR-CEUN-LACNIC CESPI,UNLP   AR   Psychz Networks             CA, US   Psychz Networks             CA, US  IDC-CS Loxinfo              Thailand     Psychz Networks             CA, US
As you see below, mainly they use NS server at below wellknown network:
US, ISP Service: Psychz Networks (CA) & eNET Inc. (Ohio) RU ISP at Clodo-Cloud/IT House, Ltd St. Petersburg *) others are just not significant services

What's the Point?

So if we can close the service at US & RU ISP, these BadActors will have - a weaker DNS to spread their infection, please someone help to inform related - ISP/Service in US & St. Petersburg.

Proof of Concept

As the PoC of this concept,if you lookup the NS the each domains (i.e. by using type=ANY), you'll see dump of the used NS servers as per following:
ns1.aofngppahgor.ru.   A 
ns2.aofngppahgor.ru.   A
ns3.aofngppahgor.ru.   A
ns4.aofngppahgor.ru.   A
ns5.aofngppahgor.ru.   A
ns6.aofngppahgor.ru.   A
ns7.aofngppahgor.ru.   A
ns8.aofngppahgor.ru.   A
ns9.aofngppahgor.ru.   A
ns10.aofngppahgor.ru.  A
ns11.aofngppahgor.ru.  A
ns12.aofngppahgor.ru.  A
ns13.aofngppahgor.ru.  A
ns14.aofngppahgor.ru.  A

ns1.ganiopatia.ru.   A
ns2.ganiopatia.ru.   A
ns3.ganiopatia.ru.   A
ns4.ganiopatia.ru.   A
ns5.ganiopatia.ru.   A
ns6.ganiopatia.ru.   A
ns7.ganiopatia.ru.   A
ns8.ganiopatia.ru.   A
ns9.ganiopatia.ru.   A
ns10.ganiopatia.ru.  A
ns11.ganiopatia.ru.  A
ns12.ganiopatia.ru.  A
ns13.ganiopatia.ru.  A
ns14.ganiopatia.ru.  A

ns1.pelumutrika.ru   A
ns2.pelamutrika.ru   A 
ns3.pelamutrika.ru   A
ns4.pelamutrika.ru   A
ns5.pelamutrika.ru   A
ns6.pelamutrika.ru   A
ns7.pelamutrika.ru   A
ns8.pelamutrika.ru   A
ns9.pelamutrika.ru   A
ns10.pelamutrika.ru  A
ns11.pelamutrika.ru  A
ns12.pelamutrika.ru  A
ns13.pelamutrika.ru  A

ns1.ganalionomka.ru  A
ns2.ganalionomka.ru  A
ns3.ganalionomka.ru  A
ns4.ganalionomka.ru  A
ns5.ganalionomka.ru  A
ns6.ganalionomka.ru  A
ns7.ganalionomka.ru  A
ns8.ganalionomka.ru  A
ns9.ganalionomka.ru  A
ns10.ganalionomka.ru A
ns11.ganalionomka.ru A
ns12.ganalionomka.ru A
ns13.ganalionomka.ru A
ns14.ganalionomka.ru A

ns1.genevaonline.ru  A
ns2.genevaonline.ru  A
ns3.genevaonline.ru  A
ns4.genevaonline.ru  A
ns5.genevaonline.ru  A
ns6.genevaonline.ru  A
ns7.genevaonline.ru  A
ns8.genevaonline.ru  A
ns9.genevaonline.ru  A
ns10.genevaonline.ru A
ns11.genevaonline.ru A
ns12.genevaonline.ru A
ns13.genevaonline.ru A
ns14.genevaonline.ru A

ns1.podarunoki.ru    A
ns2.podarunoki.ru    A
ns3.podarunoki.ru    A
ns4.podarunoki.ru    A
ns5.podarunoki.ru    A
ns6.podarunoki.ru    A
ns7.podarunoki.ru    A
ns8.podarunoki.ru    A
ns9.podarunoki.ru    A
ns10.podarunoki.ru   A
ns11.podarunoki.ru   A
ns12.podarunoki.ru   A
ns13.podarunoki.ru   A
ns14.podarunoki.ru   A

ns1.publicatorian.ru   A
ns2.publicatorian.ru   A
ns3.publicatorian.ru   A
ns4.publicatorian.ru   A
ns5.publicatorian.ru   A
ns6.publicatorian.ru   A
ns7.publicatorian.ru   A
ns8.publicatorian.ru   A
ns9.publicatorian.ru   A
ns10.publicatorian.ru  A
ns11.publicatorian.ru  A
ns12.publicatorian.ru  A
ns13.publicatorian.ru  A
ns14.publicatorian.ru  A

ns1.pitoniamason.ru    A
ns2.pitoniamason.ru    A
ns3.pitoniamason.ru    A
ns4.pitoniamason.ru    A
ns5.pitoniamason.ru    A
ns6.pitoniamason.ru    A
ns7.pitoniamason.ru    A
ns8.pitoniamason.ru    A
ns9.pitoniamason.ru    A
ns10.pitoniamason.ru   A
ns11.pitoniamason.ru   A
ns12.pitoniamason.ru   A
ns13.pitoniamason.ru   A
ns14.pitoniamason.ru   A

ns1.dimarikanko.ru     A
ns2.dimarikanko.ru     A
ns3.dimarikanko.ru     A
ns4.dimarikanko.ru     A
ns5.dimarikanko.ru     A
ns6.dimarikanko.ru     A
ns7.dimarikanko.ru     A
ns8.dimarikanko.ru     A
ns9.dimarikanko.ru     A
ns10.dimarikanko.ru    A
ns11.dimarikanko.ru    A
ns12.dimarikanko.ru    A
ns13.dimarikanko.ru    A
ns14.dimarikanko.ru    A

Update Evil DNS List as per 2012, Dec 25 infection

ns1.bilainkos.ru.       3599    IN      A
ns2.bilainkos.ru.       3599    IN      A
ns3.bilainkos.ru.       3599    IN      A
ns4.bilainkos.ru.       3599    IN      A
ns5.bilainkos.ru.       60      IN      A
ns6.bilainkos.ru.       60      IN      A
ns7.bilainkos.ru.       60      IN      A
ns8.bilainkos.ru.       60      IN      A
ns9.bilainkos.ru.       60      IN      A
ns10.bilainkos.ru.      60      IN      A
ns11.bilainkos.ru.      60      IN      A
ns12.bilainkos.ru.      60      IN      A
ns13.bilainkos.ru.      60      IN      A