Tuesday, February 25, 2014

Tango Down: The takedown of 209,306 .IN.NET Nuclear Pack DGA domains

This post is a tribute to the hard-working individuals and professionals who made the impossible happen.

The Report

This is one result of a persistent collaboration between security researchers and the domain registration side, following the previous suspension effort against Nuclear Pack Exploit Kit domains (link). On behalf of the individuals and professionals involved in the process, we announce the suspension of 209,306 Nuclear Pack domains under the TLD ".IN.NET". This is the biggest Tango Down score in the history of MalwareMustDie.

For security reasons we cannot share many details about this matter yet, except that all of the domains were positively confirmed as part of the DGA scheme of this malicious infection toolkit, and that the preliminary investigation of their registration records had already turned up suspicious facts beforehand. The bad actor(s) were preparing these domains to serve malware; use of these domains is now blocked, and the currently spotted active domains have all been suspended.

We announce the tango news here to signal law enforcement and the authorities to start investigating the listed suspended domains, whose registration and usage data can serve as cyber crime evidence of a malware infection effort through software exploitation that abused .IN.NET internet domains en masse.

The full list of the DGA domains and the checking report are too long to paste in this post or in pastes (yet), but here is the link to the extracted DGA domains -->[here] < Thank you @jedisct1 and Gist!
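For defenders who pull that list, the practical follow-up is to check whether any host on their network ever queried one of the suspended domains. The script below is an added example, not part of the original post or of the published list: it loads a domain list (the sample entries and the BIND-style query log lines are constructed for the example, and the log format is an assumption), keeps only well-formed .in.net entries while reporting anything outside that scope, and matches each query name against the list, including subdomains of a listed domain.

```python
"""Match DNS query logs against a published list of suspended DGA domains."""
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample standing in for the published gist (NOT its real contents).
SUSPENDED_DOMAINS = """
# extracted DGA domains, one per line
QwErTy123.in.net.
abcdefgh.IN.NET
zzz-yyy.in.net
not-in-scope.example.com
"""


def load_domain_list(text: str) -> Tuple[Set[str], List[str]]:
    """Return (blocklist, rejected).

    Entries are lowercased and the trailing dot is stripped; comments and blank
    lines are skipped. Anything that is not a name under .in.net is reported
    rather than silently dropped, so a mixed or corrupted list is noticed.
    """
    blocklist: Set[str] = set()
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name = line.lower().rstrip(".")
        # require at least one label in front of "in.net"
        if name.endswith(".in.net") and name.count(".") >= 2:
            blocklist.add(name)
        else:
            rejected.append(name)
    return blocklist, rejected


def is_blocked(qname: str, blocklist: Set[str]) -> bool:
    """True if qname equals a listed domain or is a subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    # walk up the label chain: a.b.c.in.net -> b.c.in.net -> c.in.net -> in.net
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


# Constructed BIND-style query log lines; the format is assumed for the example.
SAMPLE_LOG = """\
25-Feb-2014 10:01:02.123 client 10.0.0.5#51234: query: qwerty123.in.net IN A + (10.0.0.1)
25-Feb-2014 10:01:03.456 client 10.0.0.7#51235: query: www.example.org IN A + (10.0.0.1)
25-Feb-2014 10:01:04.789 client 10.0.0.9#51236: query: cdn.abcdefgh.in.net IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


def find_hits(log_lines: Iterable[str], blocklist: Set[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, qname) for every logged query that hits the blocklist."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group("qname"), blocklist):
            hits.append((m.group("ip"), m.group("qname")))
    return hits


if __name__ == "__main__":
    bl, rej = load_domain_list(SUSPENDED_DOMAINS)
    print(f"{len(bl)} domains loaded, {len(rej)} rejected: {rej}")
    for ip, q in find_hits(SAMPLE_LOG.splitlines(), bl):
        print(f"HIT {ip} -> {q}")
```

A hit means a client resolved one of the domains, not that it was exploited; the value is in the client IP and timestamp, which point at the host and the time window to pull for web proxy logs and forensics. Because the DGA may register names the list does not yet contain, a second pass flagging any query under .in.net from a network that has no business there is a cheap complementary check.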

Good Work Credit

Special thanks for the great cooperation from the DOMAINS.IN.NET Team, what speedy and solid work! It is a very long list, but you checked it instantly and followed up with a swift suspension.
Special credit goes to our friend Mr. Frank Denis of OpenDNS for the DGA decoding and its report, to our Tango Department led by Mr. Sachin Raste of eScan, side by side with Mr. Conrad Longmore, Mr. Dhia Mahjoub of OpenDNS, and other managers from various entities whom we cannot all mention here, who are silently fighting this threat in a tough daily routine. Salud!

The process does not stop here. There will be more follow-ups.
