Sponsored by..

Showing posts with label Dynamic DNS. Show all posts
Showing posts with label Dynamic DNS. Show all posts

Friday, 24 July 2015

Evil network: Malicious RATs (including milano.exe) on 185.19.85.128/26 (Datawire AG)

There's more to this spam than meets the eye:

From:    wholesale.uganda@anisuma.com
To:    "tariq@paramountdistributors.com" [wholesale.uganda@anisuma.com]
Date:    24 July 2015 at 13:31
Subject:    re:invoice

Attention
Please confirm your consignee name and address on the BL
http://a.pomf.se/cvpkgu.rar
please let update me
thanks 
"Anisuma Traders" is the name of a legitimate trading corporation with operations in several African countries, although they are not sending the spam. It looks like a phish, right? Wrong..

The apparent link to a .rar file caught my eye. In fact, the download location is not pomf.se (a defunct Swedish site) but the click chain goes like this:

http://ge.tt/api/1/files/1XjW10L2/0/blob?download
http://api.ge.tt/1/files/1XjW10L2/0/blob?download
http://ec2-54-155-123-115.eu-west-1.compute.amazonaws.com:9009/streams/1XjW10L2/stu.rar?sig=-U7AIHwQKNyk4BP6A2uOe9UYEFBYCm3SADo&type=download

The file downloaded is stu.rar which in turn contains an executable milano.exe. I'm going to take a guess and suggest that this is a Very Bad File, although the VirusTotal report give a detection rate of just 1/55 with McAfee flagging it as "BehavesLike.Win32.BackdoorNJRat.gc"

Both the Malwr and Hybrid Analysis reports show that it hooks into the OS and attempts to avoid detection. Crucially, they both show network traffic to gee.duia.eu on 185.19.85.138 (Datawire, Switzerland).

So, McAfee thinks this is a RAT and there's suspect network traffic, but what do the email headers tell us?
Received: from mail.anisuma.com (mail.jackys.com [83.111.201.118])
    (using TLSv1 with cipher AES128-SHA (128/128 bits))
    (No client certificate requested)
    by [redacted] (Postfix) with ESMTPS id A8CE2AF548
    for [redacted]; Fri, 24 Jul 2015 12:32:29 +0000 (UTC)
Received: from [10.85.138.34] by mail.jackys.com (Cipher TLSv1:-SHA:128) (MDaemon PRO v12.5.3)
    with ESMTP id md50009556350.msg
    for [redacted]; Fri, 24 Jul 2015 16:33:59 +0400
X-Spam-Processed: mail.jackys.com, Fri, 24 Jul 2015 16:33:59 +0400
    (not processed: message from trusted or authenticated source)
X-MDRemoteIP: 185.19.85.138
X-Return-Path: prvs=164718a849=wholesale.uganda@anisuma.com
X-Envelope-From: wholesale.uganda@anisuma.com
X-MDaemon-Deliver-To: [redacted]
Content-Type: multipart/alternative; boundary="===============0415218432=="
MIME-Version: 1.0
Subject: re:invoice
To: "tariq@paramountdistributors.com" <wholesale.uganda@anisuma.com>
From: wholesale.uganda@anisuma.com
Date: Fri, 24 Jul 2015 13:31:09 +0100
The "X-MDRemoteIP" header shows that the email originates from the same server it is phoning home to. This is unusual because most spam these days come from botnets, and if the originating server gets shut down for spam then the infected clients won't be able to phone home. The email routes through servers belong to jackys.com in the UAE, perhaps indicating that someone has altered their systems to allow the malicious traffic to route through.

185.19.85.138 is therefore a server of interest, but a quick look at the IP and the neighbourhood indicate that this isn't just a single popped server.. there are 58 IPs hosting what appears to be malicious data (listed at the end) taking up the entire 185.19.85.128/26 range.

I'm betting that renting a /26 slice of Swiss servers isn't cheap.

Out of all the malicious domains (listed at the end of the post), one stands out boss.milano22.com (because the binary is named milano.exe). That is related to this malware, but the WHOIS details reveal no clues.

Another one that also caught my eye because it is multihomed on so many IPs is zexio.no-ip.biz which is related to this malware from 2012 which is variously identified as Shakblades and/or Blackshades, both illicit RAT tools.

Looking at various other domains shows that they are connected with other malicious activity over the past two years or so. What that means is that this operation is not only big, but has been going on for some time.

For research purposes, a copy of the malware is here (Zip file, password=infected)

Personally, I would recommend that you block all dynamic DNS domains on a corporate network, and combined with the other potentially malicious domains gives the following recommended blocklist:

185.19.85.128/26
a5b4c3d2e1.com
3utilities.com
blogsyte.com
brasilia.me
chickenkiller.com
craftx.biz
ddns.me
ddns.net
dnsiskinky.com
duia.eu
dvrcam.info
eating-organic.net
game-server.cc
game-host.org
geekgalaxy.com
gotdns.com
homeip.net
isa-geek.net
glory297.org
hopto.org
linkpc.net
milano22.com
minecraftnoob.com
mlbfan.org
no-ip.biz
no-ip.info
no-ip.org
noip.me
noip.us
redirectme.net
serveblog.net
serveftp.com
sytes.net
zapto.org
zicoyanky.pw

Malicious IPs:
185.19.85.133
185.19.85.134
185.19.85.135
185.19.85.136
185.19.85.137
185.19.85.138
185.19.85.139
185.19.85.140
185.19.85.141
185.19.85.142
185.19.85.143
185.19.85.144
185.19.85.145
185.19.85.146
185.19.85.147
185.19.85.148
185.19.85.149
185.19.85.150
185.19.85.151
185.19.85.152
185.19.85.153
185.19.85.154
185.19.85.155
185.19.85.156
185.19.85.157
185.19.85.158
185.19.85.159
185.19.85.160
185.19.85.161
185.19.85.162
185.19.85.163
185.19.85.164
185.19.85.165
185.19.85.166
185.19.85.167
185.19.85.168
185.19.85.169
185.19.85.170
185.19.85.171
185.19.85.172
185.19.85.173
185.19.85.174
185.19.85.175
185.19.85.176
185.19.85.177
185.19.85.178
185.19.85.179
185.19.85.180
185.19.85.181
185.19.85.182
185.19.85.183
185.19.85.184
185.19.85.185
185.19.85.186
185.19.85.187
185.19.85.188
185.19.85.189
185.19.85.190

Malicious domains:
fort.ugo10.minecraftnoob.com
mtxcg.craftx.biz
6306921.no-ip.biz
1mathieucg.no-ip.biz
artengo.no-ip.biz
asawakath.no-ip.biz
asrxxx.no-ip.biz
bluemountain55.no-ip.biz
bluntmosphere.no-ip.biz
businessdb04.no-ip.biz
charssi693.no-ip.biz
chobitsshocks.no-ip.biz
daniel123k.no-ip.biz
debug.no-ip.biz
divin32.no-ip.biz
donkriss101.no-ip.biz
draynet1.no-ip.biz
fatal889321.no-ip.biz
freebandz.no-ip.biz
freeyou2014.no-ip.biz
gptman5.no-ip.biz
gptmanster5.no-ip.biz
ian1954.no-ip.biz
icediamant.no-ip.biz
ikemello.no-ip.biz
infosearch898.no-ip.biz
itisnotreal.no-ip.biz
jskvikel.no-ip.biz
kobsrat.no-ip.biz
lizzykane.no-ip.biz
lolwot.no-ip.biz
maicol.no-ip.biz
michael8776.no-ip.biz
miker790.no-ip.biz
milano22.no-ip.biz
mortexmutex.no-ip.biz
natilexx.no-ip.biz
nonysa.no-ip.biz
oezeokobe1.no-ip.biz
oneprouddad.no-ip.biz
rumberocalle.no-ip.biz
serenity786.no-ip.biz
sm3351.no-ip.biz
sslcertificates.no-ip.biz
stroperjilles.no-ip.biz
update28459.no-ip.biz
uzolion.no-ip.biz
windowsupdate995.no-ip.biz
wizard2002.no-ip.biz
wowyougotme.no-ip.biz
wuwksterboss.no-ip.biz
zexio.no-ip.biz
new.game-server.cc
nnicrosoft.3utilities.com
obinnabio.blogsyte.com
joeban.chickenkiller.com
ceedata.dnsiskinky.com
bio4kobs.geekgalaxy.com
kan3.gotdns.com
boss.milano22.com
microsoftcorp.serveftp.com
shadybiodata.dvrcam.info
izimother.no-ip.info
lopta10.no-ip.info
nzvat.no-ip.info
test13.no-ip.info
biodataczar.brasilia.me
streetdesciple.ddns.me
austinrat.noip.me
marct2702.noip.me
bigtoby35.ddns.net
businessdb00.ddns.net
layziebone009.ddns.net
mikey0147.ddns.net
cagbbio.eating-organic.net
new.homeip.net
pcuser.homeip.net
updated.homeip.net
spynet.homelinux.net
microdude.isa-geek.net
akconsult.linkpc.net
enitan.linkpc.net
server23.redirectme.net
serialcheck55.serveblog.net
obasanjo.sytes.net
sadsix.sytes.net
window.sytes.net
internet.game-host.org
coza.glory297.org
makingpay.hopto.org
tudorsdetails.mlbfan.org
ayool.no-ip.org
ayool1.no-ip.org
ayool2.no-ip.org
beastyyou.no-ip.org
business11.no-ip.org
chuks052.no-ip.org
cryptoesel.no-ip.org
dextercom.no-ip.org
divin32.no-ip.org
doingit108.no-ip.org
fazbar2013.no-ip.org
frankspecht.no-ip.org
immo506.no-ip.org
immo886.no-ip.org
jackro.no-ip.org
lizzykane.no-ip.org
micheal4fingax-07.no-ip.org
milano99.no-ip.org
morechedder.no-ip.org
mywaylife.no-ip.org
orangeroom.no-ip.org
papakamsi4moni7.no-ip.org
spongebob30.no-ip.org
ukon.no-ip.org
win7test.no-ip.org
zenithsales.no-ip.org
0tazbox.zapto.org
bellwiz2.zapto.org
bluemountain.zapto.org
bluemountain66.zapto.org
client.zapto.org
hessu.zapto.org
hessubs.zapto.org
izilife.zapto.org
sadsix.zapto.org
tazbox.zapto.org
tinubu.zapto.org
win7test.zapto.org
x631.zapto.org
xecuter.zapto.org
xecuter2.zapto.org
www.zicoyanky.pw
twitch.noip.us
a5b4c3d2e1.com
gee.duia.eu

Monday, 30 June 2014

Several no-ip.com domains seized by Microsoft

It appears that the nameservers for the following dynamic DNS domains belonging to no-ip.com may have been seized by Microsoft as the namesevers are pointing to NS7.MICROSOFTINTERNETSAFETY.NET and NS8.MICROSOFTINTERNETSAFETY.NET

3utilities.com
bounceme.net
hopto.org
myftp.biz
myftp.org
myvnc.com
no-ip.biz
no-ip.info
noip.me
no-ip.org
redirectme.net
servebeer.com
serveblog.net
servecounterstrike.com
serveftp.com
servegame.com
servehalflife.com
servehttp.com
servemp3.com
servepics.com
servequake.com
sytes.net
zapto.org

This seems to have had the effect of taking down any sites using these dynamic DNS services. This will probably impact a lot of things like webcams, home security systems, personal VPNs any anything else that uses these domains.

Usually this happens when Microsoft gets a court order prior to legal proceedings. Now, although these domains are widely abused it is not no-ip.com themselves doing the abusing. I do recommend that businesses block access to dynamic DNS sites because of the high level of abuse, but I do feel that it something that network administrators should choose for themselves.

UPDATE 1:  Microsoft's statements on the takedowns is here along with details of an accompanying lawsuit targeting Mohamed Benabdellah, Naser Al Mutairi and  Vitalwerks Internet Solutions LLC (who operate no-ip.com).

UPDATE 2:  The Nevada lawsuit mentioned above also includes some domains that I have added in italics. Also, the domain noip.me has been seized which is specifically excluded from the Nevada lawsuit, which indicates that legal action has also been taken in Montenegro which indicates just how pissed-off Microsoft are.

Tuesday, 12 November 2013

Dynamic DNS sites you might want to block, 12/11/13

These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is abuse by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following.

Dyn are pretty good at dealing with abuse complaints (you can contact them here). Blocking these domains will block some legitimate sites, primarily webcams and access to home PCs.. so bear this in mind if you choose to do so.

Sites below listed in yellow  have been identified as having some malware by Google, ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL. The links go to the Google diagnostic page.

at-band-camp.net
barrel-of-knowledge.info
barrell-of-knowledge.info
besteverydns.com
better-than.tv
bitferret.com
bitferret.net
bitferret.org
blogdns.com
blogdns.net
blogdns.org
blogsite.org
boldlygoingnowhere.org
broke-it.net

buyshouses.net
cechire.com
certaindns.com
certaindns.net
certaindns.org
damnserver.org
ddns-example-1.com
ddns-example-2.com
ddns-example-3.com
depower2go.com
dinedns.com
dinedns.net
dinedns.org
dns-gateway.net
dnsalias.com
dnsalias.net
dnsalias.org

dnscog.org
dnsdojo.com
dnsdojo.net
dnsdojo.org
dnsforall.net
dnsforall.org
dnsinc.org
dnssettings.com
dnssettings.info
dnssettings.net
dnssettings.org
dnssetup.info
does-it.net
doesntexist.com
doesntexist.org
dontexist.com
dontexist.net
dontexist.org
doomdns.com
doomdns.org
dvrdns.org
dyn-o-saur.com
dynalias.com
dynalias.net
dynalias.org

dynamic-dns-server.org
dynathome.net
dyndn.org
dyndns.biz

dyndns.cn
dyndns.info
dyndns.tv
dyndns.ws

dynds.org
dyndsn.net
dyndsn.org
editdns.net
edudns.org
est-a-la-maison.com
est-a-la-masion.com
est-le-patron.com
est-mon-blogueur.com
everydns.com
everydns.net
for-better.biz
for-more.biz
for-our.info
for-some.biz
for-the.biz
from-ak.com
from-al.com
from-ar.com

from-az.net
from-ca.com
from-co.net
from-ct.com
from-dc.com
from-de.com
from-fl.com
from-ga.com
from-hi.com

from-ia.com
from-id.com
from-il.com
from-in.com
from-ks.com

from-ky.com
from-la.net
from-ma.com
from-md.com
from-me.org
from-mi.com
from-mn.com
from-mo.com

from-ms.com
from-mt.com
from-nc.com
from-nd.com
from-ne.com
from-nh.com
from-nj.com
from-nm.com
from-nv.com

from-ny.net
from-oh.com
from-ok.com
from-or.com
from-pa.com
from-pr.com
from-ri.com
from-sc.com
from-sd.com
from-tn.com
from-tx.com
from-ut.com
from-va.com
from-vt.com
from-wa.com
from-wi.com
from-wv.com
from-wy.com
ftpaccess.cc
fuettertdasnetz.de
game-host.org
game-server.cc
getmyip.com
gets-it.net
gotdns.co.uk
gotdns.com
gotdns.org
groks-the.info
groks-this.info
guilded.org
ham-radio-op.net
here-for-more.info
hobby-site.com

hobby-site.org
homedns.org
homeftp.net
homeftp.org
homeip.net
homelinux.com
homelinux.net
homelinux.org
homeunix.com
homeunix.net
homeunix.org

in-the-band.net
invaliddns.com
ipupdate.org
is-a-anarchist.com
is-a-blogger.com
is-a-bookkeeper.com

is-a-bruinsfan.org
is-a-candidate.org
is-a-caterer.com
is-a-celticsfan.org
is-a-chef.com
is-a-chef.net

is-a-chef.org
is-a-conservative.com
is-a-cpa.com
is-a-cubicle-slave.com
is-a-democrat.com
is-a-designer.com
is-a-doctor.com

is-a-financialadvisor.com
is-a-geek.com
is-a-geek.net
is-a-geek.org

is-a-green.com
is-a-guru.com
is-a-hard-worker.com
is-a-hunter.com
is-a-knight.org

is-a-landscaper.com
is-a-lawyer.com
is-a-liberal.com
is-a-libertarian.com
is-a-linux-user.org
is-a-llama.com
is-a-musician.com
is-a-nascarfan.com
is-a-nurse.com
is-a-painter.com
is-a-patsfan.org
is-a-personaltrainer.com
is-a-photographer.com
is-a-player.com
is-a-republican.com
is-a-rockstar.com
is-a-socialist.com
is-a-soxfan.org
is-a-student.com

is-a-teacher.com
is-a-techie.com
is-a-therapist.com
is-an-accountant.com
is-an-actor.com

is-an-actress.com
is-an-anarchist.com
is-an-artist.com
is-an-engineer.com
is-an-entertainer.com
is-by.us
is-certified.com
is-found.org
is-gone.com
is-into-anime.com
is-into-cars.com
is-into-cartoons.com
is-into-games.com
is-leet.com
is-lost.org
is-not-certified.com
is-saved.org
is-slick.com
is-uberleet.com
is-very-bad.org
is-very-evil.org
is-very-good.org
is-very-nice.org
is-very-sweet.org
is-with-theband.com
isa-geek.com
isa-geek.net
isa-geek.org
isa-hockeynut.com
issmarterthanyou.com
isteingeek.de
istmein.de
it-geek.net
kicks-ass.net
kicks-ass.org
knowsitall.info
land-4-sale.us
lebtimnetz.de
leitungsen.de
likes-pie.com
likescandy.com
listhop.com
listhop.net
listhop.org
merseine.nu
mine.nu
misconfused.org
mydyndns.biz
mydyndns.com
mydyndns.info
mydyndns.net
mydyndns.org
mypets.ws
myphotos.cc
neat-url.com
no-ip.tv
office-on-the.net
on-the-web.tv
podzone.net
podzone.org
readmyblog.org
revyxorp.com
saves-the-whales.com
scrapper-site.net
scrapping.cc
scriptkiddie.net
sec-dns.net
secondary.net
selfip.biz
selfip.com
selfip.info
selfip.net
selfip.org
sells-for-less.com
sells-for-u.com
sells-it.net
sellsyourhome.org
servebbs.com
servebbs.net
servebbs.org
serveftp.net
serveftp.org
servegame.org
shacknet.nu
simple-url.com
smallbizdns.com
smallbizdns.net
smallbizdns.org
space-to-rent.com
stuff-4-sale.org
stuff-4-sale.us
teaches-yoga.com
thruhere.net
tomdaly.org
traeumtgerade.de
webhop.biz
webhop.info
webhop.net
webhop.org
worse-than.tv
writesthisblog.com


Monday, 17 June 2013

Something evil on 85.214.64.153

85.214.64.153 is an IP belonging to Strato AG in Germany, it appears to host some legitimate sites but the server seems to be serving up the Neutrino exploit kit (example) which is being injected into hacked websites (specifically, malicious code is being appended to legitimate .js files on those site).

The follow Dynamic DNS domains are being abused in this attack, while they are not malicious in themselves they are abused so often that I would recommend blocking them anway:
dontexist.com
dvrdns.org
dynalias.org
gotdns.com
gotdns.org
gotdns.com
homeftp.net
mine.nu
podzone.net
selfip.biz
webhop.org

These sites appear to be legitimate, I cannot vouch for them being clean or not:
drachenschutzverein.de
rollenbeck.de
rollenbeck.eu
thefinalcut.eu
thefirstcut.de
triton-world.de

These sites are mostly flagged as malicious by Google, you can see some indicators of badness here and here:
004d28e2d38895c1245cab9b.dynalias.org
02b2b43ea1ba9bb9e72d3a69.selfip.biz
04e9e737a91bd31be2668861.mine.nu
08af1b8d55e2ba1f62732d85.gotdns.com
08ed70ff228cfd034f170d5a.mine.nu
0a935f252dd7c6a97658c956.dynalias.org
0c36d49d8ec82656db219bb5.dontexist.com
0ce19c234b42bfc3f5ae92cd.mine.nu
0ce54ec3d86cf07f5ac4640d.dontexist.com
101357ada1366203f8f3410e.podzone.net
10ffeb808d1a476d6ee06d2b.dontexist.com
11ec862e5fb9ec0762af7600.dynalias.org
128d4a163a90f543c259b1e5.mine.nu
1603db959a32f7b6f070e7b1.dontexist.com
166bb7f29be512bfc5d4c949.podzone.net
16b8286aab3437edeb846cf9.gotdns.com
17323cb4c3ff8ed8cbb0cf27.dvrdns.org
19329577e3905949b51c567c.dynalias.org
19941643733a38ef578bf12e.gotdns.org
1d26ff47b5aadad2d755979a.dvrdns.org
1d3beb9da9c09a58399e1d43.homeftp.net
1d946845b43b656d8f981e66.dynalias.org
1db064c3643e8c7cb6f89b54.gotdns.com
1f68faa21ae717bdda0536dc.dontexist.com
22c4daf753a7da024bf8b24e.mine.nu
250f1e3f1a2940aa4255deb5.dynalias.org
28d23e8ed4a6dfee2643ffce.dynalias.org
2e671f830928f031ff49f94c.dontexist.com
304ef8935293491f8259aebf.podzone.net
33409d12ccd5f348eb9e1d33.dontexist.com
33ab845252f3569c05a5ac70.dynalias.org
36a42ceaeee91822ecd84d1f.dynalias.org
37a9618442c3bd213d4877e2.gotdns.com
3896ca0bf37e183b734a6632.gotdns.org
3a009cd88f47dbd55a51ca0a.webhop.org
3b22c29409273c2ba45019e4.mine.nu
3cb79af7f0615a1eb638fd11.webhop.org
3e54c514284b705b4a6d8386.dynalias.org
3e91663455c489443d2ba75d.gotdns.com
3f80c8356bec83904a0a4b82.mine.nu
428836867237c5453a08da8e.webhop.org
43ea343452c7ac0f0846c988.podzone.net
448d3de8b830b70be22600bf.gotdns.com
44f32cf9971710b869a9e9c8.dontexist.com
47b10a4ab30e61e4b74aa661.gotdns.org
48e972108842e0d0c9e5fdf2.mine.nu
4916e2635dceb69776862390.dynalias.org
4a017cd6908b09d62c425718.selfip.biz
4c7e7dacb398c086c58d3faa.dynalias.org
4cac5eabb6a2214a81ad0760.selfip.biz
4e874edeea1e68fc792bdae2.gotdns.org
5328e9f6069f470758a00acc.dvrdns.org
549b11272b8a4b3095b0537e.dontexist.com
571ea1436338cc0d99eb8078.dynalias.org
58e74d65a3cc4fe035dbbda2.gotdns.com
5adde68d3bc12bb5e625cabb.homeftp.net
5c9d25cc7cd882479a609796.mine.nu
60a25d608e4a649e4af444e0.podzone.net
60e2af3686d06f21f3020026.homeftp.net
665b44722928d6bfbeaf988b.webhop.org
66bc311918791a6794866f50.dvrdns.org
67c97cbed3d264d19d8e5b27.dvrdns.org
6b2eb59711013d300e880d1c.dynalias.org
6b3c3cc0b4dd780c2fec2f6f.gotdns.com
6b52de135dc1495e89c0ab58.dontexist.com
6b60af16dc1d0e8ea821fdbc.gotdns.org
725a523df99960216bcfbffa.homeftp.net
73c5db9904cc52e4eace0764.webhop.org
779c26501c761d5e919a6624.homeftp.net
794b5ca01bb64c48754faf0c.dynalias.org
7e0a9746bba240206beb0fd0.homeftp.net
7e781346baa3a3bce70aa5bf.webhop.org
80cb766e88b70c906ecbefd3.dontexist.com
8140d66059dfec6425f71131.podzone.net
818644b1831c84e0798f9ee0.mine.nu
856990d5b0456a8ba9dbeb32.dontexist.com
88444afacffba122547670d1.mine.nu
8cd2b11586888ecb52ffd053.gotdns.com
8e3468104627c54bc068dd44.selfip.biz
8ec80631144f0fbc1eaa8f68.mine.nu
900139eaffbcd38018876df0.homeftp.net
90499263ca224ca95ff01024.webhop.org
909e65f061017672744285f3.dontexist.com
90d52c7d0c92f6ddacf68711.dontexist.com
910396ce5254bef0819e633d.selfip.biz
92afd94d55a6da9d1f519a7c.podzone.net
94488376b5d8d3f6c6a40bc5.webhop.org
95191465ad24aa061517253a.dynalias.org
95482702ed214a4b556619c6.selfip.biz
970fdfd18df4813f52d2472b.selfip.biz
9b212ac718b2e1235943adec.dynalias.org
9b4358c823382cbb4e82bf41.dontexist.com
9c850ba00e51786140490a36.mine.nu
9d2e959724edd7f66cec301e.selfip.biz
9eae6ea1c34249c042bf0037.podzone.net
a26f23656bab8dc4508eb5a2.mine.nu
a4c2b706b85923bb957823c2.mine.nu
a6197eccdfe18ef2ca06e48c.webhop.org
a798f98455df470c0b29b34f.mine.nu
a828fe5c598dc865e924fbb9.webhop.org
aae039e0629bd1614947f0f0.dynalias.org
ab690c910c49ad2bef9cce75.dynalias.org
b0a357b5735f902bdff042c1.podzone.net
b22d5de582060e586061f15b.homeftp.net
b66583b617d2d7b6a1dded9f.gotdns.com
b6e0134b7d7da747fe0c74e0.dynalias.org
b793df5e348aeb2c7dd5b7cc.podzone.net
ba028a028a38fcd8443e5c8f.dynalias.org
bb6e1f75f8fe369d7971ecdb.dynalias.org
bc1837ebe4d995b08079df38.mine.nu
bd7421fee539607f46f1f26a.dontexist.com
bdb7e7001bfbf6865e0e5fc7.dontexist.com
bf14f07423a53dc55ea35535.mine.nu
c1642b97da37c657a97bd848.mine.nu
c467917ae834519814e0d49a.dontexist.com
c58e1b1edc0e04195f01017a.dynalias.org
c6492763968289bebce065cf.gotdns.com
c8870d5fa9727a8d5fa2b5a8.gotdns.org
d1bfb154de06cbd381ef9751.mine.nu
d827f2ea240954322849260f.dynalias.org
d83c3de86bed61e7fb14d7b1.dynalias.org
dae7fb32afe3c0f9dc6d5ad2.mine.nu
db8c62855fb701cd676004e5.dynalias.org
dcbf23097800332e59ac4def.selfip.biz
dcc4374eda96873afb137b44.dynalias.org
dff3a271573578b6cc43c725.dontexist.com
e08bcee3f8586e0d3f3a8e31.gotdns.com
e119b0eb7fc7cb31bf64c66d.dvrdns.org
e2706818cafcdf67ea2552cb.gotdns.com
e64d445987e618bea6482938.podzone.net
eb3f72f1952b17acf62ee80d.selfip.biz
eb578347b30a518687364a9e.podzone.net
f0834c7ec0926ebe78029dc0.dynalias.org
f555bf015261100d38e0f2de.webhop.org
f5e647d0a9aa2dda4898fd2f.dynalias.org
f671629e0f16049db9ccd856.mine.nu
f777e097f711778ec22426a1.selfip.biz
fa0ccbcf1b5f74984a9530d7.mine.nu
fb857508b0c9cc35e3bab1e2.gotdns.org
fd7d46aa07ab0406560b4126.mine.nu
fd8c8f5b6a2867f79d1b8e71.gotdns.com
fe753d5f9ea4f311d1d14cc2.gotdns.com
fe8b7219896da7dbd4e28520.dynalias.org
ff5267331e22549fde4ca643.mine.nu


Wednesday, 24 April 2013

Something evil on 151.248.123.170

151.248.123.170 (Reg.Ru, Russia) is currently hosting a number of malicious sites being used in injection attacks (example 1, example 2). These domains appear to be almost all dynamic DNS domains which I would recommend blocking, I also recommend blocking the IP address. Trying to block individual domains would probably be ineffective.

Recommended blocklist:
151.248.123.170
ns3.name
zapto.org
hopto.org
no-ip.org
changeip.org
myftp.org
servemp3.com
dns04.com
itemdb.com
ikwb.com
myvnc.com
mefound.com
servehalflife.com
servequake.com
servecounterstrike.com
servegame.com
youdontcare.com
4mydomain.com
otzo.com
organiccrap.com
serveftp.com
dsmtp.com
servehttp.com
servebeer.com
servepics.com
3utilities.com
freeddns.com
mysecondarydns.com
jetos.com
serveusers.com
4pu.com
ocry.com
xxuz.com
ns01.info
mypicture.info
no-ip.info
ddns.ms
ns02.us
ddns.us
myfw.us
redirectme.net
serveblog.net
lflinkup.net
sytes.net
dynamic-dns.net
no-ip.biz

Detected domains (almost all of these are marked as unsafe by Google)
1aj1l2.redirectme.net
2l9cy2.myftp.org
3lejjwtbog.no-ip.info
4g8v7cg.no-ip.org
598l7qdz.3utilities.com
71dalp61hx.servequake.com
78mudv.redirectme.net
7fht7r.redirectme.net
81jtjlit.3utilities.com
8bqve7sn.servebeer.com
8mau1o8kl7.servepics.com
93rpglw.servequake.com
agapcpaa.ns01.info
ahbedbxyo.myfw.us
aivcdizhr.myfw.us
akkly1t.servemp3.com
aqbpswfpj.myfw.us
arhecexdij.mypicture.info
aturlejd.dns04.com
aupmbeutcbr.myfw.us
azxbxx.organiccrap.com
bdkvtjss.mysecondarydns.com
bdtrehpi.dsmtp.com
bfmkeke.servebeer.com
bgmya4t.no-ip.biz
bietzhsh.mefound.com
biirnrxhz.mypicture.info
bksthi5.servegame.com
briirddzbn.myfw.us
bzyphcsjcrhs.myfw.us
ckbqvlouqe.serveusers.com
ckowva.mypicture.info
clwjaqmz.ocry.com
ctgqrapvt.4pu.com
cxubqrtqv.dynamic-dns.net
cybaqwzoai.jetos.com
cyt4n83.zapto.org
djrarpcpp.organiccrap.com
dousvpd.mysecondarydns.com
dwsfdgem.mysecondarydns.com
ecrbtc.mefound.com
efterbiwkc.freeddns.com
ehvrwxyev.ns3.name
elxvpf6prq.myvnc.com
eojriwvpt.serveusers.com
esmiqsq.mysecondarydns.com
exrjzleph.myfw.us
fgcnxamjp.ddns.us
fm7vxw.serveblog.net
fmdetqh.dsmtp.com
fqguhzwcasmj.myfw.us
fxbjpg.itemdb.com
fyuccxbvon.jetos.com
fz1a9crr7i.no-ip.info
gbeonh.servehttp.com
gclpzkt.mefound.com
gcojpbiwb.mefound.com
getbwoedccls.myfw.us
gipjuqnyp.mysecondarydns.com
gpbqicpq.ns01.info
gpqhomgo.ocry.com
gtpjrnkte.itemdb.com
gwhwyvf.ocry.com
gykobwnn.ddns.ms
gyxjclzy.dsmtp.com
hbjadoipd.mefound.com
hdbbzvxejqn.myfw.us
hdygywog.youdontcare.com
hidzgz.otzo.com
hiweya.lflinkup.net
hmkdmjn.ikwb.com
hsqyvzz.ddns.ms
iolwnr.freeddns.com
iuvrmzszjx.ns02.us
j7h9c34fip.servehalflife.com
jayrkypqxx.ns02.us
jkjehvt4k6.servegame.com
jnsvbykd.ns02.us
joukprhng.ocry.com
jpwhgfrc.dynamic-dns.net
jwufzame.youdontcare.com
jxrxuuqs.ddns.ms
jxxaoeufjs.serveusers.com
k05c1jx3lm.sytes.net
k23901iiv.no-ip.org
k40q5bx.servemp3.com
k6fgu8.hopto.org
klmgaqrtem.jetos.com
kmxxvdey.dsmtp.com
krnwhhhtwvh.myfw.us
kuebyfoh.ddns.us
kukxizdui.4mydomain.com
kunwxont.ikwb.com
kzbeyyvkl.jetos.com
kzfxvrz.ns02.us
ladmbbwxmm.no-ip.info
lrymhkrah.dsmtp.com
m938c18.no-ip.info
meaymayetx.organiccrap.com
meuquma.ddns.us
mfbovxps.serveftp.com
mgz0bf6g46.servehttp.com
mpqeydocoiq.myfw.us
mpwtwer.ns01.info
mrnmqdsxfyze.myfw.us
mvdqmecbf.myfw.us
mztlzbd.dynamic-dns.net
ncopbisrmn.xxuz.com
ndmvpgslci.itemdb.com
ngyuwfpaa.dsmtp.com
nmwikbwrxia.myfw.us
nngbpjevv.mefound.com
nuzmis.itemdb.com
nxcgynyedfs.myfw.us
odybreg.ikwb.com
ojew5yj.servecounterstrike.com
okbriapkfb.mefound.com
opxphpg.dns04.com
oqpslwchym.ns3.name
ortqptto.organiccrap.com
ou5hiad9.redirectme.net
owljtjpwb.myfw.us
ozyiivww.youdontcare.com
pbsezsidc.ns01.info
peifdnc.4pu.com
pmjqkxgxz.ddns.us
pmkihqq.mypicture.info
ppmdbwqxcrv.myfw.us
pwemctzvq.ns02.us
pwkwxztpaj.myfw.us
pzcbqmnxv.ddns.ms
qfnisv1h.servehttp.com
qgfs3q0.redirectme.net
qntfwt.changeip.org
qnwycifjfl.myfw.us
qsbmgof.ns3.name
qtbxjkot.ocry.com
quludwdcaq.mypicture.info
qzlkluald.myfw.us
r6x4yz.no-ip.org
rbnumsmbygqb.myfw.us
rcezlgb.ns3.name
rcumgx.jetos.com
rkaseooypl.myfw.us
rkhcyhk4o3.servecounterstrike.com
rnrbdynkblyb.myfw.us
rpbdqzdemsu.myfw.us
seronwzic.myfw.us
sgcdujudgzm.myfw.us
sglrpbgnvl.freeddns.com
sjsw9ne.servecounterstrike.com
slcvzheogxph.myfw.us
sozsybvook.myfw.us
sppbfcemw.jetos.com
synvmclp.dynamic-dns.net
tfqvhdg.otzo.com
tgckjiq.mysecondarydns.com
tin57d1.sytes.net
tlq8aw7lxc.servequake.com
tlvayh.4mydomain.com
tmipoitnfj.myfw.us
tnfzfdd.mypicture.info
trgcrumzlo.xxuz.com
tuewfxrwos.xxuz.com
uegnytqslcm.myfw.us
uftmrikaydi.myfw.us
umhlefsfo.dynamic-dns.net
uniomlciyi.otzo.com
uttptbyvgr.organiccrap.com
uucnwdbptssb.myfw.us
uureflcf.lflinkup.net
vbhxqbwpt.myfw.us
vesooyzw.serveusers.com
vewvfb.ikwb.com
vgyxuawyxb.myfw.us
voskghrg.ns3.name
vpogbb.ns01.info
vpxnbn.organiccrap.com
wdpyffpv.dsmtp.com
whaumhrm.organiccrap.com
whpiiimwpodx.myfw.us
wmnrrskry.myfw.us
wobxsdlv5r.no-ip.info
wrnkzkxjea.servemp3.com
wtriylabiccu.myfw.us
wucsutja.servecounterstrike.com
wwrhxrrvx2.serveftp.com
wywiapwvh.dns04.com
xkfrazfa.changeip.org
xlumergew.ns02.us
xugjnwfw.dsmtp.com
xxyneb.4pu.com
xygvilyksie.myfw.us
xzbqujbaj.ocry.com
ybdrgilms.4pu.com
ybywobw.mysecondarydns.com
yywgvpqrpeym.myfw.us
zakiie.ocry.com
zhudyeczk.myfw.us
zihoqd.ns3.name
zkgctmm4h.myftp.org
znhkad.xxuz.com
zqieuqgwt.ns3.name
zylzvbn.ns02.us
zyzniusdlq.ns01.info

Thursday, 29 November 2012

Dynamic DNS sites you might want to block II

These Dynamic DNS domains belong to a mystery outfit called dnsdynamic.org, and several of them seem to be in the process of being abused by third parties (for example). The registrations seem to be anonymised, some poking around at the recent WHOIS history of one of these domains (freedynamicdns.com) reveals ownership details of:

      Manager, Domain  manager@invertebrateisp.com
      Invertebrate ISP
      PO Box 405
      Glenmont, New York 12077
      United States
      +1.2623946781

More digging at invertabrateisp.com comes up with a real name:

      Wilde, Tim  [redacted]
      [redacted]
      Glenmont, New York 12077
      United States
      [redacted]      Fax -- 

Anyway, Mr Wilde is  not connected with the malicious activity going on with these domains, but he is providing a service that is being abused. Interestingly he founded DynDNS before selling it on.

Dynamic DNS services can be useful, but my personal recommendation is that you should consider blocking them as the bad guys are very good at abusing them. Overall, these are not as bad as the ones run by ChangeIP.com (see here).

There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them (yellow highlighted ones have some malware, red highlighted ones are blocked by Google). The second one is a plain list of everything in case you want to block them completely.

adultdns.net [report]
andrewhaberman.com [report]
ddns01.eu [report]
ddnsd.eu [report]
dns53.biz [report]
dnsapi.info [report]
dnsd.info [report]
dnsd.me [report]
dnsdynamic.com [report]
dnsdynamic.net [report]
dnsdynamic.org [report]
fe100.net [report]
freedynamicdns.com [report]
ftp21.net [report]
http80.info [report]
https443.com [report]
imap01.com [report]
ns360.info [report]
ole32.com [report]
ssh01.com [report]
ssh22.net [report]
tftpd.net [report]
ttl60.com [report]
ttl60.org [report]
user32.com [report]
voip01.com [report]
wow64.net [report]

Plain list for copy-and-pasting:
adultdns.net
andrewhaberman.com
ddns01.eu
ddnsd.eu
dns53.biz
dnsapi.info
dnsd.info
dnsd.me
dnsdynamic.com
dnsdynamic.net
dnsdynamic.org
fe100.net
freedynamicdns.com
ftp21.net
http80.info
https443.com
imap01.com
ns360.info
ole32.com
ssh01.com
ssh22.net
tftpd.net
ttl60.com
ttl60.org
user32.com
voip01.com
wow64.net

Monday, 5 November 2012

Dynamic DNS sites you might want to block

These domains belong to ChangeIP.com, which I guess is a legitimate company providing Dynamic DNS services, but one that is being abused by the bad guys. These will be used with some random subdomain unless it's a corporate site (like ChangeIP.com itself) pointing to a random IP address somewhere.. so blocking IPs won't work here.

There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them (yellow highlighted ones have some malware, red highlighted ones are blocked by Google). The second one is a plain list of everything in case you want to block them completely.

You might notice one of the domains is called b0tnet.com which is a peculiar name for a legitimate business to register.

1dumb.com [report]
25u.com [report]
2waky.com [report]
3-a.net [report]
4dq.com [report]
4mydomain.com [report]
4pu.com [report]
acmetoy.com [report]
almostmy.com [report]
americanunfinished.com [report]
anastasion.com [report]
authorizeddns.net [report]
authorizeddns.org [report]
authorizeddns.us [report]
b0tnet.com [report]
bigmoney.biz [report]
changeip.biz [report]
changeip.co.uk [report]
changeip.me [report]
changeip.name [report]
changeip.net [report]
changeip.org [report]
changeip.us [report]
cleansite.biz [report]
cleansite.info [report]
cleansite.us [report]
compress.to [report]
ddns.com.co [report]
ddns.info [report]
ddns.me.uk [report]
ddns.mobi [report]
ddns.ms [report]
ddns.name [report]
ddns.us [report]
dhcp.biz [report]
dns-dns.com [report]
dns-report.com [report]
dns-stuff.com [report]
dns04.com [report]
dns05.com [report]
dns1.us [report]
dns2.us [report]
dnsfailover.net [report]
dnsrd.com [report]
dnyp.com [report]
dsmtp.com [report]
dumb1.com [report]
dynamicdns.biz [report]
dynamicdns.co [report]
dynamicdns.co.uk [report]
dynamicdns.com.co [report]
dynamicdns.me.uk [report]
dynamicdns.org.uk [report]
dyndns.pro [report]
edns.biz [report]
epac.to [report]
esmtp.biz [report]
ezua.com [report]
faqserv.com [report]
fartit.com [report]
freeddns.com [report]
freetcp.com [report]
freewww.biz [report]
freewww.info [report]
ftp1.biz [report]
ftpserver.biz [report]
gettrials.com [report]
got-game.org [report]
gr8domain.biz [report]
gr8name.biz [report]
https443.net [report]
https443.org [report]
instanthq.com [report]
iownyour.biz [report]
iownyour.org [report]
isasecret.com [report]
itemdb.com [report]
itsaol.com [report]
jetos.com [report]
jkub.com [report]
jungleheart.com [report]
justdied.com [report]
lflink.com [report]
lflinkup.com [report]
lflinkup.net [report]
lflinkup.org [report]
longmusic.com [report]
mefound.com [report]
misecure.com [report]
moneyhome.biz [report]
monitorip.com [report]
mrbasic.com [report]
mrbonus.com [report]
mrface.com [report]
mrnorris.com [report]
mrslove.com [report]
my03.com [report]
mydad.info [report]
myddns.com [report]
myftp.info [report]
myftp.name [report]
mymom.info [report]
mynumber.org [report]
mypicture.info [report]
mypop3.net [report]
mypop3.org [report]
mysecondarydns.com [report]
mywww.biz [report]
myz.info [report]
ninth.biz [report]
ns01.biz [report]
ns01.info [report]
ns01.us [report]
ns02.biz [report]
ns02.info [report]
ns02.us [report]
ns1.name [report]
ns2.name [report]
ns3.name [report]
ocry.com [report]
onedumb.com [report]
onmypc.biz [report]
onmypc.info [report]
onmypc.net [report]
onmypc.org [report]
onmypc.us [report]
organiccrap.com [report]
otzo.com [report]
ourhobby.com [report]
pcanywhere.net [report]
poppop.com [report]
port25.biz [report]
portrelay.com [report]
privatename.org [report]
proxydns.com [report]
qhigh.com [report]
qpoe.com [report]
rebatesrule.net [report]
sellclassics.com [report]
sendsmtp.com [report]
serveuser.com [report]
serveusers.com [report]
sexidude.com [report]
sexxxy.biz [report]
sixth.biz [report]
squirly.info [report]
ssl443.org [report]
ssmailer.com [report]
theblacklist.org [report]
toh.info [report]
toythieves.com [report]
trickip.net [report]
trickip.org [report]
vizvaz.com [report]
wha.la [report]
wikaba.com [report]
www1.biz [report]
wwwhost.biz [report]
x24hr.com [report]
xxuz.com [report]
xxxy.biz [report]
xxxy.info [report]
ygto.com [report]
youdontcare.com [report]
yourtrap.com [report]
zaantek.com [report]
zyns.com [report]
zzux.com [report]


If you want to block all of these sites, then the domains I can find are as follows:
1dumb.com
25u.com
2waky.com
3-a.net
4dq.com
4mydomain.com
4pu.com
acmetoy.com
almostmy.com
americanunfinished.com
anastasion.com
authorizeddns.net
authorizeddns.org
authorizeddns.us
b0tnet.com
bigmoney.biz
changeip.biz
changeip.co.uk
changeip.me
changeip.name
changeip.net
changeip.org
changeip.us
cleansite.biz
cleansite.info
cleansite.us
compress.to
ddns.com.co
ddns.info
ddns.me.uk
ddns.mobi
ddns.ms
ddns.name
ddns.us
dhcp.biz
dns-dns.com
dns-report.com
dns-stuff.com
dns04.com
dns05.com
dns1.us
dns2.us
dnsfailover.net
dnsrd.com
dnyp.com
dsmtp.com
dumb1.com
dynamicdns.biz
dynamicdns.co
dynamicdns.co.uk
dynamicdns.com.co
dynamicdns.me.uk
dynamicdns.org.uk
dyndns.pro
edns.biz
epac.to
esmtp.biz
ezua.com
faqserv.com
fartit.com
freeddns.com
freetcp.com
freewww.biz
freewww.info
ftp1.biz
ftpserver.biz
gettrials.com
got-game.org
gr8domain.biz
gr8name.biz
https443.net
https443.org
instanthq.com
iownyour.biz
iownyour.org
isasecret.com
itemdb.com
itsaol.com
jetos.com
jkub.com
jungleheart.com
justdied.com
lflink.com
lflinkup.com
lflinkup.net
lflinkup.org
longmusic.com
mefound.com
misecure.com
moneyhome.biz
monitorip.com
mrbasic.com
mrbonus.com
mrface.com
mrnorris.com
mrslove.com
my03.com
mydad.info
myddns.com
myftp.info
myftp.name
mymom.info
mynumber.org
mypicture.info
mypop3.net
mypop3.org
mysecondarydns.com
mywww.biz
myz.info
ninth.biz
ns01.biz
ns01.info
ns01.us
ns02.biz
ns02.info
ns02.us
ns1.name
ns2.name
ns3.name
ocry.com
onedumb.com
onmypc.biz
onmypc.info
onmypc.net
onmypc.org
onmypc.us
organiccrap.com
otzo.com
ourhobby.com
pcanywhere.net
poppop.com
port25.biz
portrelay.com
privatename.org
proxydns.com
qhigh.com
qpoe.com
rebatesrule.net
sellclassics.com
sendsmtp.com
serveuser.com
serveusers.com
sexidude.com
sexxxy.biz
sixth.biz
squirly.info
ssl443.org
ssmailer.com
theblacklist.org
toh.info
toythieves.com
trickip.net
trickip.org
vizvaz.com
wha.la
wikaba.com
www1.biz
wwwhost.biz
x24hr.com
xxuz.com
xxxy.biz
xxxy.info
ygto.com
youdontcare.com
yourtrap.com
zaantek.com
zyns.com
zzux.com