A few days ago the Internet Storm Center raised a question about activity on 37.58.73.42 (Softlayer, Netherlands / Techpreneurs India Pvt Ltd, India), 95.156.228.69 (Game Company, Germany) and 195.210.43.42 (Syntis, France).
I hadn't seen the attack in question until today, when I came across this injection attack on a legitimate site: it uses a Cookie Bomb script [1] [2] to send victims, via an intermediary hacked site, to [donotclick]11p1rjqaahmp7asqbeqd5fx.bouwslim.be. The malicious domain is hosted on 95.156.228.69, which forms part of this cluster of three servers.
Reverse DNS indicates tens of thousands of malicious sites, mostly subdomains of domains hijacked from customers of a Belgian company called SpeedPacket, but there are also some other malicious .ru domains some of which I have spotted before on a server in Romania.
The SpeedPacket hijacks are interesting. They have been going on since at least July, and it appears that the domains are being hijacked in alphabetical order. From my perspective, it looks like one domain gets hijacked and used for evil purposes, and then it is either cleaned up by SpeedPacket or returned by the bad guys once they have used it. I've never seen anything like that before. For example, using the data from VirusTotal, we can map it out as follows:
04/07/2013 antwerpen-drukkerij.be
13/08/2013 behangwerk.be
15/08/2013 belgianpowersystem.be
21/08/2013 benzino.be
22/08/2013 besparen-isoleren.be
22/08/2013 beste-frankiermaschine
31/08/2013 beveiligingen-vergelijken.be
01/09/2013 bevloerders.be
01/09/2013 bewakingsvideo.be
03/09/2013 binnen-deuren.be
05/09/2013 binnenhuisarchitecten-vergelijken.be
07/09/2013 bizgo.be
07/09/2013 bizzdir.be
08/09/2013 bleachen.be
09/09/2013 blocnotes-drukken.be
09/09/2013 bobbo.be
11/09/2013 bodyhealth.be
11/09/2013 boeddhabeelden.be
11/09/2013 boekbinderijen.be
11/09/2013 boeken-tweedehands.be
12/09/2013 boeken-tweedehands.be
12/09/2013 boiler-op-zonne-energie.be
13/09/2013 boilershop.be
13/09/2013 boiler-warmtepomp.be
14/09/2013 boldea.ro
14/09/2013 boniface.be
16/09/2013 bourgondischschild.be
16/09/2013 bouwcorrect.be
17/09/2013 bouw-materialen.be
17/09/2013 bouwslim.be
At the time of writing, only the domain bouwslim.be seems to be resolving, the rest appear to have been cleaned up.
These domains [pastebin] all appear to have been hijacked from SpeedPacket's customers and have been used in CookieBomb attacks. We can count 138 SpeedPacket domains that have been abused so far.
So, how many domains do SpeedPacket look after? We traced the hijacked domains back to their originating servers and found these 2318 domains [pastebin]. 138 out of 2318 doesn't sound too bad, until you realise that the hijack is happening alphabetically and bouwslim.be is the 316th domain on the list. From that perspective it looks like a shocking 138/316 (44%) of SpeedPacket domains have been compromised so far.
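The two checks above (are the hijacks really walking the customer list alphabetically, and what fraction of the list up to the latest victim has been hit) are easy to automate. The script below is an added example and not something from the original post; it takes the dated list printed above as input. The ordering key it uses (registrable label only, hyphens stripped) is my assumption about how the attackers walk the list, and SAMPLE_CUSTOMERS is a small constructed stand-in for the 2318-domain pastebin, which is only linked from the post.

```python
# Added example, not from the original post: checks the "hijacked in
# alphabetical order" observation against the dated list in the post and
# reproduces the hijacked/position ratio calculation.
from datetime import datetime
from itertools import groupby

# The dated hijack observations from the post (dd/mm/yyyy domain).
OBSERVATIONS = """
04/07/2013 antwerpen-drukkerij.be
13/08/2013 behangwerk.be
15/08/2013 belgianpowersystem.be
21/08/2013 benzino.be
22/08/2013 besparen-isoleren.be
22/08/2013 beste-frankiermaschine
31/08/2013 beveiligingen-vergelijken.be
01/09/2013 bevloerders.be
01/09/2013 bewakingsvideo.be
03/09/2013 binnen-deuren.be
05/09/2013 binnenhuisarchitecten-vergelijken.be
07/09/2013 bizgo.be
07/09/2013 bizzdir.be
08/09/2013 bleachen.be
09/09/2013 blocnotes-drukken.be
09/09/2013 bobbo.be
11/09/2013 bodyhealth.be
11/09/2013 boeddhabeelden.be
11/09/2013 boekbinderijen.be
11/09/2013 boeken-tweedehands.be
12/09/2013 boeken-tweedehands.be
12/09/2013 boiler-op-zonne-energie.be
13/09/2013 boilershop.be
13/09/2013 boiler-warmtepomp.be
14/09/2013 boldea.ro
14/09/2013 boniface.be
16/09/2013 bourgondischschild.be
16/09/2013 bouwcorrect.be
17/09/2013 bouw-materialen.be
17/09/2013 bouwslim.be
"""

# Constructed stand-in for the 2318-domain SpeedPacket customer list
# (the real list is only linked from the post, not reproduced here).
SAMPLE_CUSTOMERS = [
    "aaa-bvba.be", "antwerpen-drukkerij.be", "bakkerij-x.be", "behangwerk.be",
    "belgianpowersystem.be", "benzino.be", "boekhandel-y.be", "bouwslim.be",
    "cafe-z.be", "dakwerken-q.be",
]


def parse_observations(text):
    """Return [(date, domain), ...] from 'dd/mm/yyyy domain' lines."""
    rows = []
    for line in text.strip().splitlines():
        date_s, domain = line.split(None, 1)
        rows.append((datetime.strptime(date_s, "%d/%m/%Y").date(), domain.strip()))
    return rows


def sort_key(domain):
    # Order on the label only, with hyphens removed. This is an assumption
    # about how the attackers walk the list; the post does not say, and
    # plain string order would put "bouw-materialen" before "bouwcorrect".
    return domain.rsplit(".", 1)[0].replace("-", "").lower()


def out_of_order(rows):
    """Entries whose label sorts before a label hijacked on an earlier date.

    Entries sharing a date are not compared with each other, since the
    VirusTotal dates give no ordering within a single day."""
    bad, high = [], ""
    rows = sorted(rows, key=lambda r: r[0])
    for date, group in groupby(rows, key=lambda r: r[0]):
        todays = [d for _, d in group]
        bad.extend((date, d) for d in todays if sort_key(d) < high)
        high = max([high] + [sort_key(d) for d in todays])
    return bad


def compromise_rate(customers, hijacked):
    """(hijacked so far, position of the last hijacked domain, ratio)."""
    ordered = sorted(customers, key=sort_key)
    hit = [d for d in ordered if d in hijacked]
    if not hit:
        return 0, 0, 0.0
    position = ordered.index(hit[-1]) + 1
    count = len(hit)  # every hit lies at or before 'position' by construction
    return count, position, count / position


if __name__ == "__main__":
    rows = parse_observations(OBSERVATIONS)
    print("out of order:", out_of_order(rows))
    print("rate:", compromise_rate(SAMPLE_CUSTOMERS, {d for _, d in rows}))
```

Run as-is it reports no out-of-order entries for the 30 dated domains, and for the constructed customer list it gives 5 hijacked out of the first 8 positions; feeding it the real 2318-domain list in place of SAMPLE_CUSTOMERS reproduces the 138/316 figure the post arrives at by hand.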
As I said, there are also some other domains hosted on these servers, including some malicious .ru domains. I don't recommend that you block the SpeedPacket customers listed, simply because blocking the IPs is simpler and less likely to block a legitimate site, but still, if it is your network then it is your rules that apply.
Recommended blocklist:
37.58.73.42
95.156.228.69
195.210.43.42
datingbay.eu
datingbay.us
arcgyj.ru
gmzuwr.ru
gnlhxr.ru
gqwgup.ru
gwggjs.ru
hiitok.ru
hjjjtp.ru
hljnpn.ru
hoqvmh.ru
hrgvrl.ru
htgkyl.ru
ihjxyw.ru
ilpkyu.ru
ivxwzs.ru
ixwsnw.ru
jpkkyy.ru
jtgqqt.ru
kinyng.ru
kjlluq.ru
klzwlz.ru
ksmhwj.ru
lqohmk.ru
lryuuy.ru
luiwmt.ru
lulpqm.ru
lvyrts.ru
lwxzuj.ru
mzjtwz.ru
nsggtm.ru
nsnikn.ru
nsnwzr.ru
nxtmrg.ru
ohskou.ru
olpnso.ru
onjmzs.ru
orjoik.ru
ovhirm.ru
oxxukz.ru
pguirk.ru
plvzjy.ru
ppvyot.ru
pvmkzn.ru
pvzvnp.ru
qroxil.ru
qugpiw.ru
qyloyh.ru
rgqvgm.ru
rhpxwr.ru
rszqxv.ru
rvwwko.ru
rwrkhx.ru
silotw.ru
toqizs.ru
tpxhpz.ru
trlnps.ru
ugjkxh.ru
ugvsmt.ru
umpynu.ru
vpzpkh.ru
vtqkmh.ru
vwjitv.ru
wltmpm.ru
wmhxul.ru
wqgzuo.ru
wstnog.ru
wvgyjr.ru
ximoql.ru
xqixtr.ru
xxpqzs.ru
ylypln.ru
ynjskx.ru
ynxgys.ru
yzxxtj.ru
zhkmgj.ru
zjqtih.ru
zromwk.ru
zrzuhj.ru
ztlwwm.ru
zuihwg.ru
zuknsr.ru
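To show how the blocklist above is meant to be applied, here is an added example of my own, not code from the original post: it loads a mixed list of IPs and domains, matches log lines on the server IP and on the domain or any subdomain beneath it, and emits BIND response-policy-zone records for the domains. The log format and the log lines are constructed for the example; only a subset of the blocklist is embedded, and the full list drops in unchanged. The second constructed line shows why the post favours blocking the IPs: the hijacked SpeedPacket subdomain is not on the list, but its server address is.

```python
# Added example, not from the original post: applies the recommended
# blocklist to log lines, matching listed IPs exactly and listed domains
# together with every subdomain beneath them.
import ipaddress

# Subset of the post's blocklist; the full list drops in unchanged.
BLOCKLIST = """
37.58.73.42
95.156.228.69
195.210.43.42
datingbay.eu
datingbay.us
arcgyj.ru
zuknsr.ru
"""

# Constructed log lines, in a made-up "time client host server_ip" layout.
SAMPLE_LOG = """\
2013-09-18T10:01:02 10.0.0.5 www.example.com 93.184.216.34
2013-09-18T10:01:03 10.0.0.5 11p1rjqaahmp7asqbeqd5fx.bouwslim.be 95.156.228.69
2013-09-18T10:01:04 10.0.0.9 cdn.arcgyj.ru 37.58.73.42
2013-09-18T10:01:05 10.0.0.9 notdatingbay.eu 198.51.100.7
2013-09-18T10:01:06 10.0.0.12 DATINGBAY.EU. 198.51.100.8
"""


def load_blocklist(text):
    """Split a mixed list into a set of IP strings and a set of domain names."""
    ips, domains = set(), set()
    for entry in text.split():
        try:
            ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            domains.add(entry.lower().rstrip("."))
    return ips, domains


def domain_match(host, domains):
    """Listed domain that host equals or sits under, else None.

    Walks the label boundaries so that notdatingbay.eu does not match
    datingbay.eu (a plain endswith() check would get that wrong)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(log_text, ips, domains):
    """Return (client, host, reasons) for every line that touches the list."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, host, server_ip = line.split()
        reasons = []
        if server_ip in ips:
            reasons.append("ip:" + server_ip)
        listed = domain_match(host, domains)
        if listed:
            reasons.append("domain:" + listed)
        if reasons:
            hits.append((client, host.lower().rstrip("."), reasons))
    return hits


def to_rpz(domains):
    """BIND response-policy-zone records that NXDOMAIN each domain and its subdomains."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines)


if __name__ == "__main__":
    ips, domains = load_blocklist(BLOCKLIST)
    for hit in scan_log(SAMPLE_LOG, ips, domains):
        print(hit)
    print(to_rpz(domains))
```

On the constructed log this flags three of the five lines: the bouwslim.be subdomain by IP only, cdn.arcgyj.ru by both IP and domain, and DATINGBAY.EU. by domain after normalising case and the trailing dot; notdatingbay.eu is correctly left alone.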