02 Nov Is .info the new .cc? Kurt Baumgartner
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
In April, the .co.cc and .cz.cc sub-domains were absolutely littered with malware distributing web sites, and the unusually telling DNS registration setup on .co.cc and .cz.cc had forecast the previously upcoming Apple FakeAv. That DNS setup later led to FakeAv downloads for the Mac as forecast. But FakeAv distribution has been steadily declining since the beginning of the year, and a few related major events have occurred over the past six months. Blackhole operators have migrated to .info domains, along with other related malicious site operators. Have they pushed .info to become the new .cc?
So, what has this dispersion looked like? Well, let's look back to the beginning of the year. .co.cc and .cz.cc domain registrars offered free dns registration and cheap or free hosting. Malware distributors abused these cheap resources and staged the Blackhole exploit pack using these URL names, serving up FakeAv and other nastiness. Java exploits became the most effective and most popular in the Blackhole set, followed by exploits targeting vulnerable Adobe Reader and Microsoft HCP software. Traffic was directed to these kits by Google Image Search Poisoning, by compromising legitimate sites and redirecting browsers to the kit sites with injected iframe and img src tags, and by successful malvertizing campaigns on major webmail providers. But, what goes up must come down.