Malware Domains 2234.in, 0000002.in & co

Published: 2010-12-29
Last Updated: 2010-12-29 00:04:58 UTC
by Daniel Wesemann (Version: 1)
3 comment(s)

Those of you who watch the malware universe have no doubt noticed the recent increase in malicious sites with ".in" domain names. The current set of names follows a four-digit or seven-digit pattern (2234.in, 0000002.in). Passive DNS replication, such as the RUS-CERT/BFK service, shows that a big chunk of these domains currently points to 91.204.48.52 (AS24965) and 195.80.151.83 (AS50877). The former netblock is in Ukraine (where else), the latter likely in Moldova. Both show up prominently in Google's Safe Browsing filter (AS24965, AS50877), ZeuS Tracker, Spamhaus (AS24965, AS50877) and many other sites that maintain filter lists of malicious hosts.

A URL blocking system that can do regular expressions comes in pretty handy for these: \d{4}\.in and \d{7}\.in take care of the whole lot, likely with minimal side effects, since benign all-numeric domain names under ".in" are quite rare. Two things to check before deploying them: apply the pattern to the hostname only and anchor it to the end of the host (\d{4}\.in$), otherwise \d{4}\.in also matches 1234.info and any path that happens to contain such a string; and note that, unanchored, \d{4}\.in already matches the seven-digit names, since any four consecutive digits in front of .in satisfy it. If you're into blocking entire network ranges, zapping 91.204.48.0/22 and 195.80.148.0/22 should nicely take care of this current as well as future badness (though with unknown side effects: we have no idea whether your neighborhood pizza shack happens to host its perfectly harmless web site amidst all the malware in one of these netblocks :)
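As an added example (not code from the diary, nor from any blocking product), the two rules above as a small Python filter: an anchored version of the numeric-.in pattern applied to the host part of the URL, the diary's unanchored patterns kept side by side to show the false positive, and the two /22 netblocks checked against the address the proxy resolved the host to. The netblocks and the two addresses 91.204.48.52 and 195.80.151.83 are the ones named above; every other hostname and address in the sample list is constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Anchored pattern: the registrable label must be exactly four or seven
# digits directly under .in, optionally preceded by subdomain labels
# (www.2234.in).  Unanchored, \d{4}\.in would also hit "1234.info" or a
# path like /1234.index.html, which is why only the host is matched.
NUMERIC_IN = re.compile(r"^(?:[a-z0-9-]+\.)*(?:\d{4}|\d{7})\.in$", re.IGNORECASE)

# The diary's exact (unanchored) patterns, kept to show the difference.
NAIVE_PATTERNS = [re.compile(r"\d{4}\.in"), re.compile(r"\d{7}\.in")]

# The two /22s named in the diary.
BLOCKED_NETS = [
    ipaddress.ip_network("91.204.48.0/22"),
    ipaddress.ip_network("195.80.148.0/22"),
]


def hostname_of(url):
    """Return the lowercase hostname of a URL or bare host, or None.

    Scheme, userinfo, port, path and a trailing dot are stripped so the
    regex only ever sees the host part.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def naive_matches(text):
    """The diary's unanchored regexes applied to an arbitrary string."""
    return any(p.search(text) for p in NAIVE_PATTERNS)


def is_numeric_in_domain(hostname):
    """True for hosts under a four- or seven-digit .in domain (anchored)."""
    return NUMERIC_IN.match(hostname) is not None


def in_blocked_netblock(ip):
    """True if the (already resolved) address lies in one of the /22s.

    Raises ValueError for input that is not an IP address literal.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def classify(url, resolved_ip=None):
    """Return "domain-pattern", "netblock" or None for one request.

    resolved_ip is the address the proxy resolved the host to, if known;
    the netblock rule keys on it, so a benign site that happens to live in
    one of those ranges is blocked as well (the diary's pizza shack).
    """
    host = hostname_of(url)
    if host is None:
        return None
    if is_numeric_in_domain(host):
        return "domain-pattern"
    if resolved_ip is not None and in_blocked_netblock(resolved_ip):
        return "netblock"
    return None


if __name__ == "__main__":
    # Constructed sample requests: the two hostname shapes from the diary,
    # a benign look-alike, and a hypothetical site resolved into a /22.
    samples = [
        ("http://2234.in/", None),
        ("http://www.0000002.in/x.php", None),
        ("http://1234.info/", None),
        ("http://pizza.example/", "91.204.49.10"),
        ("http://example.com/", "195.80.152.1"),
    ]
    for url, ip in samples:
        print(f"{url:32} {ip or '-':16} -> {classify(url, ip)}")
```

The anchored pattern deliberately matches only four- or seven-digit labels, as the diary describes; widening it to \d{4,7} is a one-character change if the next batch of names varies in length.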

Keywords: malware

Comments

Why use two when you can just combine? For example, an even simpler pattern match, if we're assuming 4 to 7 characters:

\d{4,7}\.in
Thanks for this info, we are using the following regex in DNS Redirector to block this nonsense...
^(.*\.)?\d*\.in$
or simply...
^.*\.in$
...if your company doesn't have any business with India at all.

For those who are interested, IE URL Lock would also be another method to accomplish the block.
Been wondering, can this kind of blocking be achieved in MS TMG?
