SANS ISC InfoSec Forums
Malware Domains 2234.in, 0000002.in & co

Those of you watching the malware universe have no doubt noticed the recent increase of malicious sites with ".in" domain names. The current set of names follows a four-digit or seven-digit pattern. Passive DNS replication like RUS-CERT/BFK shows that a big chunk of these domains currently seems to point to 91.204.48.52 (AS24965) and 195.80.151.83 (AS50877). The former netblock is in the Ukraine (where else), the latter likely in Moldavia. Both show up prominently on Google's filter (AS24965, AS50877), Zeustracker, Spamhaus (AS24965, AS50877) and many other sites that maintain filter lists of malicious hosts.

A URL block system that can do regular expressions comes in pretty handy for these: \d{4}\.in and \d{7}\.in take care of the whole lot, likely with minimal side effects, since (benign) all-numerical domain names under ".in" are quite rare. If you're into blocking entire network ranges, zapping 91.204.48.0/22 and 195.80.148.0/22 should nicely take care of this current as well as future badness (though with unknown side effects - we have no idea whether your neighborhood pizza shack happens to host its perfectly harmless web site amidst all the malware in one of these netblocks :)

Daniel

367 Posts
ISC Handler
Why use two when you can just combine? For example, an even simpler pattern match, if we're assuming 4 to 7 characters:

\d{4,7}\.in
Anonymous
Thanks for this info; we are using the following regex in DNS Redirector to block this nonsense...
^(.*\.)?\d*\.in$
or simply...
^.*\.in$
...if your company doesn't have any business with India at all.

For those who are interested IE URL Lock would also be another method to accomplish the block.
Anonymous
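To make the trade-offs between these patterns concrete, here is a small Python filter that puts the diary's two regexes, the combined 4-to-7-digit form from the first comment, and both DNS Redirector patterns from the second comment side by side, together with the diary's two /22 netblock checks. This is an added example, not code from the diary or from any of the commenters. It assumes whole-hostname matching (the diary's patterns are unanchored; anchoring them is this example's choice), lowercases hostnames before matching, and uses a constructed sample set of hostnames, a constructed benign list and a TEST-NET address rather than real observations.

```python
import ipaddress
import re
from typing import Optional

# Diary patterns, checked with fullmatch so "1234.in" must be the whole hostname
# and not a substring of e.g. "x1234.info" (whole-host matching is this example's choice).
DIARY_NUMERIC = [re.compile(r"\d{4}\.in"), re.compile(r"\d{7}\.in")]

# Combined 4-to-7-digit form from the first comment, written with the {m,n}
# quantifier syntax regex engines accept; an optional subdomain prefix is allowed here.
COMBINED_NUMERIC = re.compile(r"(?:.*\.)?\d{4,7}\.in")

# The two DNS Redirector patterns from the second comment, verbatim.
DNSR_NUMERIC = re.compile(r"^(.*\.)?\d*\.in$")
DNSR_ALL_IN = re.compile(r"^.*\.in$")

# Netblocks named in the diary.
BLOCKED_NETS = [
    ipaddress.ip_network("91.204.48.0/22"),
    ipaddress.ip_network("195.80.148.0/22"),
]

RULES = {
    "diary_4_or_7": lambda h: any(p.fullmatch(h) for p in DIARY_NUMERIC),
    "combined_4_to_7": lambda h: COMBINED_NUMERIC.fullmatch(h) is not None,
    "dnsr_numeric": lambda h: DNSR_NUMERIC.search(h) is not None,
    "dnsr_all_in": lambda h: DNSR_ALL_IN.search(h) is not None,
}


def host_verdicts(host: str) -> dict:
    """Return {rule_name: bool} for a hostname, normalised to lower case without a trailing dot."""
    h = host.strip().lower().rstrip(".")
    return {name: bool(check(h)) for name, check in RULES.items()}


def ip_blocked(ip: str) -> bool:
    """True if the address falls inside one of the diary's two /22 netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def should_block(host: str, resolved_ip: Optional[str], rule: str = "diary_4_or_7") -> bool:
    """Block if the chosen hostname rule fires or the resolved address sits in a blocked netblock."""
    return host_verdicts(host)[rule] or (resolved_ip is not None and ip_blocked(resolved_ip))


def side_effects(rule: str, benign_hosts) -> list:
    """Benign hostnames a rule would also block: the collateral damage of that rule."""
    return [h for h in benign_hosts if host_verdicts(h)[rule]]


# Constructed sample: the two names from the diary title plus made-up variants and
# benign-looking .in / .info names (assumptions for illustration, not real observations).
SAMPLE = [
    ("2234.in", "91.204.48.52"),      # diary IP, inside 91.204.48.0/22
    ("0000002.in", "195.80.151.83"),  # diary IP, inside 195.80.148.0/22
    ("www.12345.in", None),           # 5 digits behind a subdomain label
    ("example.in", "203.0.113.10"),   # benign-looking .in name, TEST-NET address
    ("1234.info", None),              # numeric label, but a different TLD
]
BENIGN = ["example.in", "nic.in", "www.example.co.in"]  # constructed benign list

if __name__ == "__main__":
    for host, ip in SAMPLE:
        ip_hit = ip_blocked(ip) if ip else "-"
        print(f"{host:18} ip_blocked={ip_hit!s:5} {host_verdicts(host)}")
    for rule in RULES:
        print(f"{rule:16} collateral: {side_effects(rule, BENIGN)}")
```

Running it shows the point of the diary's "minimal side effects" remark: the digit-only rules leave every name on the benign list alone, while the catch-all `^.*\.in$` blocks all of them, and the netblock check catches a name like `example.in` only when it actually resolves into one of the two /22s.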
Been wondering, can this kind of blocking be achieved in MS TMG?
Michael

32 Posts
