Fast-Flux Techniques in .mobi

Danmec/Asprox is an SQL injection attack tool that is responsible for some aspects of the recent wave of SQL injections (full list maintained by ShadowServer). This malware also uses fast-flux techniques to host some facets of the attacks. For a few days now, the attackers have also been using the .mobi TLD; this is the first time I have seen this TLD abused this way by malware. The following listing shows the result of a DNS lookup for one of the .mobi domains:
$ dig allocbn.mobi

; <<>> DiG 9.3.4 <<>> allocbn.mobi
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26203
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;allocbn.mobi. IN A

;; ANSWER SECTION:
allocbn.mobi. 600 IN A 200.167.230.85
allocbn.mobi. 600 IN A 69.247.175.135
allocbn.mobi. 600 IN A 71.56.42.87
allocbn.mobi. 600 IN A 72.187.108.240
allocbn.mobi. 600 IN A 74.138.199.132
allocbn.mobi. 600 IN A 75.66.193.0
allocbn.mobi. 600 IN A 75.143.150.108
allocbn.mobi. 600 IN A 76.175.178.111
allocbn.mobi. 600 IN A 98.165.213.34
allocbn.mobi. 600 IN A 98.192.74.13
allocbn.mobi. 600 IN A 98.223.61.12
allocbn.mobi. 600 IN A 99.233.217.232
allocbn.mobi. 600 IN A 118.160.173.122
allocbn.mobi. 600 IN A 190.18.116.54

The DNS answer has a short time to live (600 seconds, i.e., 10 minutes) and the IP addresses are spread across many different networks, a typical sign of fast-flux techniques. Most of the IP addresses are located in dial-up networks like Comcast and Roadrunner, so these are presumably infected, compromised machines. A DNS lookup a couple of minutes later returns a different set of IP addresses:
;; ANSWER SECTION:
allocbn.mobi. 493 IN A 208.107.82.31 [NEW]
allocbn.mobi. 493 IN A 71.56.42.87
allocbn.mobi. 493 IN A 72.177.224.125 [NEW]
allocbn.mobi. 493 IN A 72.187.175.42 [NEW]
allocbn.mobi. 493 IN A 75.143.150.108
allocbn.mobi. 493 IN A 76.171.151.145 [NEW]
allocbn.mobi. 493 IN A 76.175.178.111
allocbn.mobi. 493 IN A 81.203.14.159 [NEW]
allocbn.mobi. 493 IN A 92.233.227.123 [NEW]
allocbn.mobi. 493 IN A 98.165.213.34
allocbn.mobi. 493 IN A 98.192.74.13
allocbn.mobi. 493 IN A 98.223.61.12
allocbn.mobi. 493 IN A 99.233.217.232
allocbn.mobi. 493 IN A 156.34.132.62 [NEW]

This indicates the "fluxiness" of the domain. By DNS mining, i.e., performing a DNS lookup of this domain every TTL + 1 seconds (just after the cached answer expires), we can observe the botnet behind this attack. In the past week, we found about 1,000 unique bot IP addresses this way.
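The following is an added example (not the author's own tooling) of the DNS-mining loop described above: it parses the answer section of dig output, polls again every TTL + 1 seconds, and accumulates the set of IP addresses the domain has resolved to, which is how the count of unique bot IPs is obtained. The two lookups quoted in the post are embedded as constructed sample input, a simulated resolver replaces the real dig call so the script runs offline, and the fast-flux heuristic (TTL at most 900 seconds, answers spread over at least five distinct /16 prefixes) and its thresholds are assumptions of this example, not a standard from the post.

```python
import itertools
import re
import time

# One A record as printed in dig's ";; ANSWER SECTION:" block, e.g.
#   allocbn.mobi. 600 IN A 200.167.230.85
# The pattern is not end-anchored, so trailing annotations such as "[NEW]" are ignored.
A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed samples: the two answer sections quoted in the post above.
LOOKUP_1 = """\
allocbn.mobi. 600 IN A 200.167.230.85
allocbn.mobi. 600 IN A 69.247.175.135
allocbn.mobi. 600 IN A 71.56.42.87
allocbn.mobi. 600 IN A 72.187.108.240
allocbn.mobi. 600 IN A 74.138.199.132
allocbn.mobi. 600 IN A 75.66.193.0
allocbn.mobi. 600 IN A 75.143.150.108
allocbn.mobi. 600 IN A 76.175.178.111
allocbn.mobi. 600 IN A 98.165.213.34
allocbn.mobi. 600 IN A 98.192.74.13
allocbn.mobi. 600 IN A 98.223.61.12
allocbn.mobi. 600 IN A 99.233.217.232
allocbn.mobi. 600 IN A 118.160.173.122
allocbn.mobi. 600 IN A 190.18.116.54
"""
LOOKUP_2 = """\
allocbn.mobi. 493 IN A 208.107.82.31
allocbn.mobi. 493 IN A 71.56.42.87
allocbn.mobi. 493 IN A 72.177.224.125
allocbn.mobi. 493 IN A 72.187.175.42
allocbn.mobi. 493 IN A 75.143.150.108
allocbn.mobi. 493 IN A 76.171.151.145
allocbn.mobi. 493 IN A 76.175.178.111
allocbn.mobi. 493 IN A 81.203.14.159
allocbn.mobi. 493 IN A 92.233.227.123
allocbn.mobi. 493 IN A 98.165.213.34
allocbn.mobi. 493 IN A 98.192.74.13
allocbn.mobi. 493 IN A 98.223.61.12
allocbn.mobi. 493 IN A 99.233.217.232
allocbn.mobi. 493 IN A 156.34.132.62
"""


def parse_answer_section(text):
    """Return (ttl, set of IPs) from dig output; ttl is the lowest TTL seen."""
    ttl, ips = None, set()
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m is None:
            continue  # header lines, comments, non-A records
        record_ttl = int(m.group("ttl"))
        ttl = record_ttl if ttl is None else min(ttl, record_ttl)
        ips.add(m.group("ip"))
    return ttl, ips


def distinct_slash16(ips):
    """Crude network-diversity measure: distinct /16 prefixes among the answers."""
    return {".".join(ip.split(".")[:2]) for ip in ips}


def looks_fast_flux(ttl, ips, max_ttl=900, min_networks=5):
    """Assumed heuristic: short TTL plus many answers spread over many networks."""
    if ttl is None or ttl > max_ttl:
        return False
    return len(ips) >= min_networks and len(distinct_slash16(ips)) >= min_networks


def poll_interval(ttl):
    """Query again one second after the cached answer has expired."""
    return ttl + 1


class FluxTracker:
    """Accumulates every IP a fluxing domain has resolved to across lookups."""

    def __init__(self):
        self.seen = {}  # ip -> number of lookups in which it appeared
        self.lookups = 0

    def record(self, ips):
        """Add one lookup's answers; return those not seen in earlier lookups."""
        new = {ip for ip in ips if ip not in self.seen}
        for ip in ips:
            self.seen[ip] = self.seen.get(ip, 0) + 1
        self.lookups += 1
        return new


def mine(resolve, rounds, sleep=time.sleep):
    """DNS-mine: resolve, record the answers, wait TTL + 1 seconds, repeat."""
    tracker = FluxTracker()
    for i in range(rounds):
        ttl, ips = parse_answer_section(resolve())  # resolve() returns dig-style text
        new = tracker.record(ips)
        print(f"lookup {i + 1}: ttl={ttl} answers={len(ips)} new={len(new)} total={len(tracker.seen)}")
        if i + 1 < rounds and ttl is not None:
            sleep(poll_interval(ttl))
    return tracker


def simulated_resolver(samples):
    """Cycle through canned answer sections instead of running dig (offline stand-in)."""
    it = itertools.cycle(samples)
    return lambda: next(it)


if __name__ == "__main__":
    t = mine(simulated_resolver([LOOKUP_1, LOOKUP_2]), rounds=2, sleep=lambda _: None)
    print("unique bot IPs so far:", len(t.seen))
```

For live use, `resolve` would be a function that runs `dig <domain>` via `subprocess` and returns its stdout, with the default `time.sleep`; the tracker's `seen` dictionary then grows into the list of unique bot addresses, and the per-IP counts show which hosts stay in the rotation longest.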
