Over the past month or so we’ve seen quite a lot of malware coming from sub-domains of DynDNS.com, which is a dynamic DNS provider. A typical link might look like this:
http://upogoteluqike.scrapper-site.net/1111111ggg/get.php?name=Anal_Porn_Movie_162.mpeg
(scapper-site.net is a DynDNS site.)
The sub-domains are changing every hours, though the folder and file name generally do not. The sub-domains, which appear to be semi-randomly named, usually resolve to this IP:
80.91.176.172
The files coming down are typically detected as Trojan.Win32.Alureon,
Trojan-Downloader.Win32.FraudLoad, and Trojan.Win32.FakeAlert — although detection among major antivirus providers is spotty and varies wildly by file.
WhoIS data for DynDNS.com:
DynDNS.com
Hostmaster, DynDNS <hostmaster@dyndns.com
1230 Elm St.5th Floor
Manchester, NH 03101
The list of their domains that we’ve seen being used by the bad guys closely matches the list of available domains you see on their web site in the dropdown box for “Free Domain Name.” The ones we’ve seen in particular over the last couple of weeks are:
boldlygoingnowhere.org
dnsalias.com
dnsalias.net
dnsalias.org
dnsdojo.com
doesntexist.com
dynalias.net
doesntexist.org
dvrdns.org
dynalias.com
dynalias.org
dyndns.biz
dyndns.tv
dyndns.ws
endofinternet.net
endofinternet.org
game-host.org
getmyip.com
gotdns.com
gotdns.org
hobby-site.com
hobby-site.org
homedns.org
homeftp.org
homelinux.com
homelinux.net
homelinux.org
homeunix.net
homeunix.org
is-a-chef.com
is-a-geek.net
is-a-geek.org
isa-geek.org
kicks-ass.net
kicks-ass.org
scrapper-site.net
scrapping.cc
selfip.biz
selfip.com
selfip.info
selfip.net
selfip.org
servebbs.com
servebbs.org
serveftp.net
serveftp.org
servegame.org
thruhere.net
webhop.biz
webhop.info
webhop.net
It should be noted that DynDNS.com’s services and those of No-IP.com have been used to distribute a variety of malware over the past year, but these “anal porn” malware files are the most recent and noteworthy examples.
Free file hosting sites (e.g., Rapidshare.com, FileAve.com), social media sites (Facebook, Twitter), and blog sites have been and still are being exploited by the bad guys in similar fashion.
Bottom line: any company that makes available services allowing anonymous users to post or distribute content/files for free will become a preferred means for distributing malware. These services have a responsibility to police the use of their free services.
Alex Eckelberry
(With many thanks to Eric Howes)
Update: Great response from the DynDNS abuse team, the situation is now under control.