Over the past month or so we’ve seen quite a lot of malware coming from sub-domains of DynDNS.com, which is a dynamic DNS provider. A typical link might look like this:
(scapper-site.net is a DynDNS site.)
The sub-domains change every hour or so, though the folder and file name generally do not. The sub-domains, which appear to be semi-randomly named, usually resolve to this IP:
The files coming down are typically detected as Trojan.Win32.Alureon, Trojan-Downloader.Win32.FraudLoad, and Trojan.Win32.FakeAlert, although detection among major antivirus providers is spotty and varies wildly by file.
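The pattern described above (a fixed folder and file name served from a stream of short-lived, semi-random sub-domains under a free dynamic-DNS domain, all resolving to the same IP) is easy to hunt for in proxy logs. The following is an added example, not code from the original post or from DynDNS: it groups requests to dynamic-DNS hosts by URL path and flags paths that are reached through many distinct sub-domains but a small set of server IPs. The log format, the sample log lines, the parent-domain list (other than scapper-site.net, which is from the post) and the thresholds are all assumptions for the example.

```python
"""
Hunt for rotating dynamic-DNS sub-domains that serve the same file.

Assumed log format (constructed for this example; not a real proxy format):
    "<ISO timestamp> <client ip> <url> <resolved server ip>"
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Registered domains handed out by a dynamic-DNS provider. scapper-site.net is
# the one named in the post; the others are placeholders, not the provider's
# real list, and should be replaced with the domains seen in your own logs.
DDNS_FREE_DOMAINS = {"scapper-site.net", "example-dyn.net", "example-dyn.org"}

# Constructed sample proxy log; none of this is real traffic.
SAMPLE_LOG = """\
2009-10-01T10:00:01 10.1.1.5 http://kx7q2.scapper-site.net/vid/player.exe 203.0.113.9
2009-10-01T11:02:17 10.1.1.8 http://p0mzr.scapper-site.net/vid/player.exe 203.0.113.9
2009-10-01T12:15:44 10.1.1.5 http://dl3n8f.scapper-site.net/vid/player.exe 203.0.113.9
2009-10-01T12:20:03 10.1.1.9 http://www.example-dyn.org/index.html 198.51.100.4
2009-10-01T13:01:10 10.1.1.2 http://a9w1t.example-dyn.net/vid/player.exe 203.0.113.9
2009-10-01T13:30:00 10.1.1.3 http://static.example.com/vid/player.exe 192.0.2.77
"""


def ddns_parent(host):
    """Return the dynamic-DNS parent domain that host sits under, else None."""
    host = host.lower().rstrip(".")
    for parent in DDNS_FREE_DOMAINS:
        if host == parent or host.endswith("." + parent):
            return parent
    return None


def parse_line(line):
    """Split one assumed-format log line into its fields."""
    ts, client, url, server_ip = line.split()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "host": parts.hostname or "",
        "path": parts.path,
        "server_ip": server_ip,
    }


def find_rotating_hosts(log_text, min_subdomains=3, max_ips=1):
    """Group dynamic-DNS requests by URL path and flag paths that are served
    from at least min_subdomains distinct hosts resolving to at most max_ips
    server IPs: many names, one file, one box."""
    by_path = defaultdict(lambda: {"hosts": set(), "ips": set(), "parents": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        parent = ddns_parent(rec["host"])
        if parent is None:          # not a dynamic-DNS host; ignore
            continue
        entry = by_path[rec["path"]]
        entry["hosts"].add(rec["host"])
        entry["ips"].add(rec["server_ip"])
        entry["parents"].add(parent)

    hits = []
    for path, e in by_path.items():
        if len(e["hosts"]) >= min_subdomains and len(e["ips"]) <= max_ips:
            hits.append({
                "path": path,
                "hosts": sorted(e["hosts"]),
                "ips": sorted(e["ips"]),
                "parents": sorted(e["parents"]),
            })
    return sorted(hits, key=lambda h: h["path"])


if __name__ == "__main__":
    for hit in find_rotating_hosts(SAMPLE_LOG):
        print(f"{hit['path']} served from {len(hit['hosts'])} dynamic-DNS hosts "
              f"-> {', '.join(hit['ips'])}")
        for h in hit["hosts"]:
            print("   ", h)
```

Keying on the path rather than the host is the point: the sub-domain is the part the attacker rotates, so a host-based blocklist is always a step behind, while the folder, file name and resolved IP stay put long enough to match on. Tune `min_subdomains` and `max_ips` to your traffic volume, and expect to add the resolved IP itself as a block once a cluster is confirmed.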
WHOIS data for DynDNS.com:
Hostmaster, DynDNS <firstname.lastname@example.org>
1230 Elm St., 5th Floor
Manchester, NH 03101
The list of their domains that we’ve seen being used by the bad guys closely matches the list of available domains you see on their web site in the dropdown box for “Free Domain Name.” The ones we’ve seen in particular over the last couple of weeks are:
Note that the services of both DynDNS.com and No-IP.com have been used to distribute a variety of malware over the past year; these “anal porn” malware files are simply the most recent and noteworthy example.
Free file hosting sites (e.g., Rapidshare.com, FileAve.com), social media sites (Facebook, Twitter), and blog sites have been and still are being exploited by the bad guys in similar fashion.
Bottom line: any company that offers services allowing anonymous users to post or distribute content or files for free will become a preferred means of distributing malware. These services have a responsibility to police how their free offerings are used.
(With many thanks to Eric Howes)
Update: Great response from the DynDNS abuse team, the situation is now under control.