SophosLabs Finds .EU Domains Exploited Through Blackhole Exploit Kit

Recently there has been a spate of .EU domain name registration abuse, SophosLabs have claimed on their Naked Security blog

In their blog posting, SophosLabs say that “numerous malicious .eu domains have been registered during November which are being used to infect PCs with malware via the Blackhole exploit kit.” The example domains given are:

  • owzshm.eu
  • mpxuth.eu
  • ngpsjy.eu
  • wlwhhz.eu
  • jhzopj.eu
  • jqwwgm.eu
  • pmgugq.eu
  • jkiwhy.eu
  • nrxpxq.eu
  • vjtjpy.eu
  • xzjvhs.eu
  • xipuww.eu
  • kngipu.eu
  • ptkqzo.eu
  • pyrhox.eu

All of the domains resolve to the same IP address, a server located in the Czech Republic, and are short-lived: each name only resolves to that server for a brief period before the attackers move on to the next one.

SophosLabs note that this tactic is common, used by many threats to evade security filtering: a blocklist built from yesterday's domain no longer matches today's.
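The rotation pattern described above (many throwaway names, each resolving to one server for only a short window, one after another) is something a defender can spot in passive DNS or resolver logs even when the individual names are unknown. The following is an added example, not code from SophosLabs or the article: it groups resolution records by IP address, flags any IP that has several short-lived names, and checks whether those names were used in sequence. The .eu names are the ones listed in the article; the IP 192.0.2.10 is a TEST-NET placeholder because the article does not give the Czech server's address, and the timestamps, the example.* names and the other IPs are constructed for contrast.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style records: (domain, resolved IP, first seen, last seen).
# The .eu names come from the article; 192.0.2.10 is a TEST-NET placeholder for the
# Czech server (its real address is not given). Everything else is made up.
RECORDS = [
    ("owzshm.eu", "192.0.2.10", "2012-11-05 08:00", "2012-11-05 20:00"),
    ("mpxuth.eu", "192.0.2.10", "2012-11-05 20:00", "2012-11-06 09:00"),
    ("ngpsjy.eu", "192.0.2.10", "2012-11-06 09:00", "2012-11-06 22:00"),
    ("wlwhhz.eu", "192.0.2.10", "2012-11-06 22:00", "2012-11-07 11:00"),
    ("jhzopj.eu", "192.0.2.10", "2012-11-07 11:00", "2012-11-07 23:00"),
    ("jqwwgm.eu", "192.0.2.10", "2012-11-07 23:00", "2012-11-08 12:00"),
    # Ordinary shared hosting: several domains on one IP, but all long-lived.
    ("example.com", "192.0.2.20", "2012-01-01 00:00", "2012-11-30 00:00"),
    ("example.org", "192.0.2.20", "2012-01-01 00:00", "2012-11-30 00:00"),
    ("example.net", "192.0.2.20", "2012-03-01 00:00", "2012-11-30 00:00"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def find_rotating_domains(records, min_domains=3, max_lifetime=timedelta(hours=48)):
    """Group records by resolved IP and flag IPs serving at least `min_domains`
    names that each resolved for no longer than `max_lifetime`.

    For each flagged IP the result reports the names in the order they went
    live, the TLD mix, whether the names were used strictly one after another
    (the rotation the article describes), and the overall active window.
    """
    by_ip = defaultdict(list)
    for domain, ip, first, last in records:
        by_ip[ip].append((domain, _ts(first), _ts(last)))

    findings = {}
    for ip, entries in by_ip.items():
        # Keep only the short-lived names; long-lived shared hosting drops out here.
        short = [e for e in entries if e[2] - e[1] <= max_lifetime]
        if len(short) < min_domains:
            continue
        short.sort(key=lambda e: e[1])
        # Rotation: each name goes live no earlier than the previous one stops resolving.
        sequential = all(short[i][1] >= short[i - 1][2] for i in range(1, len(short)))
        findings[ip] = {
            "domains": [d for d, _, _ in short],
            "tlds": dict(Counter(d.rsplit(".", 1)[-1] for d, _, _ in short)),
            "sequential_rotation": sequential,
            "active_from": short[0][1],
            "active_to": max(e[2] for e in short),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in find_rotating_domains(RECORDS).items():
        print(ip, finding)
```

The thresholds (three names, 48 hours) are assumptions chosen for the sample; on real resolver data they should be tuned against known CDN and shared-hosting addresses, which also put many names on one IP but keep them resolving for months. The `tlds` field is what would have shown the .eu-to-.in overlap the article mentions, since the same server hosting short-lived names under two TLDs is a stronger signal than either TLD alone.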

But it is unusual for .eu domains to be abused in this way; normally it is other TLDs that are used.

Digging a little further into the WHOIS information for these registrations, SophosLabs made some interesting observations. One is a Finnish connection, based on the registrant details provided.

Going back a few months, SophosLabs found the same pattern for a number of .in (India) domains, and when active the .in domains resolved to the very same IP address as the .eu domains.

For further information, check out the SophosLabs Naked Security blog posting at nakedsecurity.sophos.com/2012/11/22/eu-blackhole-exploit-kit/

There is also an IDG report with additional information, titled Cybercriminals are increasingly abusing .eu domains in attacks.