Attackers Moving to .CE.MS Domain For Attack Sites

Searching_ _ _ · Nov 1, 2011

ttackers have been making a mess of some of the smaller country-code top-level domains for a while now, registering random domain names en masse and then using them deliver malware and rogue AV. The most infamous example of this is the .co.cc domain, which had become so infested with malicious domains that Google removed the entire domain from its search results earlier this year. Now the bad guys have moved on to the mountainous West Indies isle of Montserrat.

The island nation's .ms TLD has recently become a target of groups of attackers looking for fresh territory in which to plant their malicous binaries and rogue AV domains. Researchers at Zscaler have found that attackers are now registering massive numbers of randomly generated .ce.ms domains and using them as part of campaigns that involve JavaScript redirectors and the Black Hole exploit pack. The attackers are setting up malicious scripts on random URLs that, when visited by a user, uses the familiar tactic of obfuscated JavaScript to hide a malicious HTML file.
Click to expand...

Attackers Moving to .CE.MS Domain For Attack Sites - ThreatPost

Rmus · Nov 1, 2011

From the article:

The attackers are setting up malicious scripts on random URLs that, when visited by a user, uses the familiar tactic of obfuscated JavaScript to hide a malicious HTML file.

The ultimate payload of the attack is the Black Hole exploit kit,

The kit includes exploits for a number of known vulnerabilities in browsers and other common applications. Attackers use Black Hole to deliver other pieces of malware to victims' machines, such as rootkits and banker Trojans.
Click to expand...

In fact, no malware is delivered if the user has scripting enabled per site. And, of course, this applies to web based attacks, no matter the domain used.

These random URLs are usually arrived at through redirection. So, even if redirected from a compromised site with scripting enabled, the site with malicious scripts will just sit there and do nothing. Part of the obfuscated (disquised) code is included below:

Whereas, if scripting is enabled, then the code can attempt to do its dirty work.
(Note above the reference to JAVA in the first line of the code: content/field.jar)

People have argued that keeping scripting enabled just per trusted sites is aggrevating when a site you go to requires javascript so that you have to enable it and then reload the page.

No disagreement there, but you can't deny that whitelisting scripting of sites is a good preventative measure.

regards,

-rich

m00nbl00d · Nov 1, 2011

Rmus said:

[...] but you can't deny that whitelisting scripting of sites is a good preventative measure.

regards,

-rich
Click to expand...

Indeed. I got not issues doing it that way. It's as simple as clicking the javascript icon in the address bar, and choose allow for this domain and refresh.

Easier than that, only if Chromium starts showing a tip bar asking to click "Reload", at the image of what happens when allowing cookies. It makes things faster... a bit.

Log in or Sign up

Attackers Moving to .CE.MS Domain For Attack Sites

Searching_ _ _ Registered Member

Rmus Exploit Analyst

m00nbl00d Registered Member

Log in or Sign up

Attackers Moving to .CE.MS Domain For Attack Sites

Searching_ _ _ Registered Member

Rmus Exploit Analyst

m00nbl00d Registered Member

Useful Searches