The Latest in IT Security

A Blackhole Exploiter Who Needs a Hug

10 Feb 2012

I’ve been keeping an eye out for a suitably interesting opportunity to comment on the current state of the Blackhole Exploit Kit (BHEK) attacks, and when I saw this in the malware logs, I just had to share…

In short, the Blackhole attacks continue, with new BHEK servers coming online each day, each hosting a variety of domains and subdomains, so not much has changed. One particular network of exploit-kit servers has been bouncing around to various IP addresses for some time now, and WebPulse has been identifying the new servers as this happens.

Anyway, on Monday this week, the Bad Guy started a new group of domains on a fresh IP address, beginning with a set of “.in” domains:

  • unizk.in
  • plzeu.in
  • westn.in
  • pelor.in
  • geroe.in
  • pefag.in
  • lobuz.in
  • migos.in

Looks pretty normal so far. But after a couple of days, when migos.in had run for a while, the domain names changed to an interesting new pattern, shown in chronological order here (beginning late Tuesday night in Europe):

  • hatemyself.info
  • antipathyme.info
  • malevolenceme.info
  • hatredme.info
  • disgustme.info
  • revengeme.info
  • dislike-me.info
  • thehateme.info

What’s this? A Bad Guy filled with self-loathing, as he sees the error of his wicked ways? Or maybe he’s just having a couple of bad days (which we’re happy to be contributing to!), and needs a hug…

–C.L.

P.S. Well, it looks like he’s over his brief period of depression. As I was wrapping up this post, I re-checked, and there are a couple of fresh entries in the traffic logs, showing requests headed to eqers.in, so he’s back to his original domain naming style…
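The pivot described above (one operator, a fresh IP, a stream of throwaway domains, and a naming style that changes mid-campaign) is easy to automate once you have resolver or proxy logs that pair each requested domain with the IP it resolved to. The following is an added example written for this post, not WebPulse code or anything the author published. It clusters requests by server IP, flags IPs that have been seen fronting an unusual number of distinct domains, and reports the points in time where the naming pattern on a given IP shifts. The log lines, timestamps and IP addresses are constructed (the IPs are RFC 5737 documentation addresses, not the real BHEK server); only the domain names come from the post.

```python
import re
from collections import defaultdict

# Constructed sample log: "<ISO timestamp> <requested domain> <resolved IP>".
# Timestamps and IPs are made up; 203.0.113.10 stands in for the exploit-kit
# server and 198.51.100.7 for an ordinary, uninteresting host.
SAMPLE_LOG = """\
2012-02-06T09:12:01Z unizk.in 203.0.113.10
2012-02-06T11:40:33Z plzeu.in 203.0.113.10
2012-02-06T14:03:17Z westn.in 203.0.113.10
2012-02-06T17:55:02Z pelor.in 203.0.113.10
2012-02-06T18:20:44Z example.com 198.51.100.7
2012-02-07T02:14:09Z geroe.in 203.0.113.10
2012-02-07T06:31:50Z pefag.in 203.0.113.10
2012-02-07T10:47:21Z lobuz.in 203.0.113.10
2012-02-07T13:08:36Z migos.in 203.0.113.10
2012-02-07T23:55:12Z hatemyself.info 203.0.113.10
2012-02-08T03:21:48Z antipathyme.info 203.0.113.10
2012-02-08T07:42:05Z malevolenceme.info 203.0.113.10
2012-02-08T12:15:39Z hatredme.info 203.0.113.10
2012-02-08T16:30:27Z disgustme.info 203.0.113.10
2012-02-08T21:05:11Z revengeme.info 203.0.113.10
2012-02-09T01:48:53Z dislike-me.info 203.0.113.10
2012-02-09T05:27:14Z thehateme.info 203.0.113.10
2012-02-09T09:00:00Z example.com 198.51.100.7
2012-02-10T08:02:19Z eqers.in 203.0.113.10
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_log(text):
    """Parse the constructed log into (timestamp, domain, ip) tuples, skipping junk lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, domain, ip = m.groups()
            records.append((ts, domain.lower(), ip))
    return records


def name_pattern(domain):
    """Coarse fingerprint of a domain's naming style: label length class plus TLD.

    The first BHEK batch used five-letter pseudo-random labels under .in; the
    second used longer English compounds under .info, so length class + TLD is
    enough to separate them. A real classifier would add entropy or dictionary
    hits, but the point here is the shift, not the exact feature.
    """
    label, _, tld = domain.rpartition(".")
    size = "short" if len(label) <= 6 else "long"
    return f"{size}/{tld}"


def cluster_by_ip(records):
    """Group (timestamp, domain) pairs by resolved IP, each list in time order."""
    by_ip = defaultdict(list)
    for ts, domain, ip in records:
        by_ip[ip].append((ts, domain))
    for entries in by_ip.values():
        entries.sort()
    return dict(by_ip)


def busy_ips(by_ip, min_domains=5):
    """IPs fronting at least `min_domains` distinct domains: the 'fresh server, many throwaway names' signal."""
    counts = {ip: len({d for _, d in entries}) for ip, entries in by_ip.items()}
    return {ip: n for ip, n in counts.items() if n >= min_domains}


def pattern_shifts(entries):
    """Return (timestamp, domain, old_pattern, new_pattern) wherever the naming style on one IP changes."""
    shifts = []
    previous = None
    for ts, domain in entries:
        current = name_pattern(domain)
        if previous is not None and current != previous:
            shifts.append((ts, domain, previous, current))
        previous = current
    return shifts


def analyse(text, min_domains=5):
    """Run the whole pipeline and return {ip: {"domains": n, "shifts": [...]}} for flagged IPs."""
    by_ip = cluster_by_ip(parse_log(text))
    report = {}
    for ip, n in busy_ips(by_ip, min_domains).items():
        report[ip] = {"domains": n, "shifts": pattern_shifts(by_ip[ip])}
    return report


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {info['domains']} distinct domains")
        for ts, domain, old, new in info["shifts"]:
            print(f"  {ts} {domain}: naming style {old} -> {new}")
```

Running it against the constructed log flags only 203.0.113.10, and reports two style changes on that server: the switch to the "*me.info" names at hatemyself.info and the return to five-letter .in names at eqers.in. The example.com host never crosses the distinct-domain threshold, so it never appears, which is the behaviour you want from a first-pass filter before a human looks at the names.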
