If you look at the top domains distributing malware over the last few days (and months), what do they have in common?
#numberofsitesinfected #type #malwaredomain
650 iframe http://cvrtyi.ddns.info/nighttrend.cgi?8
315 iframe http://byiegfs.ddns.info/nighttrend.cgi?8
275 iframe http://ileshdg.qhigh.com/nighttrend.cgi?8
179 iframe http://sdcmd.freewww.info/nighttrend.cgi?8
159 iframe http://lmybv.ddns.name/nighttrend.cgi?8
148 iframe http://wstckewb.freewww.biz/nighttrend.cgi?8
146 iframe http://zqajsv.qhigh.com/nighttrend.cgi?8
126 iframe http://avvof.sellClassics.com/nighttrend.cgi?8
116 iframe http://wnevt.pcanywhere.net/nighttrend.cgi?8
101 iframe http://acijwfr.freewww.info/nighttrend.cgi?8
93 iframe http://cqcsk.ddns.name/facebook.cgi?8
84 iframe http://thcolxbbt.qhigh.com/facebook.cgi?8
77 iframe http://bwnzgtv.qhigh.com/facebook.cgi?8
74 iframe http://anmvmhz.ddns.info/facebook.cgi?8
73 iframe http://hbuwmx.myddns.com/facebook.cgi?8
72 iframe http://qizkfd.mynumber.org/facebook.cgi?8
Most of them use a ChangeIP.com (dynamic DNS) subdomain as the first level of injection. Just check ddns.info, qhigh.com, mynumber.org, pcanywhere.net, etc. They are all part of http://www.changeip.com/. In the last 60 days alone, we identified more than 15,000 different subdomains from them being used to distribute malware.
Don't get us wrong, Dynamic DNS is a very useful service, but we would love to see them implement more serious filtering/blacklisting and some type of captcha to prevent their service from being abused by criminals.
However, in its current state, we can only recommend against using their service, to avoid being thrown in the mix with the thousands of malicious domains that they host.
*If you look back more than 6 months, .co.cc was the main domain distributing malware, but since it was shut down, the attackers have migrated to changeip.com. Hopefully they will do something about it.
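For site owners checking their own pages for this injection pattern, the following added example (not part of the original post) scans HTML for iframes whose host sits under one of the dynamic DNS parent zones seen in the list above. The function names, the watchlist set and the sample page are assumptions made for illustration; the sample hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Watchlist: parent zones that appear in the list above (extend as needed).
DYNDNS_ZONES = {
    "ddns.info", "ddns.name", "qhigh.com", "freewww.info", "freewww.biz",
    "mynumber.org", "pcanywhere.net", "myddns.com", "sellclassics.com",
}

def dyndns_zone(host):
    """Return the watchlisted zone that host is a subdomain of, else None."""
    labels = (host or "").lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # every proper parent suffix
        zone = ".".join(labels[i:])
        if zone in DYNDNS_ZONES:
            return zone
    return None

class IframeAudit(HTMLParser):
    """Collect (src, zone) for iframes hosted under a watchlisted zone."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        src = dict(attrs).get("src") or ""
        try:
            # Only absolute or protocol-relative URLs carry a host.
            host = urlsplit(src.strip()).hostname if "//" in src else None
        except ValueError:  # malformed URL such as a broken IPv6 literal
            host = None
        zone = dyndns_zone(host)
        if zone:
            self.hits.append((src, zone))

def audit_html(html):
    parser = IframeAudit()
    parser.feed(html)
    return parser.hits

# Constructed sample page; the subdomain labels are invented for this example.
SAMPLE = """<html><body>
<iframe src="https://www.youtube.com/embed/xyz"></iframe>
<iframe width="1" height="1" src="http://constructed-sub.ddns.info/page.cgi?8"></iframe>
<IFRAME SRC="//Other-Constructed.QHIGH.com/x"></IFRAME>
</body></html>"""

print(audit_html(SAMPLE))
```

A hit is a lead to investigate rather than proof of compromise, since legitimate sites also embed content served from dynamic DNS hosts.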