ChangeIP (dynamic DNS) malware

If you look at the top domains distributing malware for the last days (and months), what do you see in common?

#numberofsitesinfected #type #malwaredomain
650 iframe
315 iframe
275 iframe
179 iframe
159 iframe
148 iframe
146 iframe
126 iframe
116 iframe
101 iframe
93  iframe
84  iframe
77  iframe
74  iframe
73  iframe
72  iframe

Most of them are using a (dynamic DNS) sub domain as the first level of injection. Just check,,,, etc, etc. They are all part of: Just in the last 60 days, weidentified more than 15,000 different sub domains from them being used to distribute malware.

Don\’t get us wrong, Dynamic DNS is a very useful service, but we would love if they would implement more serious filtering/blacklistingand some type of captcha to prevent their service from being abused by criminals.

However, in the current state, we can only recommend against using their service to avoid being thrown in the mix with thethousands of malicious domains that they host.

*If you look past 6 months ago, was the main domain distributing malware, but since it was shut down, the attackers have migrated to Hopefully they will do something about it.

Leave a Reply