pyrhox.eu
The domains all resolve to the same IP address, a server located in the Czech Republic.
They are short-lived; the names only resolve to the target server for a brief period before the attackers move on to the next.
This kind of rapid rotation is common: many threats cycle through throwaway domains so that each name is burned before URL filters and blocklists catch up with it.
Normally, however, it is TLDs other than .eu that are abused.
Digging a little further into the WHOIS information for these registrations reveals something interesting: a Finnish connection, based on the registrant details provided.
We can go back a few more months, and see a similar spate of activity, again used for Blackhole hosting, but on .IN domains.
zjmnwv.in
yyssyr.in
wkhmyk.in
hwhjgj.in
As you can see, the domain names follow the same 6-character, seemingly random pattern.
Looking at the WHOIS information for some of these again throws up our Finnish connection!
And guess what? When active, these .IN domain names resolved to the very same IP address as above!
And what of this IP address? It has something of a long history of questionable activity, extending over many months. It currently hosts over 100 domains, whose purpose ranges from porn site gateways (referenced in spam) through to exploit sites.
This episode raises an important question. Is there more that Registrars could or should be doing to prevent the bad guys abusing their services?
Some of the very same techniques that we use to join the dots between data, linking attacks and highlighting malicious activity could be very useful to Registrars attempting to block malicious activity earlier.
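As an added example (not code from the original post or from SophosLabs), here is what that "joining the dots" pivot looks like in code: starting from one seed domain, expand through every domain that shares a resolved IP address or a WHOIS registrant handle with it, then triage each member of the resulting cluster against the indicators described above (the 6-character random-looking name and the short lifetime). The domain names are the ones quoted in the post; the IP address, first/last-seen dates and registrant handles are constructed placeholders, not the real resolution or WHOIS data.

```python
"""Pivot on shared hosting and shared registrant data, then triage the cluster.

All records below are constructed sample data: the domain names come from the
post, but the IP address (a documentation range), the dates and the registrant
handles are placeholders standing in for real passive-DNS and WHOIS output.
"""
import re
from collections import defaultdict
from datetime import date

# The post's pattern: six letters, nothing else, directly under the TLD.
SIX_RANDOM = re.compile(r"^[a-z]{6}\.[a-z]+$")

# Constructed passive-DNS style records: (domain, ip, first_seen, last_seen)
RESOLUTIONS = [
    ("pyrhox.eu",     "192.0.2.10",   date(2012, 2, 1),   date(2012, 2, 3)),
    ("zjmnwv.in",     "192.0.2.10",   date(2011, 11, 4),  date(2011, 11, 6)),
    ("yyssyr.in",     "192.0.2.10",   date(2011, 11, 7),  date(2011, 11, 8)),
    ("wkhmyk.in",     "192.0.2.10",   date(2011, 11, 9),  date(2011, 11, 11)),
    ("hwhjgj.in",     "192.0.2.10",   date(2011, 11, 12), date(2011, 11, 14)),
    ("shop-deals.eu", "192.0.2.10",   date(2011, 6, 1),   date(2012, 2, 10)),
    ("example.org",   "198.51.100.7", date(2009, 1, 1),   date(2012, 2, 10)),
]

# Constructed registrant handles (placeholders, not real WHOIS registrants)
REGISTRANTS = {
    "pyrhox.eu": "REG-A",
    "zjmnwv.in": "REG-A",
    "yyssyr.in": "REG-A",
    "wkhmyk.in": "REG-B",
    "hwhjgj.in": "REG-A",
    "shop-deals.eu": "REG-D",
    "example.org": "REG-C",
}


def looks_random(domain: str) -> bool:
    """True for the 6-character throwaway names seen in the post."""
    return bool(SIX_RANDOM.match(domain))


def short_lived(first_seen: date, last_seen: date, max_days: int = 7) -> bool:
    """True if the name resolved to the server for at most max_days."""
    return (last_seen - first_seen).days <= max_days


def pivot(seed: str, resolutions, registrants) -> set:
    """Expand from seed through shared IPs and shared registrants to a fixed point."""
    ip_to_domains = defaultdict(set)
    domain_to_ips = defaultdict(set)
    for domain, ip, _, _ in resolutions:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
    handle_to_domains = defaultdict(set)
    for domain, handle in registrants.items():
        handle_to_domains[handle].add(domain)

    cluster, frontier = {seed}, [seed]
    while frontier:
        current = frontier.pop()
        linked = set()
        for ip in domain_to_ips.get(current, ()):
            linked |= ip_to_domains[ip]          # hosted on the same server
        handle = registrants.get(current)
        if handle:
            linked |= handle_to_domains[handle]  # same registrant details
        for neighbour in linked - cluster:
            cluster.add(neighbour)
            frontier.append(neighbour)
    return cluster


def triage(cluster: set, resolutions, registrants, seed: str) -> dict:
    """Per domain, list which indicators fire. A shared IP alone is not one:
    the server in the post hosts over 100 domains, so IP co-hosting only
    brings a name into the cluster; the name and lifetime decide suspicion."""
    lifetime = {d: (first, last) for d, _, first, last in resolutions}
    seed_handle = registrants.get(seed)
    report = {}
    for domain in sorted(cluster):
        indicators = []
        if looks_random(domain):
            indicators.append("random-6-char-name")
        first, last = lifetime[domain]
        if short_lived(first, last):
            indicators.append("short-lived")
        if domain != seed and registrants.get(domain) == seed_handle:
            indicators.append("same-registrant-as-seed")
        report[domain] = indicators
    return report


if __name__ == "__main__":
    found = pivot("pyrhox.eu", RESOLUTIONS, REGISTRANTS)
    for domain, indicators in triage(found, RESOLUTIONS, REGISTRANTS, "pyrhox.eu").items():
        print(f"{domain:15} {', '.join(indicators) or 'no indicators'}")
```

Run against the sample data, the pivot pulls the four .IN names into the same cluster as pyrhox.eu (through the shared server and the shared registrant), while example.org, which shares nothing, stays out. shop-deals.eu is pulled in by the shared IP but gets no indicators, which is exactly the caveat a registrar or analyst needs: co-hosting on a busy server is grounds for a look, not for a takedown.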
History tells us that the .eu registry, EURid, is no stranger to decisive action when it comes to protecting the reputation of the TLD.
I have reported the current spate of abuse to the appropriate people, so time will tell how effectively they can snuff out this activity.