List of Name Servers used by the Blackhole (BHEK) v2 Password Stealer Infector Bad Actors
11 Dec 2012 #MalwareMUSTDie!
We have recently been monitoring and analyzing the Cridex password-stealing Trojan dropped by the Blackhole Exploit Kit (BHEK) v2, and ended up at the domains below, which this group uses and which are currently ACTIVE, UP and ALIVE and infecting:

ganiopatia.ru
pelamutrika.ru
ganalionomka.ru
genevaonline.ru
podarunoki.ru
publicatorian.ru
pitoniamason.ru
dimarikanko.ru
aofngppahgor.ru ←[NEW!]
awoeionfpop.ru ←[NEW!]
aviaonlolsio.ru ←[NEW!]

As posted in some previous posts, these domains serve the infection via Blackhole EK through many proxies (mostly TCP/8080), using a constant set of 14 name servers (DNS servers) at the IPs below. As you can see, they mainly use NS servers on the following well-known networks:

IP               NETWORK                               Country
---------------------------------------------------
62.76.178.233    Clodo-Cloud/IT House, Ltd             RU, St. Petersburg
41.168.5.140     NET41 / AfriNIC                       MU
132.248.49.112   Univ. Nacional Autonoma de Mexico     Mexico
209.51.221.247   ENETNAP / eNET Inc.                   OH, US
62.76.177.104    Clodo-Cloud/IT House, Ltd             RU, St. Petersburg
110.164.58.250   TRIPLETNET-TH / BB ISP                Thailand
41.168.5.140     NET41 / AfriNIC                       MU
209.51.221.247   ENETNAP / eNET Inc.                   OH, US
62.76.189.72     Clodo-Cloud/IT House, Ltd             RU, St. Petersburg
163.10.12.83     AR-CEUN-LACNIC CESPI, UNLP            AR
216.99.149.226   Psychz Networks                       CA, US
208.87.243.196   Psychz Networks                       CA, US
203.146.208.180  IDC-CS Loxinfo                        Thailand
74.117.61.66     Psychz Networks                       CA, US

US: ISP service at Psychz Networks (CA) & eNET Inc. (Ohio)
RU: ISP at Clodo-Cloud/IT House, Ltd, St. Petersburg
*) the others are not significant services

What's the Point?
So if we can get the service closed at the US & RU ISPs, these bad actors will have weaker DNS with which to spread their infection. Please, someone, help inform the related ISPs/services in the US & St. Petersburg.

Proof of Concept
As the PoC of this, if you look up the NS of each domain (e.g. by querying type=ANY), you'll see a dump of the NS servers used, as follows:

ns1.aofngppahgor.ru. A 62.76.189.72
ns2.aofngppahgor.ru. A 62.76.177.104
ns3.aofngppahgor.ru. A 41.168.5.140
ns4.aofngppahgor.ru. A 209.51.221.247
ns5.aofngppahgor.ru. A 42.121.116.38
ns6.aofngppahgor.ru. A 110.164.58.250
ns7.aofngppahgor.ru. A 41.168.5.140
ns8.aofngppahgor.ru. A 209.51.221.247
ns9.aofngppahgor.ru. A 62.76.189.72
ns10.aofngppahgor.ru. A 163.10.12.83
ns11.aofngppahgor.ru. A 216.99.149.226
ns12.aofngppahgor.ru. A 208.87.243.196
ns13.aofngppahgor.ru. A 203.146.208.180
ns14.aofngppahgor.ru. A 74.117.61.66
ns1.ganiopatia.ru. A 62.76.178.233
ns2.ganiopatia.ru. A 41.168.5.140
ns3.ganiopatia.ru. A 132.248.49.112
ns4.ganiopatia.ru. A 209.51.221.247
ns5.ganiopatia.ru. A 62.76.177.104
ns6.ganiopatia.ru. A 110.164.58.250
ns7.ganiopatia.ru. A 41.168.5.140
ns8.ganiopatia.ru. A 209.51.221.247
ns9.ganiopatia.ru. A 62.76.189.72
ns10.ganiopatia.ru. A 163.10.12.83
ns11.ganiopatia.ru. A 216.99.149.226
ns12.ganiopatia.ru. A 208.87.243.196
ns13.ganiopatia.ru. A 203.146.208.180
ns14.ganiopatia.ru. A 74.117.61.66
ns1.pelumutrika.ru A 69.64.89.82
ns2.pelamutrika.ru A 41.168.5.140
ns3.pelamutrika.ru A 132.248.49.112
ns4.pelamutrika.ru A 209.51.221.247
ns5.pelamutrika.ru A 208.87.243.196
ns6.pelamutrika.ru A 216.99.149.226
ns7.pelamutrika.ru A 41.168.5.140
ns8.pelamutrika.ru A 209.51.221.247
ns9.pelamutrika.ru A 62.76.189.72
ns10.pelamutrika.ru A 163.10.12.83
ns11.pelamutrika.ru A 216.99.149.226
ns12.pelamutrika.ru A 208.87.243.196
ns13.pelamutrika.ru A 203.146.208.180
ns1.ganalionomka.ru A 62.76.178.233
ns2.ganalionomka.ru A 41.168.5.140
ns3.ganalionomka.ru A 132.248.49.112
ns4.ganalionomka.ru A 209.51.221.247
ns5.ganalionomka.ru A 62.76.177.104
ns6.ganalionomka.ru A 110.164.58.250
ns7.ganalionomka.ru A 41.168.5.140
ns8.ganalionomka.ru A 209.51.221.247
ns9.ganalionomka.ru A 62.76.189.72
ns10.ganalionomka.ru A 163.10.12.83
ns11.ganalionomka.ru A 216.99.149.226
ns12.ganalionomka.ru A 208.87.243.196
ns13.ganalionomka.ru A 203.146.208.180
ns14.ganalionomka.ru A 74.117.61.66
ns1.genevaonline.ru A 62.76.178.233
ns2.genevaonline.ru A 41.168.5.140
ns3.genevaonline.ru A 132.248.49.112
ns4.genevaonline.ru A 209.51.221.247
ns5.genevaonline.ru A 62.76.177.104
ns6.genevaonline.ru A 110.164.58.250
ns7.genevaonline.ru A 41.168.5.140
ns8.genevaonline.ru A 209.51.221.247
ns9.genevaonline.ru A 62.76.189.72
ns10.genevaonline.ru A 163.10.12.83
ns11.genevaonline.ru A 216.99.149.226
ns12.genevaonline.ru A 208.87.243.196
ns13.genevaonline.ru A 203.146.208.180
ns14.genevaonline.ru A 74.117.61.66
ns1.podarunoki.ru A 62.76.178.233
ns2.podarunoki.ru A 41.168.5.140
ns3.podarunoki.ru A 132.248.49.112
ns4.podarunoki.ru A 209.51.221.247
ns5.podarunoki.ru A 62.76.177.104
ns6.podarunoki.ru A 110.164.58.250
ns7.podarunoki.ru A 41.168.5.140
ns8.podarunoki.ru A 209.51.221.247
ns9.podarunoki.ru A 62.76.189.72
ns10.podarunoki.ru A 163.10.12.83
ns11.podarunoki.ru A 216.99.149.226
ns12.podarunoki.ru A 208.87.243.196
ns13.podarunoki.ru A 203.146.208.180
ns14.podarunoki.ru A 74.117.61.66
ns1.publicatorian.ru A 62.76.189.72 69.64.89.82
ns2.publicatorian.ru A 41.168.5.140
ns3.publicatorian.ru A 132.248.49.112
ns4.publicatorian.ru A 209.51.221.247
ns5.publicatorian.ru A 208.87.243.196
ns6.publicatorian.ru A 216.99.149.226
ns7.publicatorian.ru A 41.168.5.140
ns8.publicatorian.ru A 209.51.221.247
ns9.publicatorian.ru A 62.76.189.72
ns10.publicatorian.ru A 163.10.12.83
ns11.publicatorian.ru A 216.99.149.226
ns12.publicatorian.ru A 208.87.243.196
ns13.publicatorian.ru A 203.146.208.180
ns14.publicatorian.ru A 74.117.61.66
ns1.pitoniamason.ru A 62.76.189.72
ns2.pitoniamason.ru A 41.168.5.140
ns3.pitoniamason.ru A 132.248.49.112
ns4.pitoniamason.ru A 209.51.221.247
ns5.pitoniamason.ru A 208.87.243.196
ns6.pitoniamason.ru A 216.99.149.226
ns7.pitoniamason.ru A 41.168.5.140
ns8.pitoniamason.ru A 209.51.221.247
ns9.pitoniamason.ru A 62.76.189.72
ns10.pitoniamason.ru A 163.10.12.83
ns11.pitoniamason.ru A 216.99.149.226
ns12.pitoniamason.ru A 208.87.243.196
ns13.pitoniamason.ru A 203.146.208.180
ns14.pitoniamason.ru A 74.117.61.66
ns1.dimarikanko.ru A 62.76.178.233
ns2.dimarikanko.ru A 41.168.5.140
ns3.dimarikanko.ru A 132.248.49.112
ns4.dimarikanko.ru A 209.51.221.247
ns5.dimarikanko.ru A 62.76.177.104
ns6.dimarikanko.ru A 110.164.58.250
ns7.dimarikanko.ru A 41.168.5.140
ns8.dimarikanko.ru A 209.51.221.247
ns9.dimarikanko.ru A 62.76.189.72
ns10.dimarikanko.ru A 163.10.12.83
ns11.dimarikanko.ru A 216.99.149.226
ns12.dimarikanko.ru A 208.87.243.196
ns13.dimarikanko.ru A 203.146.208.180
ns14.dimarikanko.ru A 74.117.61.66

#MalwareMustDie - #Tips: Easy Way to Check Spam linked bad URL was cases of BHEK exposed in MMD/not: pastebin.com/raw.php?i=q1NF… Cc: @tdotwhitehat
— Malware Crusaders (@MalwareMustDie) December 14, 2012

Update: Evil DNS List as per the 2012 Dec 25 infection
ns1.bilainkos.ru. 3599 IN A 62.76.186.24
ns2.bilainkos.ru. 3599 IN A 110.164.58.250
ns3.bilainkos.ru. 3599 IN A 42.121.116.38
ns4.bilainkos.ru. 3599 IN A 41.168.5.140
ns5.bilainkos.ru. 60 IN A 110.164.58.250
ns6.bilainkos.ru. 60 IN A 41.168.5.140
ns7.bilainkos.ru. 60 IN A 62.76.186.24
ns8.bilainkos.ru. 60 IN A 209.51.221.247
ns9.bilainkos.ru. 60 IN A 163.10.12.83
ns10.bilainkos.ru. 60 IN A 216.99.149.226
ns11.bilainkos.ru. 60 IN A 208.87.243.196
ns12.bilainkos.ru. 60 IN A 203.146.208.180
ns13.bilainkos.ru. 60 IN A 74.117.61.66
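To work with dumps like the ones above (the per-domain NS records in the Proof of Concept section and the Dec 25 update) the way a defender would, here is an added Python example; it is not code from the MalwareMustDie post. It parses both record shapes shown on the page (`ns1.x.ru. A <ip>` and `ns1.x.ru. 3599 IN A <ip>`, including the line that carries two IPs), builds an index of which NS IPs are reused across domains, extracts the constant core that every domain depends on, and groups the reused IPs by the owning networks from the table above so one abuse report can go to each provider. The `SAMPLE` dump is a constructed excerpt of records on the page, the function names are mine, and the `NETWORK_OWNER` labels are abbreviated from the post's table (an assumption that the table is current; unlisted IPs are flagged for WHOIS).

```python
"""Pivot on shared authoritative name servers across a set of malicious domains.

Added example, not code from the MalwareMustDie post. It consumes the kind of
`ns<N>.<domain> [TTL IN] A <ip>` dump shown in the post and answers two questions:
which NS IPs does every domain depend on, and which providers host them?
"""
import re
from collections import defaultdict

# Two record shapes appear on the page; the regex accepts both, with or without
# a trailing dot on the owner name, and tolerates a line carrying two IPs:
#   ns1.ganiopatia.ru. A 62.76.178.233
#   ns4.bilainkos.ru. 3599 IN A 41.168.5.140
RECORD_RE = re.compile(
    r"^ns\d+\.(?P<domain>[\w.-]+?)\.?\s+(?:\d+\s+IN\s+)?A\s+(?P<ips>[\d. ]+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Owner labels abbreviated from the post's IP/NETWORK/Country table (assumption:
# the table is current; anything not listed is handed to WHOIS by the analyst).
NETWORK_OWNER = {
    "62.76.178.233": "Clodo-Cloud/IT House, Ltd (RU)",
    "62.76.177.104": "Clodo-Cloud/IT House, Ltd (RU)",
    "62.76.189.72": "Clodo-Cloud/IT House, Ltd (RU)",
    "41.168.5.140": "NET41 / AfriNIC (MU)",
    "132.248.49.112": "Univ. Nacional Autonoma de Mexico (MX)",
    "209.51.221.247": "eNET Inc. (OH, US)",
    "110.164.58.250": "TRIPLETNET-TH / BB ISP (TH)",
    "163.10.12.83": "CESPI, UNLP (AR)",
    "216.99.149.226": "Psychz Networks (CA, US)",
    "208.87.243.196": "Psychz Networks (CA, US)",
    "203.146.208.180": "IDC-CS Loxinfo (TH)",
    "74.117.61.66": "Psychz Networks (CA, US)",
}
UNKNOWN_OWNER = "unknown (look up in WHOIS)"

# Constructed excerpt of the records on the page: both formats plus the
# two-IP line, enough to exercise the logic offline.
SAMPLE = """\
ns1.ganiopatia.ru. A 62.76.178.233
ns2.ganiopatia.ru. A 41.168.5.140
ns4.ganiopatia.ru. A 209.51.221.247
ns9.ganiopatia.ru. A 62.76.189.72
ns14.ganiopatia.ru. A 74.117.61.66
ns1.pelamutrika.ru A 69.64.89.82
ns2.pelamutrika.ru A 41.168.5.140
ns4.pelamutrika.ru A 209.51.221.247
ns9.pelamutrika.ru A 62.76.189.72
ns1.publicatorian.ru A 62.76.189.72 69.64.89.82
ns2.publicatorian.ru A 41.168.5.140
ns4.publicatorian.ru A 209.51.221.247
ns4.bilainkos.ru. 3599 IN A 41.168.5.140
ns8.bilainkos.ru. 60 IN A 209.51.221.247
ns13.bilainkos.ru. 60 IN A 74.117.61.66
"""


def parse_records(text):
    """Return {domain: set(ns_ip)} from a dump of ns*.<domain> A records."""
    by_domain = defaultdict(set)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not an A record
        for ip in m.group("ips").split():
            if IPV4_RE.match(ip):
                by_domain[m.group("domain")].add(ip)
    return dict(by_domain)


def shared_ns_ips(by_domain, min_domains=2):
    """Invert the index: {ip: sorted domains} for IPs serving >= min_domains domains."""
    index = defaultdict(set)
    for domain, ips in by_domain.items():
        for ip in ips:
            index[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in index.items() if len(doms) >= min_domains}


def infrastructure_core(by_domain):
    """IPs present in every domain's NS set: the constant backbone to act on first."""
    sets = list(by_domain.values())
    return set.intersection(*sets) if sets else set()


def abuse_report_targets(by_domain, min_domains=2):
    """Group reused NS IPs by owning network, so one report goes to each provider."""
    targets = defaultdict(list)
    for ip, domains in shared_ns_ips(by_domain, min_domains).items():
        targets[NETWORK_OWNER.get(ip, UNKNOWN_OWNER)].append((ip, len(domains)))
    return {owner: sorted(hits) for owner, hits in targets.items()}


if __name__ == "__main__":
    by_domain = parse_records(SAMPLE)
    print("domains parsed:", len(by_domain))
    print("core NS IPs shared by every domain:", sorted(infrastructure_core(by_domain)))
    for owner, hits in abuse_report_targets(by_domain).items():
        print(owner)
        for ip, n in hits:
            print(f"  {ip}  serves NS for {n} domains")
```

Feed it the full dump from the post instead of `SAMPLE` and the intersection reproduces the "constant 14 NameServer" observation directly, while the per-owner grouping is what backs the request above to notify the US and St. Petersburg providers: the IPs with the highest domain counts are the ones whose takedown hurts the whole set of domains at once.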