
Registrars Release Suspended Domains to Attackers

A new outbreak of SQL injection attacks began on the 8th. Not that they ever really go away, but new waves replace the old ones. The attackers are using a much larger number of domains than seen in previous months: just 11 days into June, 54 of these domains have already been observed. Many of them are previously suspended domains that registrars have released back to the attackers. The end result is that some of the domains involved in the late May and early June attacks are now active again. Thus it is not only newly compromised sites that are foisting the malware; any previously compromised sites that have not cleaned up their pages (and properly parameterized their SQL queries) will once again serve as conveyor belts for password-stealing trojans. (Description of how SQL injection attacks work)
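The fix the paragraph names is parameterization: the database driver receives the value separately from the SQL text, so it is never parsed as part of the statement. The following added example (not code from the original post or from ScanSafe) contrasts a concatenated query with a bound-parameter query against a constructed in-memory SQLite catalogue; the table, rows and the `lookup_*` function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample catalogue: text columns of the kind that end up rendered in web pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT)")
    conn.executemany(
        "INSERT INTO products (name, descr) VALUES (?, ?)",
        [("widget", "A plain widget"), ("gadget", "A plain gadget")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Dynamic SQL built by string concatenation: the caller's input becomes SQL text."""
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the value is passed out-of-band and treated purely as data."""
    return conn.execute("SELECT id, name FROM products WHERE name = ?", (name,)).fetchall()


# Constructed input that closes the quoted literal and appends an always-true condition.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Returns (rows from the concatenated query, rows from the parameterized query)."""
    conn = make_db()
    vuln = lookup_vulnerable(conn, TAUTOLOGY)   # returns every product row
    safe = lookup_parameterized(conn, TAUTOLOGY)  # no product is literally named "x' OR '1'='1"
    return len(vuln), len(safe)


if __name__ == "__main__":
    print(demo())  # (2, 0)
```

The same input that widens the concatenated query to the whole table matches nothing when bound as a parameter, which is the property the post is asking site owners to restore before their pages are re-infected.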

This combination has led to the highest volume of traffic to compromised sites seen to date. On June 9th, ScanSafe STAT observed a 121% increase in malware blocks, 59% of which were the result of this latest wave of SQL injection attacks (breaking May's record average of 46%). More disturbing (except for ScanSafe customers), only 2% of the latest SQL injection attacks were detected via signature-based methods; 98% of the June 9th attacks were detected via our zero-day threat protection.

As discussed in the June 5th blog post, some of the June attack domains have IP addresses that appear to be constantly changing. The following is an updated list of domains involved in SQL injection attacks in June. As noted, even those previously suspended may now be active.

cat92.net
client46.com
en-us18.com
guid86.com
libid53.com
locale48.com
logid83.com
redir94.com
refer68.com
rexec39.com
rundll41.com
rundll92.com
script46.com
sysid72.com
tag95.com
tagid42.com
trace88.com
user93.com
xml48.com
1817520.cn
encode72.com
err68.com
exe94.com
exec51.com
o7n9.cn
rundll841.com
siteid38.com
soft666666.cn
sslnet72.com
sslput4.com
tag58.com
msi7ka.cn
fire321.cn
kehu99.cn
live322.cn
mmboi.cn
user1.hao752.cn
view89.com
win496.com
advertbnr.com
cookieadw.com
user1.hao501.cn
cuteqq.cn
9user.cn
bannerupd.com
catlsolu.co.uk
cpreec.org
g0ogle.net.cn
killpp.cn
psp666.cn
w32.9966.org
6888ip.cn
mm.6w6w6w.com
ww.1d1d1d.com
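A site owner checking whether their pages still carry script tags pointing at the domains above can run a check like the following. This is an added example, not code from the original post or from ScanSafe; the domain set is copied from the list above, while the sample HTML, its script path (a placeholder, not a real payload URL) and the function names are constructed for the demonstration. The same functions can be run over text columns pulled from the database, since that is where the injected markup is stored.

```python
import re
from urllib.parse import urlparse

# Domains from the list in the post above.
ATTACK_DOMAINS = set("""
cat92.net client46.com en-us18.com guid86.com libid53.com locale48.com logid83.com
redir94.com refer68.com rexec39.com rundll41.com rundll92.com script46.com sysid72.com
tag95.com tagid42.com trace88.com user93.com xml48.com 1817520.cn encode72.com err68.com
exe94.com exec51.com o7n9.cn rundll841.com siteid38.com soft666666.cn sslnet72.com
sslput4.com tag58.com msi7ka.cn fire321.cn kehu99.cn live322.cn mmboi.cn user1.hao752.cn
view89.com win496.com advertbnr.com cookieadw.com user1.hao501.cn cuteqq.cn 9user.cn
bannerupd.com catlsolu.co.uk cpreec.org g0ogle.net.cn killpp.cn psp666.cn w32.9966.org
6888ip.cn mm.6w6w6w.com ww.1d1d1d.com
""".split())

# Matches an external <script src=...></script> tag and captures the src value.
SCRIPT_RE = re.compile(
    r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)['\"]?[^>]*>\s*</script>", re.I
)


def matched_domain(url):
    """Return the listed domain that the URL's host equals or is a subdomain of, else None."""
    host = (urlparse(url).hostname or "").lower()
    for d in ATTACK_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def find_injected_scripts(html):
    """List (src, matched_domain) for every script tag that loads from a listed domain."""
    hits = []
    for m in SCRIPT_RE.finditer(html):
        d = matched_domain(m.group(1))
        if d:
            hits.append((m.group(1), d))
    return hits


def clean_html(html):
    """Remove only the script tags that reference a listed domain; leave other markup intact."""
    def repl(m):
        return "" if matched_domain(m.group(1)) else m.group(0)
    return SCRIPT_RE.sub(repl, html)


# Constructed page: one legitimate local script and one injected tag (placeholder path).
SAMPLE_HTML = (
    '<html><head><title>Catalogue</title>'
    '<script src="/js/site.js"></script></head>'
    '<body><p>Widget</p>'
    '<SCRIPT SRC="http://rundll41.com/PLACEHOLDER.js"></SCRIPT>'
    '</body></html>'
)

if __name__ == "__main__":
    for src, dom in find_injected_scripts(SAMPLE_HTML):
        print("injected script", src, "-> listed domain", dom)
    print(clean_html(SAMPLE_HTML))
```

Matching on the host rather than on the raw string avoids both false negatives (upper-case tags, subdomains such as `www.`) and false positives on unrelated names that merely contain a listed domain as a substring; a page that comes back clean here but is re-infected days later still has the underlying query bug the post describes.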

Posted on Tuesday, June 10, 2008 at 02:11PM by Mary Landesman
