This week in our malware intelligence meeting, our analysts brought up DNS abuse by cybercriminals. Two malware samples were seen this week which had the domain “chickenkiller.com” in their infrastructure.
I thought this sounded familiar, but my first guess was wrong. Chupacabra means “goat sucker” not “chicken killer”. So, we did a search in the PhishMe Intelligence database and were surprised to see not only that “chickenkiller.com” was used in two different malware samples in the past week, but that there were also more than sixty phishing sites that linked to that domain!
What we’re seeing here is a combination of “Free subdomains” and “Dynamic DNS.”
The Anti-Phishing Working Group reports on the use of subdomain services for phishing in its twice-yearly Global Phishing Survey. In its last report, released on May 27, 2015, it found that free subdomain services were used in approximately 6% of all phishing reports, and that about half (49.5%) of those occurrences involved free “altervista.org” subdomains.
PhishMe’s Phishing Operations team would certainly agree that Altervista.org hosts a large quantity and variety of phishing subdomains! Already in 2015, we’ve seen altervista.org used in eleven different malware campaigns delivered via spam email, the majority of which distributed fake antivirus software and CryptoLocker ransomware. Additionally, 724 phishing sites on 424 different hostnames have been identified, spoofing 42 different online brands, all on subdomains freely provided by Altervista.org.
When a “Free subdomain” is provided, it just means that rather than registering your own domain name and having to pay for it, you can add a hostname to an existing domain name that the free subdomain provider is giving out. Often the quid pro quo for the free subdomain is that advertising may appear on the website that offers the free service.
“Dynamic DNS” is something else. For various reasons, people may want a name for their computer that follows it wherever it goes. This is common, for instance, in the online gaming community. If I’d like my fellow gamers to be able to use a gaming server on my computer, and my ISP assigns my address via DHCP, my IP address may change from time to time. I could therefore register my computer with a Dynamic DNS service. If I were to register a box for gaming, I might name it something like “GaryGamingBox.hopto.org”. Each time my computer came online, it would reach out to the Dynamic DNS service at “hopto.org” and tell it my current IP address. The Dynamic DNS service would then publish a record so that anyone looking up “GaryGamingBox.hopto.org” would learn my current IP address and could connect to the game.
While the service is valuable, it is open to DNS abuse by cybercriminals. Rather than risk exposing their identity by purchasing a domain name, cybercriminals can set up a phishing site on a laptop computer, link that computer to a Dynamic DNS service, and visit a nearby Internet café or hack someone’s Wi-Fi to connect anonymously to the Internet. The same pattern is very common among cybercriminals who run a class of malware called Remote Administration Trojans, or RATs.
In June of 2014, there was a great deal of controversy when the Microsoft Digital Crimes Unit disrupted two very large Remote Administration Trojan groups which they called Bladabindi (more commonly known as njRAT) and Jenxcus (better known as H-Worm).
In order to disrupt the RATs, the Microsoft Digital Crimes Unit obtained a court order allowing them to seize control of the Dynamic DNS service Vitalwerks Internet Solutions, d/b/a NO-IP.com. While the seizure was quickly reversed due to public outcry, the truth remained that many hacking websites and documents on how to set up your own RAT begin with instructions on how to link your Botnet Controller to a Dynamic DNS service.
The “builder” that lets a malware author create his own customized RAT prompts the criminal for the hostname that an infected victim should “call back” to in order to provide the Botnet criminal with remote control of the targeted machine. These RATs are used for a variety of purposes, including in many cases, controlling the webcam and microphone of the victim which can lead to “sextortion” and blackmail.
While the Microsoft takedown and the APWG report identify many of the most popular domain names used for Dynamic DNS, ChickenKiller.com is a gateway to a much larger and more varied community. Visiting “ChickenKiller.com” brings up a page informing us that ChickenKiller.com is one of the 90,000 Free DNS domains operated by Afraid.org, currently serving 3.7 million subdomains and processing 2,000 DNS queries per second.
The Afraid.org domain list offers 91,647 domains on which users can host their free subdomain. Since they are ordered by popularity, we checked the most popular ones against our phishing database:
mooo.com = 21 phishing campaigns, the most recent of which was a Wells Fargo phish at wellsfargo.com-login-online.mooo.com. Others included Poste Italiane, PayPal, Carta Si, Bank of America, QuickBooks (malware), Netflix, and Banco de Reservas.
chickenkiller.com = 59 phishing campaigns for a variety of brands, most recently Poste Italiane and Taobao.
us.to = 311 phishing campaigns, most of which were Paypal related, including some PayPal phishing campaigns from today on info-limit.us.to. Others included Facebook (warnku.us.to) and National Australia Bank.
strangled.net = 10 phishing campaigns, most recently a PayPal phish on www.paypal.service.com.strangled.net, but also Apple, Sicredi, Visa, MasterCard, and Taobao.
crabdance.com = 8 phishing campaigns, most recently an Apple iTunes phish.
info.tm = 75 phishing campaigns, including a Paypal phish from this week, paypal-serviced.info.tm and paypal.verfield.info.tm
While many of the phishers are taking advantage of Afraid.org’s offer of “Free subdomain AND domain hosting!”, others are more subtle in their use of the free services. For example, a recent PayPal phisher used the host “pplitalyppl.chickenkiller.com” to avoid exposing the true location of his phishing site in the spam emails he was sending. The spam contained the ChickenKiller link, which pointed at a simple PHP forwarder that redirected the user to the phisher’s hacked website in the Netherlands. In other cases the phishing page sits on a “normal” hacked website, but the form ACTION script that processes the stolen credentials (usually by emailing them to the criminal) is hosted on a free or dynamic DNS subdomain.
The bottom line is that business customers need to be aware of DNS abuse by cybercriminals. Free subdomain and dynamic DNS services are often used by criminals for their Trojans AND their phishing pages. These types of domains are also fairly unlikely to be used for legitimate B2B purposes, so their presence in your log files is likely to be highly suspect. Also, be aware that Afraid.org is a white hat hacking group. Josh Anderson, who runs a wide variety of interesting DNS services at that site, hates to have his domains abused as much as anyone else. If you see a suspicious subdomain address and the nameservers are set to “NS1.AFRAID.ORG”, be sure to report it by emailing “firstname.lastname@example.org”. It could be yet another case of DNS abuse by cybercriminals.
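To make the advice above concrete, here is an added example (our own illustration, not code from the original post or from PhishMe) of the log-triage logic it implies: pull hostnames out of proxy and DNS log lines, match them against a watchlist of free-subdomain and dynamic DNS parent domains, raise the severity when a brand name appears in the labels beneath the free parent (the wellsfargo.com-login-online.mooo.com shape), and apply the “NS1.AFRAID.ORG” rule of thumb to nameserver records you have already looked up. The log format, the sample log lines, the brand keyword list and the watchlist (built only from the domains named in this post; a real list would be far longer) are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed watchlist: free-subdomain / dynamic DNS parent domains named in the post.
# Afraid.org alone offers 90,000+ parents, so a production list would be much larger.
FREE_SUBDOMAIN_PARENTS = {
    "chickenkiller.com", "mooo.com", "us.to", "strangled.net", "crabdance.com",
    "info.tm", "altervista.org", "hopto.org", "no-ip.com",
}

# Constructed brand keywords; brand names inside a free subdomain are the classic phishing shape.
BRAND_KEYWORDS = ("paypal", "wellsfargo", "apple", "netflix", "facebook", "bankofamerica")

# Constructed sample log: "<timestamp> <client> <METHOD|DNS> <url | rrtype name>".
SAMPLE_LOG = [
    "2015-06-02T10:14:07Z 10.1.4.22 GET http://pplitalyppl.chickenkiller.com/login.php",
    "2015-06-02T10:14:09Z 10.1.4.22 GET http://www.example.com/index.html",
    "2015-06-02T10:15:31Z 10.1.4.40 DNS A wellsfargo.com-login-online.mooo.com",
    "2015-06-02T10:16:02Z 10.1.4.51 DNS A garygamingbox.hopto.org",
    "2015-06-02T10:17:45Z 10.1.4.22 POST http://www.paypal.service.com.strangled.net/verify.php",
]


def parent_domain(host):
    """Return the watchlisted suffix of host, or None.

    Walks from the full name down to its shortest suffix so that
    'pplitalyppl.chickenkiller.com' matches 'chickenkiller.com' and
    'info-limit.us.to' matches the two-label parent 'us.to'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in FREE_SUBDOMAIN_PARENTS:
            return candidate
    return None


def brand_in_subdomain(host, parent):
    """Brand keywords found in the labels *below* the free parent domain.

    Punctuation is stripped first so 'wellsfargo.com-login-online' still
    matches even though the phisher split the brand across dots and dashes.
    """
    sub = host.lower().rstrip(".")[: -len(parent)].rstrip(".")
    sub_norm = re.sub(r"[^a-z0-9]", "", sub)
    return [b for b in BRAND_KEYWORDS if b in sub_norm]


def hostname_from_log_line(line):
    """Extract the queried or requested hostname from one constructed log line."""
    fields = line.split()
    if len(fields) < 4:
        return None
    if fields[2] == "DNS":                      # DNS query log: "DNS <rrtype> <name>"
        return fields[4] if len(fields) > 4 else None
    if fields[3].startswith(("http://", "https://")):   # proxy log: "<METHOD> <url>"
        return urlsplit(fields[3]).hostname
    return None


def scan_log(lines):
    """Flag every hit on a free-subdomain parent; brand impersonation raises severity."""
    hits = []
    for line in lines:
        host = hostname_from_log_line(line)
        if not host:
            continue
        parent = parent_domain(host)
        if parent is None:
            continue
        brands = brand_in_subdomain(host, parent)
        hits.append({
            "client": line.split()[1],
            "host": host,
            "parent": parent,
            "brands": brands,
            "severity": "high" if brands else "medium",
        })
    return hits


def uses_afraid_nameservers(ns_records):
    """The post's reporting rule: NS records under afraid.org mean the parent is in
    Afraid.org's free DNS pool. ns_records is the list you got from
    `dig +short NS <parent>` (passed in, so this stays offline)."""
    return any(ns.lower().rstrip(".").endswith("afraid.org") for ns in ns_records)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['severity']:6} {hit['client']:10} {hit['host']} "
              f"(parent={hit['parent']}, brands={hit['brands']})")
```

The suffix walk matters more than it looks: an exact-match lookup on the registered domain would miss two-label parents like us.to and would wrongly treat www.paypal.service.com.strangled.net as belonging to service.com. In practice, feed the parent list from afraid.org’s own published domain list plus the dynamic DNS providers you care about, and treat any “high” hit as a credential-theft lead rather than a mere policy violation.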