This is a slightly more difficult post than usual to write. We have been seeing large email-based malware campaigns over the last few days. All the emails are coming from a handful of hosting companies/servers, either in Russia, Ukraine or India. So far that is nothing really unusual. What is difficult to accept is the number of what appear to be legitimate domains that are sending these emails. There are hundreds, if not thousands, of domains involved in these campaigns. Almost all the domains have been registered for many years, some for more than 10 years. That makes it less likely that they are knowingly involved or are actually knowingly hosted on the servers sending the emails.
Update 23 January 2019: I knew I couldn’t be the only one who had noticed this strange behaviour. Earlier today I was pointed to a post by Brian Krebs that confirms my suspicions about the DNS compromise or vulnerabilities in Godaddy’s DNS system. There is also a slightly more detailed write-up on Ars Technica.
The only thing I can find in common between all the domains is that they are using Godaddy name servers (domaincontrol.com). The domains are all registered through a range of registrars. My belief is that Godaddy’s name servers are somehow compromised, allowing these domains to be pointed at these malicious servers. From the quick lookups I have done on some of the domains, they still appear to be registered to the original registrants, so it is unlikely that the malware bad actors have actually purchased the domains when they expired.
If my beliefs are correct, it really looks like we have a massive worldwide problem with the Domain Name System and registrars somehow. I hope somebody better than me at analysing these trends can take a look and, if I am wrong, correct me and tell me how these criminals are using “legitimate” domains and managing to redirect them, if there is no compromise to the Domain Name System either at Godaddy or elsewhere.
I thought that you couldn’t use Godaddy’s name servers unless you were a Godaddy customer in some way. That would normally mean either registering the domain through them or hosting with them. What is most unusual about this set of campaigns is that none of the registration information, including name servers, has been updated for several months and in some cases a lot longer. Either the criminals have been steadily preparing these campaigns for an extremely long time, or there is a bug somewhere that allows the DNS entries to be changed without recording the time and date of the changes on the systems.
This is a screenshot from one example today.
I am posting a few screenshots from my mail server showing some of the domains, subjects and the ranges of IP addresses involved.
The actual malware is described in these posts and tweets (with links to samples).
First, though, here are details of the servers and IP ranges involved:
- 103.242.116.* AS133296 Web Werks India Pvt. Ltd.
- 103.242.117.* AS133296 Web Werks India Pvt. Ltd.
- 193.233.30.* mgnhost.ru AS202423 PE Viktor Tyurin
- 109.106.2.* AS48352 IP Starcev Eugenii Borisovich
- 185.239.51.* mgnhost.ru AS202423 PE Viktor Tyurin
- 91.222.237.* AS202423 PE Viktor Tyurin
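The two observations above (every affected domain sits on domaincontrol.com name servers, and the mail comes from the six /24 ranges listed) can be turned into a simple triage check for your own mail logs. The script below is an added example written for this post, not the author’s own tooling: it pulls the connecting IPs out of a few constructed Postfix-style log lines, matches them against the ranges from the list above, and for each sender domain checks whether its NS records point at domaincontrol.com and whether its A or MX hosts resolve into those ranges. The domain names, DNS answers and log lines are all made up for the example, and `sample_lookup` is an offline stand-in for a real resolver (in practice you would pass in a function wrapping dnspython or `dig`).

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# The /24 ranges and AS labels named in the post.
SUSPECT_RANGES = {
    "103.242.116.0/24": "AS133296 Web Werks India Pvt. Ltd.",
    "103.242.117.0/24": "AS133296 Web Werks India Pvt. Ltd.",
    "193.233.30.0/24": "AS202423 PE Viktor Tyurin (mgnhost.ru)",
    "109.106.2.0/24": "AS48352 IP Starcev Eugenii Borisovich",
    "185.239.51.0/24": "AS202423 PE Viktor Tyurin (mgnhost.ru)",
    "91.222.237.0/24": "AS202423 PE Viktor Tyurin",
}
SUSPECT_NETS = [(ipaddress.ip_network(n), label) for n, label in SUSPECT_RANGES.items()]

# Godaddy's name servers all live under this suffix (from the post).
GODADDY_NS_SUFFIX = ".domaincontrol.com"

# Constructed sample DNS answers (hypothetical .test domains, not real data).
# MX answers are given as bare exchange host names.
SAMPLE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("example-one.test", "NS"): ["ns41.domaincontrol.com.", "ns42.domaincontrol.com."],
    ("example-one.test", "A"): ["185.239.51.77"],
    ("example-one.test", "MX"): ["mail.example-one.test."],
    ("mail.example-one.test", "A"): ["185.239.51.77"],
    ("example-two.test", "NS"): ["ns1.otherdns.test.", "ns2.otherdns.test."],
    ("example-two.test", "A"): ["198.51.100.10"],
    ("example-two.test", "MX"): [],
    ("example-three.test", "NS"): ["ns07.domaincontrol.com.", "ns08.domaincontrol.com."],
    ("example-three.test", "A"): ["203.0.113.5"],
    ("example-three.test", "MX"): [],
}

# Constructed Postfix-style log lines (not from the author's server).
SAMPLE_LOG = """\
Jan 22 10:01:07 mx postfix/smtpd[1234]: connect from unknown[193.233.30.44]
Jan 22 10:01:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[193.233.30.44]
Jan 22 10:03:15 mx postfix/smtpd[1240]: connect from mail.example-three.test[203.0.113.5]
Jan 22 10:05:02 mx postfix/smtpd[1251]: connect from unknown[109.106.2.200]
"""

Lookup = Callable[[str, str], List[str]]


def sample_lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS resolver: returns the constructed answers above."""
    return SAMPLE_DNS.get((name.rstrip(".").lower(), rtype), [])


def suspect_range(ip: str) -> Optional[str]:
    """Return the AS label if ip falls in one of the listed ranges, else None."""
    addr = ipaddress.ip_address(ip)
    for net, label in SUSPECT_NETS:
        if addr in net:
            return label
    return None


def uses_godaddy_ns(ns_names: List[str]) -> bool:
    """True if any NS record is under domaincontrol.com."""
    return any(n.rstrip(".").lower().endswith(GODADDY_NS_SUFFIX) for n in ns_names)


def assess_domain(domain: str, lookup: Lookup = sample_lookup) -> dict:
    """Combine the NS check with an A/MX check against the suspect ranges."""
    ns = lookup(domain, "NS")
    mx_hosts = [h.rstrip(".") for h in lookup(domain, "MX")]
    candidate_ips = lookup(domain, "A") + [ip for h in mx_hosts for ip in lookup(h, "A")]
    hits = {}
    for ip in candidate_ips:
        label = suspect_range(ip)
        if label:
            hits[ip] = label
    godaddy = uses_godaddy_ns(ns)
    return {"domain": domain, "godaddy_ns": godaddy, "suspect_ips": hits,
            "flag": godaddy and bool(hits)}


def extract_sender_ips(log_text: str) -> List[str]:
    """Pull connecting IPs from 'connect from host[ip]' lines, deduplicated in order."""
    seen: List[str] = []
    for ip in re.findall(r"connect from \S+\[(\d+\.\d+\.\d+\.\d+)\]", log_text):
        if ip not in seen:
            seen.append(ip)
    return seen


def sender_ip_hits(ips: List[str]) -> Dict[str, str]:
    """Map observed sending IPs to the ranges listed in the post."""
    return {ip: suspect_range(ip) for ip in ips if suspect_range(ip)}


if __name__ == "__main__":
    ips = extract_sender_ips(SAMPLE_LOG)
    print("sending IPs in listed ranges:", sender_ip_hits(ips))
    for d in ("example-one.test", "example-two.test", "example-three.test"):
        print(assess_domain(d))
```

Note what the flag does and does not tell you: `example-three.test` is on Godaddy name servers but resolves elsewhere, so it is not flagged, while `example-one.test` is flagged because both conditions hold. A domain on domaincontrol.com alone is not evidence of anything, since a very large number of ordinary domains use those name servers; it is the combination with an A or MX record inside one of the sending ranges that is worth following up.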