e-netprotections.su ?

Published: 2013-05-17
Last Updated: 2013-05-17 00:02:07 UTC
by Daniel Wesemann (Version: 1)
5 comment(s)


Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well.

Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats.cc, emstats.su, ehistats.su, e-protections.su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records .. until I only searched for "e-protections", and found e-protections.cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer. The similarity of the names was too much of a coincidence, and it meant bad news for Michael.

Looking at what was captured by some of our network sensors allowed to reconstruct a (partial) picture of the IPs and ASN's involved in today's malware wave

Domain IP AS Provider Country
ppetoc.iestats.cc 30517 Great Lakes Comnet USA
ppetoc.iestats.cc 8972 PlusServer Intergenia AG Germany
ppetoc.iestats.cc 40676 Psychz Networks USA
ppetoc.iestats.cc 24940 Hetzner Online AG Germany
ppetoc.iestats.cc 57172 Global Layer B.V. Netherlands

The host name portion for some of the domains looks like it is time dependent (incrementing ascii) whereas other domains use (apparently) random names like d3acofzi7hjft.e-protections.su. Name servers involved today include ns1.abercrombienfr.net (currently - AS1426) and ns1.semi-spa.net (currently - AS50300). I doubt the former has anything to do with the clothing store, the domain was created four months ago.

Closer inspection of Michael's PCs revealed that each infected box was apparently running a slightly different version of the EXE. Anti-Virus coverage is still thin (Virustotal) , but the Heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far.

If you have information to add on this particular malware or the domains mentioned, please comment below, or use our contact form.


Keywords: malware
5 comment(s)


Run it through Anubis http://anubis.iseclab.org/
I've never seen anything worthwhile come out of .pw either.
Attackers never used the evil bit, but at least they're using evil TLDs.
- https://www.abuse.ch/?p=3581

Medfos sites to block 31/5/13
- http://blog.dynamoo.com/2013/05/medfos-sites-to-block-31513.html
31 May 2013
[Look-alike .su and .cc sites]

Diary Archives