Last week blackhat hackers posted a translated advertisement, which was targeted to criminals. The offer was an upgraded, stealthier version of the very popular kit labeled “Blackhole”. Same price, better features, bigger exploits.


OpenDNS security researchers share below our analysis of new malware domains associated with this new threat. For reference on what “Blackhole” is or has recently exploited, read our past blog posts (here and here).

We have collected 47 new domains associated with Blackhole. Some domains may be used for malware distribution hosts (i.e. websites) whereas others may be botnet controller hosts. Most of these domains have had DNS request activity over the last two weeks.

We have visualized the unique client IP addresses attempting to access these domains on a heat map.
[show-script script=”blackhole-client-ips”]

Two domains — and — were observed to be queried within seconds of each other from one of these networks.

Infection chains (i.e. a succession of DNS requests within a short time interval) is a good indicator for detecting infected devices, or devices visiting infected websites. We are currently analyzing the 40+ billion DNS queries we receive daily (and billions archived in the past) to determine if such DNS activity patterns exist on other networks. Such patterns can then be automatically detected to more proactively protect clients and their networks from being exploited by Blackhole.

The benefit of harnessing the OpenDNS Internet-Wide Security Network to turn big data into useful big information is to prevent new infections and/or contain leaks from existing infections. And today all OpenDNS business customers are protected from connecting to known bad hosts associated with Blackhole.

This post is categorized in: