“Blackhole” Exploit Kit DGA Analysis

By OpenDNS Security Research
Posted on July 7, 2012
Updated on July 23, 2020


[ Editor’s note: Our new security research team is cranking out information faster than we can create a security blog. So for now, we’re sharing some of the cool stuff they are doing here. Here’s one of their first pieces, dissecting the “Blackhole” exploit kit. ]

What is the “Blackhole” Exploit Kit?

  • A very popular and customizable kit to exploit a range of client vulnerabilities via the Web.
  • Hackers license the kit (or rent an already exploited site) to cyber criminals.
  • Cyber criminals compromise Web pages and embed an invisible iFrame.
  • Potential victims visit a compromised Web page and are redirected to the hosted exploit.
  • If the victim has one of the targeted client vulnerabilities, their device is infected.
  • OpenDNS’s enforcement is device-, application-, protocol- and port-agnostic so all our users with OpenDNS malware protection are protected.
Figure: Redirect to malware host site within invisible iframe.

What is a Domain Generation Algorithm (DGA)?

  • Multiple, frequently generated domains are used to host the exploit kit, so that the security community cannot easily block the site or its DNS record.
  • This technique has been used since 2004 for botnet controllers, but many in the security community now see it as an emerging trend for malware hosting sites.
  • This new “Blackhole” variation generates one unique second-level domain every 12 hours.
  • The machine’s timestamp seeds a fixed cryptographic algorithm.
  • The algorithm produces 16-character domain labels under the .ru top-level domain.
  • Domain names produced by this algorithm are registered in advance, for dates about 2 months ahead.
  • OpenDNS blocks all such domains for users of our service.
Figure: Snapshot taken on July 6 shows domains generated in the past week and two future days.

What did OpenDNS discover?

  • Domain name analysis can detect strings in domain labels whose entropy, or lack of order, is a strong indicator that an algorithm rather than a human created the domain.
  • Very random domain name strings have a high lexical complexity.
  • These are often software generated, with potentially malicious origin.
  • Blackhole DGA domain complexity is graphed in red below.
  • Human-readable domain strings have a low lexical complexity.
  • These are often legitimate sites.
  • The complexity of the top 1 million accessed domains is graphed in green below.
Figure: Lexical analysis on the domain names.
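To make the lexical-complexity idea concrete, here is an added example (written for this post, not OpenDNS’s own scoring code) that scores a label by length-normalised Shannon entropy plus penalties for long consonant clusters and vowel scarcity, and classifies the second-level label of a domain. The sample domains are constructed for the example, not real Blackhole domains, and the threshold of 1.5 is an assumption chosen for these samples.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

def shannon_entropy(label: str) -> float:
    """Bits per character of the label's character distribution."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def longest_consonant_run(label: str) -> int:
    """Length of the longest run of consecutive consonants (digits break a run)."""
    run = best = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def vowel_ratio(label: str) -> float:
    letters = [ch for ch in label if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0

def lexical_complexity(label: str) -> float:
    """Simplified lexical-complexity score: length-normalised entropy (0..1) plus
    penalties for consonant clusters longer than 3 and for fewer than 30% vowels.
    Pronounceable, human-chosen labels stay near 1; random strings score higher."""
    label = label.lower()
    norm_entropy = shannon_entropy(label) / math.log2(len(label)) if len(label) > 1 else 0.0
    cluster_penalty = max(0, longest_consonant_run(label) - 3) / 4
    vowel_penalty = max(0.0, 0.3 - vowel_ratio(label)) / 0.3
    return norm_entropy + cluster_penalty + vowel_penalty

def classify(fqdn: str, threshold: float = 1.5) -> str:
    """Score only the second-level label, e.g. the 16-character label before '.ru'."""
    label = fqdn.lower().split(".")[0]
    return "dga-like" if lexical_complexity(label) >= threshold else "human-like"

# Constructed sample labels (made up for this example, not real Blackhole domains).
SAMPLE_DGA = ["kqzvxjbpmtnlrhdw.ru", "tqwzkjpoxvmbnrde.ru", "gfhkwlxuibqtzpmn.ru"]
SAMPLE_HUMAN = ["google.com", "wikipedia.org", "opendns.com", "customerservice.net"]

if __name__ == "__main__":
    for fqdn in SAMPLE_DGA + SAMPLE_HUMAN:
        print(f"{fqdn:24} {lexical_complexity(fqdn.split('.')[0]):.2f} {classify(fqdn)}")
```

A generator that keeps an English-like vowel ratio would land near the human range on this simple score, which is why the query-timing evidence below is a useful second signal.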

  • These domain names were observed to have concentrated DNS queries with short life spans, and exhibited a temporal progression every 12 hours.
  • We saw abnormally high levels of activity at the time of domain generation, which quickly faded to near zero within a day or two.
  • The few DNS queries outside this time window may be due to machines with an incorrect date set, or to security research activity.
  • More than a half million connections were attempted to these malicious domains within one week (June 29-July 5, 2012).
Figure: Trending query counts for six consecutive generated domains.
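The burst-then-fade pattern and the 12-hour cadence described above can be checked mechanically. The following added example (not OpenDNS’s own tooling) runs over constructed hourly query counts: it flags domains whose queries are concentrated in their first hours of life and measures the gap between successive flagged domains’ first appearances. The domain labels, dates and counts are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed hourly query counts per domain (labels and numbers are made up for
# this example, not real Blackhole telemetry). Each entry is (first_seen, counts),
# where counts[i] is the number of queries in the i-th hour after first_seen.
T0 = datetime(2012, 6, 29, 0, 0)
SAMPLE = {
    "kqzvxjbpmtnlrhdw.ru": (T0, [1800, 4200, 2600, 900, 300, 120, 40, 12, 6, 3, 1, 0]),
    "tqwzkjpoxvmbnrde.ru": (T0 + timedelta(hours=12), [2100, 3900, 2400, 700, 250, 90, 30, 10, 4, 2, 1, 1]),
    "gfhkwlxuibqtzpmn.ru": (T0 + timedelta(hours=24), [1500, 3600, 2200, 800, 200, 80, 25, 8, 3, 1, 0, 0]),
    "example.com": (T0, [500] * 48),  # steady baseline of a legitimate domain
}

def burst_profile(first_seen, counts, window_h=6):
    """Summarise a domain's query series: total volume, when it peaked and what
    share of all queries fell inside the first `window_h` hours of its life."""
    total = sum(counts)
    peak_idx = max(range(len(counts)), key=counts.__getitem__)
    early = sum(counts[:window_h])
    return {"total": total, "peak_at": first_seen + timedelta(hours=peak_idx),
            "early_fraction": early / total if total else 0.0}

def is_burst_then_fade(counts, window_h=6, min_fraction=0.9):
    """True when at least `min_fraction` of all queries fall in the first
    `window_h` hours, i.e. a concentrated burst that fades to near zero."""
    total = sum(counts)
    return total > 0 and sum(counts[:window_h]) / total >= min_fraction

def flagged_domains(sample):
    """Short-lived burst domains, ordered by first appearance."""
    hits = [(fs, d) for d, (fs, c) in sample.items() if is_burst_then_fade(c)]
    return [d for fs, d in sorted(hits)]

def generation_cadence_hours(sample):
    """Gaps (in hours) between successive flagged domains' first appearances;
    a constant 12.0 matches the 'one new domain every 12 hours' observation."""
    starts = sorted(sample[d][0] for d in flagged_domains(sample))
    return [(b - a).total_seconds() / 3600 for a, b in zip(starts, starts[1:])]

if __name__ == "__main__":
    for d in flagged_domains(SAMPLE):
        p = burst_profile(*SAMPLE[d])
        print(f"{d}: {p['total']} queries, peak {p['peak_at']:%Y-%m-%d %H:%M}, "
              f"{p['early_fraction']:.1%} within 6h")
    print("cadence (h):", generation_cadence_hours(SAMPLE))
```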

  • We sampled the range of domain names generated for May 5 – Sept 23 at two points in time (July 5 and July 9).
  • The authoritative name servers used to resolve the A records for the generated domains have changed twice.
  • On July 5, three domains (https443.org, https443.net, compress.to) were served by a free dynamic DNS provider (https443.net via www.changeip.com).
  • On July 9, one domain (otlard.kz) was served under a ccTLD (country-code top-level domain).
  • The previously used name servers no longer resolve A records for generated domains corresponding to dates before July 3rd.
  • The new name servers are not resolving A records for the domains generated for today or for future dates.
  • We propose that these findings indicate the operation is being brought online gradually, either for technical reasons or to avoid detection.
  • There has been significant press coverage of this new DGA technique over the last week, which may have prompted the hackers to move to name servers under a registry with more lax registration requirements (e.g. Kazakhstan) and to suspend active use.
Figure: Blackhole DGA DNS resolution changes from May 5 through September 23.

  • We also searched the public portion of the Malware Domain List (http://www.malwaredomainlist.com) for the ASNs observed above, and found that ASNs 16265 and 39743 had been flagged multiple times in the past for hosting malicious domains or IPs.
Figure: Malware domain list search results.

OpenDNS found conclusive evidence that the domain names discovered were generated by software with malicious intent.

  • All future domains using this DGA are included in our inbound malware protection for OpenDNS Enterprise Insights and Enterprise customers.
