Previously, we discussed how we regularly monitor our DNS traffic for malicious fast flux domains. One notable family of fast flux domains that we see every day are the “Kelihos” domains: A steady stream of DGA-like .ru domains (occasionally .com or .us), freshly registered, resolving to a single IP with a TTL of zero, and whose name servers are also fluxing with a TTL of zero. These domains have been covered numerous times recently  and been the subject of multiple takedowns , but despite this publicity and efforts, their malicious usage has not abated.
We observe that these domains are used for at least three purposes: as redirectors for Blackhole and Red kit exploit kits, as malware dropping domains for diverse trojan specimens (mainly the Kelihos trojan), and as CnC, appearing in the network traffic of trojan samples already installed on infected machines.
In this blog post, we’ll take a look at a few such domains from our perspective, show how they serve multiple purposes, and describe a few live cases of their malicious usage. Notice that all domains mentioned in bold in the tables are live at the time of this writing.
Domains’ activity in trojans’ traffic:
In the table below, we show a sample of recent .ru domains that were reported in the network communications of known trojans. We detect these domains in our DNS traffic either a few days before or on the same day that a related malware analysis report is published. Notice, the last two domains registered on July 11th stayed dormant for about 10 days, then started being DNS-active and were reported in samples’ reports. As of this moment, they are no longer resolving.
Domains’ usage as trojan downloaders:
We now show a sample of domains used as Kelihos payload downloaders via exploit kit infections. At the time of this writing, these domains are live, as are the payload URLs.
Domains’ usage in Iframe injections:
In the following table, we inspect another sample of “Kelihos” domains. These domains are used as Exploit redirectors in hidden iframe injection attacks against the listed web pages. At the time of this writing, many of these web pages are still compromised (several may have been cleaned or no longer resolve, or their Exploit landing domains may have stopped resolving). This list is just a small set for illustration purposes as we counted tens of such infected “innocent” sites still live (a number expected to reach the hundreds), with more systematically infected every day. The last domain of the table has been suspended, but we are showing it as we will discuss it in a following example.
Cookie bomb/iframe injection attack example:
We also observed that some webpages were infected multiple times with this attack; for example, hxxp://www.scouts108.org.mx/index.php had 9 injected exploit redirection/CookieBomb code blocks (with 9 redirection URLs) scattered across the page. These blocks pointed to 3 distinct exploit redirection URLs overall. The URLs at the time of analysis were:
We also noticed that compromised websites are multi-national, observing websites from Mexico, Peru, Russia, Poland, Turkey, India, and Thailand, etc. This could indicate that the bad guys target their “iframe injection” infections against sites in bulk, regardless of their origin, where these sites could have vulnerabilities in their web server setup, or whose administrative FTP credentials were leaked or purchased, etc. The end goal here is to infect as many user machines as possible and harvest the most accounts and personal data. Obviously, the attacks could also be targeted against a specific population or a business group.
Dual purpose domains:
We also observed that a lot of “Kelihos” domains are recycled for multiple uses: exploit redirectors and trojan droppers among them. Let’s take the example of powerwik.ru. At the time of this writing, this domain has been used as exploit redirector: hxxp://powerwik.ru/count3.php injected for example in this site http://www.bth-avocats.com/, and as a kelihos payload downloader with the following URLs: hxxp://powerwik.ru/userid2.exe, and hxxp://powerwik.ru/rasta01.exe. Below are the virustotal analysis reports of these two payloads:
The geography of the infections:
We will now discuss an interesting observation related to the geography of the client IPs querying Kelihos domains as we see it from our DNS traffic. Let’s take the example of afau.gajkukuc.ru: this domain shows a surge in DNS traffic between 10pm and 12am UTC on the night of July 24th.
We checked the client IPs that looked up this domain, and display their country distribution in the map below. Notice the high concentration of clients in Turkey (next are the US, Canada and Mexico). We speculate that either users in Turkey were targeted by a spam campaign leading to afau.gajkukuc.ru (as an Exploit redirector or payload downloader), or that several Turkish speaking websites were compromised with iframe injections also leading to afau.gajkukuc.ru.
We observe this behavior with other domains, for example: ca595.ximxamli.ru. This domain shows a spike of DNS queries between 6 and 8am UTC on July 24th from client IPs highly concentrated in Vietnam and Turkey.
To summarize, we observe that the attackers use randomness at several levels to evade detection and blocklisting:
1. The redirection URL changes between consecutive visits to the same compromised page.
2. The domain names (2LD) are randomly generated, as are the subdomain names (3LD).
3. The domains resolve to a single IP with a TTL=0, this in itself tries to simulate a random DNS resolution. We monitor the total number of unique IPs, and can confirm this number is continuously growing.
4. The “Kelihos” domains are wildcard domains. If you try to resolve a hostname formed by prepending a random string to the domain name, you will get a successful resolution. This seems like an artifact that serves the random generation of subdomains. We presume that the automated script installed on an infected server uses this artifact to generate new random Exploit landing urls, (i.e. the targets of the iframe injection blocks) or payload downloading URLs.