Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Security Networking The Internet Technology

Malware on Hijacked Subdomains, a New Trend? 24

Posted by Soulskill from the hiding-in-plain-sight dept.
The Unmask Parasites blog discusses a technique attackers are using more and more often recently: modifying a compromised site's DNS settings to redirect various subdomains to different IPs that serve up malware, often leaving site administrators none the wiser. Quoting: "It is clear that hackers have figured out that subdomains of legitimate websites are an almost infinite source of free domain names for their attack sites. With access to DNS settings, they can create arbitrary subdomains that point to their own servers. Such subdomains can hardly be noticed by domain owners who rarely check their DNS records after the initial domain configuration. And they cost nothing to hackers. I wonder if using hijacked subdomains of legitimate websites is a new trend in malware distribution or just a temporarily solution that won't be widely adopted by cybercriminals in the long run (like dynamic DNS domains last September)."
This discussion has been archived. No new comments can be posted.

Malware on Hijacked Subdomains, a New Trend? More

Malware on Hijacked Subdomains, a New Trend?

Comments Filter:

  • Also done with 404 Error Documents (Score:5, Informative)

    by Anonymous Coward on Saturday May 22, 2010 @12:24PM (#32306148)

    This is also done with 404 Error pages. They change it to redirect to their spam, and then point people at what looks like a legitimate URL. Then they get redirected to the spam and are none the wiser. www.slashdot.org/thisdoesntexist could redirect anywhere.

  • Re:Also done with 404 Error Documents (Score:4, Informative)

    by Anonymous Coward on Saturday May 22, 2010 @12:32PM (#32306226)

    Agreed 404, 301, 302. Anything that you can drop a .htaccess file into an account.

    Ideally, web servers (not just DNS) have a lot of holes, allowing NS access to the user isn't the problem like the TFA implies. Because most automation software doesn't allow for too much sub domain specific flexibility, most times you still need to be in root to redirect at a dns level.

    The exception is say parking (godaddy etc) or zoneedit but usually once its hosted it's pretty much in the hands of the admin to delegate externally.

  • Re:Also done with 404 Error Documents (Score:4, Informative)

    by DeadPixels ( 1391907 ) on Saturday May 22, 2010 @01:12PM (#32306486)
    While I've yet to personally see any subdomain hijacking, I have come across 404 pages that have been turned into drive-by-downloads. Otherwise legitimate sites have all of these extra pages created (www.example.com/search_query_here) that actually just point to malware. While most of them are still fairly easy to pick out because the domain is entirely unrelated to the search term, it's still dangerous and could easily catch many unobservant users.

  • As a malware defense professional.. (Score:5, Informative)

    by ma1wrbu5tr ( 1066262 ) on Saturday May 22, 2010 @02:40PM (#32307292) Journal
    I can verify that this trend has been building for months. It only seems to be getting worse. We've logged literally hundreds of compromised sites ranging from the very high traffic to the very obscure. This is one case where even vigilant users are undermined by the lack of security awareness of the site admins.

Slashdot Top Deals

Mystics always hope that science will some day overtake them. -- Booth Tarkington

Close