Softpedia
 

July 13th, 2010, 06:49 GMT · By

DynDNS Abused by Malware Pushers


DynDNS-hosted sub-domains used to distribute malware
Security researchers from Sunbelt Software have observed an increasing abuse of DynDNS services. Malware distributors are constantly registering and rotating DynDNS-hosted sub-domains that are subsequently used to spread computer trojans.

DynDNS is a DNS (Domain Name System) hosting provider best known for its free dynamic DNS service, which allows Internet users with dynamic IP addresses to automatically point a sub-domain to their new IP every time it changes. DynDNS offers almost 90 free domain names to choose from when creating a sub-domain for dynamic DNS purposes.

According to Sunbelt, malware pushers are registering pseudo-random sub-domains and rotating them every hour. The malicious URLs take the form http://[random_sub-domain].[DynDNS_domain.tld]/1111111ggg/get.php?name=[CENSORED]_Movie_162.mpeg, and it seems that the /1111111ggg/ directory and the .mpeg file name generally remain the same.

All sub-domains point to the same IP address, 80.91.176.172; however, this might change in the future. Some of the most heavily abused domains during the past few weeks include boldlygoingnowhere.org, dnsalias.com, dnsalias.net, dnsalias.org, dnsdojo.com, doesntexist.com, dynalias.net, doesntexist.org, dvrdns.org, dynalias.com, dynalias.org, dyndns.biz, dyndns.tv, dyndns.ws, endofinternet.net, endofinternet.org, game-host.org, getmyip.com, gotdns.com, gotdns.org, hobby-site.com, hobby-site.org, homedns.org, homeftp.org, homelinux.com, homelinux.net, homelinux.org, homeunix.net, homeunix.org, is-a-chef.com, is-a-geek.net, is-a-geek.org, isa-geek.org, kicks-ass.net, kicks-ass.org, scrapper-site.net, scrapping.cc, selfip.biz, selfip.com, selfip.info, selfip.net, selfip.org, servebbs.com, servebbs.org, serveftp.net, serveftp.org, servegame.org, thruhere.net, webhop.biz, webhop.info, webhop.net.
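Because the sub-domain rotates hourly and the IP may change, a log check is more durable when it combines the dynamic-DNS zone with the stable path and file name. The following is an added example, not code from Sunbelt or Softpedia; the four-field proxy log format, the sample lines, the two-indicator threshold and all function names are assumptions, and only a subset of the listed domains is included.

```python
from urllib.parse import urlsplit, parse_qs

# Subset of the DynDNS zones listed in the article; load the full list in practice.
DYNDNS_ZONES = {"dnsalias.com", "dyndns.biz", "homelinux.org", "selfip.com", "webhop.net"}
KNOWN_IP = "80.91.176.172"        # reported in the article; expected to change
STABLE_DIR = "/1111111ggg/"       # directory the article says generally stays the same
LURE_SUFFIX = "_movie_162.mpeg"   # file-name tail the article says generally stays the same
# Constructed proxy log lines (assumed format): timestamp, client, destination IP, URL.
SAMPLE_LOG = """\
2010-07-13T06:01:02Z 10.0.0.5 80.91.176.172 http://qzxkvb.dnsalias.com/1111111ggg/get.php?name=Sample_Movie_162.mpeg
2010-07-13T06:05:10Z 10.0.0.7 203.0.113.9 http://myhome.homelinux.org/photos/index.html
2010-07-13T07:02:44Z 10.0.0.5 198.51.100.20 http://pwhrtn.selfip.com/1111111ggg/get.php?name=Sample_Movie_162.mpeg
2010-07-13T07:10:00Z 10.0.0.8 192.0.2.33 http://www.example.com/get.php?name=trip.mpeg
""".splitlines()

def dyn_zone(host):
    """Return the dynamic-DNS zone that host is a sub-domain of, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels) - 1):
        zone = ".".join(labels[i:])
        if zone in DYNDNS_ZONES:
            return zone
    return None

def indicators(url, dest_ip=None):
    """List which of the article's indicators a single request matches."""
    parts = urlsplit(url)
    path = parts.path.lower()
    name = parse_qs(parts.query).get("name", [""])[0].lower()
    hits = []
    if dyn_zone(parts.hostname or ""):
        hits.append("dyndns-subdomain")
    if path.startswith(STABLE_DIR) and path.endswith("/get.php"):
        hits.append("stable-path")
    if name.endswith(LURE_SUFFIX):
        hits.append("lure-filename")
    if dest_ip == KNOWN_IP:
        hits.append("known-ip")
    return hits

def scan(lines, threshold=2):
    """Return (line, hits) for requests matching at least `threshold` indicators."""
    flagged = []
    for line in lines:
        _ts, _client, dest_ip, url = line.split(None, 3)
        hits = indicators(url, dest_ip)
        if len(hits) >= threshold:
            flagged.append((line, hits))
    return flagged
```

Requiring two indicators keeps ordinary dynamic-DNS hosts, such as the home server in the second sample line, out of the results while still catching the third line, where both the sub-domain and the IP have rotated.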

Sunbelt detects the malicious files distributed from these rogue sub-domains as Trojan.Win32.Alureon, Trojan-Downloader.Win32.FraudLoad and Trojan.Win32.FakeAlert. However, the vendor warns that detection of these files across major antivirus vendors is often inconsistent.

Obviously, DynDNS is not the only DNS hosting company whose free DNS services are abused by cyber criminals. No-IP.com and freedns.afraid.org have also been targeted in a similar fashion in the past. Free file hosting providers like RapidShare or MediaFire and even Google Code are also constantly abused to host malicious files.

“Bottom line: any company that makes available services allowing anonymous users to post or distribute content/files for free will become a preferred means for distributing malware. These services have a responsibility to police the use of their free services,” Alex Eckelberry, the CEO of Sunbelt Software, writes on the company's blog.

You can follow the editor on Twitter @lconstantin
