Interesting Subdomain Technique – Popads Exploit Kit

Popads is using some interesting domains lately…

tech.net.microsoft.windows.update.system.release.vukzy.1targetdayanalize.info
tech.net.microsoft.windows.update.system.release.sg.1zitargoh.info
tech.net.microsoft.windows.update.system.release.jxtbc.1zitargoh.info
tech.net.microsoft.windows.update.system.release.gxsha.1zitargoh.info
tech.net.microsoft.windows.update.system.release.fp.12targetdayanalize.info
tech.net.microsoft.windows.update.system.release.bv.12targetdayanalize.info
tech.net.microsoft.windows.update.system.release.aldmd.1tickersonball.info

critical.microsoft.windows.software.update.patch.tu.7personalidoffuskerts.info
critical.microsoft.windows.software.update.patch.jdkwv.7personalidoffuskerts.info

emergency.microsoft.security.software.update.patch.oqska.1yebatek.info
emergency.microsoft.security.software.update.patch.nv.1yebatek.info

Looks like 6 keyword labels (tech.net counts as 1), then a random label of 2-5 characters, then the registered domain, which is itself a number followed by a word under .info (1targetdayanalize.info, 7personalidoffuskerts.info, 1yebatek.info).

Easy to find in DNS logs.

Domain = *.info
Query contains
emergency OR critical OR microsoft OR security OR software OR update OR patch OR system OR release OR tech.net OR windows

The keyword list by itself is broad (any .info name containing update or security will hit), so the *.info restriction is what keeps it usable; if the hit count is still too high, require the 6-keyword label structure above as well.

— Update 4/16 —

Still at it, with a slightly different layout: four keyword labels, then a 32-character hex string, then the random label and the domain.

net.tech.windows.internet.7c23a7f1d978eaac81d9d3049f22a59c.wfyjp.4qastorb.info
net.tech.windows.internet.92181dc1ad75243ace8a1aee4cfa74be.gimi.12qastorb.info

Still easy to find in DNS logs.

Domain = *.info
Query contains
emergency OR critical OR microsoft OR security OR software OR update OR patch OR system OR release OR tech.net OR windows OR net.tech

Can also match the tail of the query name with the regex [a-f0-9]{32}\.[a-z]{3,6}\.[0-9]+[a-z]+\.info$ (widen [a-z]{3,6} to {2,6} if you want it to also cover the two-letter random labels seen in the first batch, e.g. sg, fp, bv).

— Update 4/17 —

Still easy to find in DNS logs. LOL 🙂

Domain = *.info
Query contains
emergency OR critical OR microsoft OR security OR software OR update OR patch OR system OR release OR tech.net OR windows OR net.tech OR internet OR explorer
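Here is the keyword rule, the hex-label regex and the label-structure check from the updates above, run over a few constructed BIND-style query-log lines. This is an added example, not part of the original post: the log lines, the parsing regex and the "label-structure" rule (four or more word labels, an optional 32-hex label, a short random label, then <digits><word>.info) are my assumptions generalised from the samples above, and the hex regex is widened to [a-z]{2,6} as suggested.

```python
"""Scan DNS query logs for the Popads subdomain pattern described in the post."""
import re

# Keyword list from the 4/17 update, applied only to names ending in .info.
KEYWORDS = (
    "emergency", "critical", "microsoft", "security", "software", "update",
    "patch", "system", "release", "tech.net", "windows", "net.tech",
    "internet", "explorer",
)

# The 4/16 regex from the post, widened to [a-z]{2,6} so that the two-letter
# random labels seen in the first batch (sg, fp, bv, tu, nv) are not missed.
HEX_RE = re.compile(r"(?:^|\.)[a-f0-9]{32}\.[a-z]{2,6}\.[0-9]+[a-z]+\.info$")

# Structural rule (an assumption generalising the samples in the post, not a
# rule the post gives): four or more word labels, an optional 32-hex label,
# a short random label, then a registered domain of the form <digits><word>.info.
STRUCT_RE = re.compile(
    r"^(?:[a-z]+\.){4,}(?:[a-f0-9]{32}\.)?[a-z]{2,6}\.[0-9]+[a-z]+\.info$"
)

# Constructed BIND-style query-log lines (sample input, not real log data).
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: tech.net.microsoft.windows.update.system.release.vukzy.1targetdayanalize.info IN A +
client 10.0.0.5#53212: query: windowsupdate.microsoft.com IN A +
client 10.0.0.7#40021: query: net.tech.windows.internet.7c23a7f1d978eaac81d9d3049f22a59c.wfyjp.4qastorb.info IN A +
client 10.0.0.7#40022: query: www.example.info IN A +
client 10.0.0.9#51000: query: critical.microsoft.windows.software.update.patch.tu.7personalidoffuskerts.info IN A +
client 10.0.0.9#51001: query: update.example.info IN A +
"""

# Assumed log layout: "... query: <qname> IN <type> ..."
QUERY_RE = re.compile(r"query: (\S+) IN ")


def keyword_hits(qname):
    """Keywords (substring match, as in the post's 'Query contains') found in a .info name."""
    qname = qname.lower().rstrip(".")
    if not qname.endswith(".info"):
        return []
    return [k for k in KEYWORDS if k in qname]


def classify(qname):
    """Return the list of reasons a query name looks like the Popads pattern (empty if none)."""
    qname = qname.lower().rstrip(".")
    reasons = ["keyword:" + k for k in keyword_hits(qname)]
    if HEX_RE.search(qname):
        reasons.append("hex-label")
    if STRUCT_RE.match(qname):
        reasons.append("label-structure")
    return reasons


def scan(log_text):
    """Map each queried name in the log to its reasons, keeping only names with at least one."""
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            reasons = classify(m.group(1))
            if reasons:
                hits[m.group(1)] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LOG).items():
        print(name, "->", ", ".join(reasons))
```

Note what the run shows: windowsupdate.microsoft.com never hits because it is not under .info, www.example.info never hits, but update.example.info hits on the keyword rule alone, which is the false-positive class the keyword list produces; the three Popads names are the only ones that also carry label-structure (and hex-label for the 4/16 layout), so alerting on that combination is the tighter rule.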
