During an investigation, two weeks ago, we discovered a malware sample that used a new malicious domain: auth-update.ru. The domain pointed to multiple suspicious, rotating IP's.
We are still tracking this large fastflux network and keep finding more domains associated with it. Some of these domains include:
- auth-update.ru (down)
- smartfoodsglutenfree.kz (down)
- emptyarray.ru (live)
- dorttlokolrt.com (live)
- downs1.ru (live) new!
Each domain has been observed serving multiple types of Malware and CnC servers:
- CryptoWall 3
- FAREIT Spyware
- Dyre + Dridex
We have obtained thousands of IP address from this network, mostly from Ukraine & Russia. Running dig this morning revealed more addresses:
$> date Thu 26 Mar 2015 09:55:50 EDT $> dig downs1.ru +short 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
Here are some IP reports on Cymon:
Below is a simple script that you can use for tracking and scraping IP addresses that are part of the FastFlux domain: