Blue Coat Labs

The Next Shady TLD: .kim

Chris Larsen

Last month, we recommended that customers consider blocking the entire ".country" top level domain (TLD) space, due to the fact that it appeared to be entirely devoted to shady stuff -- mostly a big scam network. That recommendation remains in place: looking back at the Top 40 .country sites in the last seven days, only about 10 of them appear to be legitimate.

This time, we're focusing on the ".kim" TLD, which has a wider variety of shady activities going on. (Interestingly, some of the scammers that used to live in .country have fled over the border, so to speak, and are now living here.)

In looking at the Top 40 .kim domains in our log traffic from the last seven days, 34 (85%) were shady in some way. That's a high enough ratio to recommend blocking the whole space.

Besides the big scam network (which our analyst team has linked to PUS-type software, i.e. potentially unwanted software, so it's more than just an annoyance), there's at least one shady-looking DGA-type (domain generation algorithm) domain (qjwrnjqwr.kim), and there's also an interesting malware attack going on:

Sites like buu.kim and newido.kim are serving up pages built of obfuscated JavaScript:

[Image: obfuscated JavaScript page]

that end up producing pages like this:

[Image: screenshot of fake YouTube video page]

Most of the content on these pages actually consists of image files, hosted on a malicious site called fourapp.info. And I thought it was sloppy that they'd use images with a mix of languages (Turkish, Spanish, and English) -- there may be a good reason why the Turkish is in there (keep reading), but there's no obvious connection to Spanish content.

Since we've had fourapp.info in our database for over a month -- first with a Suspicious rating, later upgraded to Malware -- our users should be blocking the payload of this attack. (Although lots of them are clicking on the initial link. Sigh.)

Pretending to be a user who was not blocking the Suspicious category for some reason, I downloaded a copy of the Youtube_Watch_Video.exe file and ran it through VirusTotal. I was expecting a typical PUS-type payload, so I was a bit surprised to see a decidedly non-PUS set of detections:

www.virustotal.com/en/file/46f864f2d4aff23263adbfce0ac8760d9a845bf37659f9c2263f2e5c3ccb7c0e/analysis/

33 detections is pretty good, and most called it some form of "Generic" or "Downloader".

Presenting Mr. Kim (Who?)

A couple of exceptions to the general recommendation of blocking .kim sites would be if you conduct Web business in Korea or Turkey.

One of the Top 20 .kim sites (#20, actually) was a Korean tech blog ("Kim" is a very common Korean family name).

Five of the Top 40 were legitimate Turkish sites, including three in the Top 20. ("Kim" means "who" in Turkish, so you can see why Turkish sites might naturally gravitate to this TLD.) The sites we checked included two Political sites and three Entertainment sites.

We've given appropriate ratings to the real sites with significant traffic, but there are certainly other legitimate Korean and Turkish sites lurking further down the list...
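Here's what the "block the whole TLD, but carve out the legitimate sites" policy looks like as code, run over a handful of proxy log lines. This is an added example, not WebPulse or ProxySG policy: the blocked TLDs (.kim, .country) and the fourapp.info payload host come from this post, while the allowlisted hostnames and the sample log lines are made up for illustration.

```python
"""Block-the-TLD policy with an allowlist for the legitimate exceptions.

Added example (not WebPulse/ProxySG code). BLOCKED_TLDS and the fourapp.info
payload host come from the post; ALLOWLIST entries and SAMPLE_LOG are
constructed placeholders.
"""
from urllib.parse import urlsplit

BLOCKED_TLDS = {"kim", "country"}   # TLDs the post recommends blocking outright
BLOCKED_HOSTS = {"fourapp.info"}    # payload host named in the post
ALLOWLIST = {                       # constructed stand-ins for the real Korean/Turkish sites
    "legit-korean-techblog.kim",
    "legit-turkish-news.kim",
}


def normalize_host(host):
    """Lower-case, drop a trailing dot and a :port suffix so 'BUU.KIM.' and 'buu.kim:443' both match."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:        # host:port (a bare IPv6 literal has more colons)
        host = host.split(":")[0]
    return host


def tld_of(host):
    """Return the last label; rsplit avoids matching 'kim' inside e.g. 'notkim.info'."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def matches(host, names):
    """True if host equals a name in the set or is a subdomain of one."""
    return any(host == n or host.endswith("." + n) for n in names)


def verdict(host):
    """Policy decision for one hostname.

    Order matters: a known-malware host is blocked even if someone allowlists it,
    the allowlist beats the TLD rule, and everything else is allowed.
    """
    host = normalize_host(host)
    if not host:
        return "allow"
    if matches(host, BLOCKED_HOSTS):
        return "block:malware-host"
    if matches(host, ALLOWLIST):
        return "allow:exception"
    if tld_of(host) in BLOCKED_TLDS:
        return "block:tld"
    return "allow"


# Constructed proxy log lines: "<client_ip> <url>". The hostnames buu.kim,
# qjwrnjqwr.kim and fourapp.info are from the post; the rest are made up.
SAMPLE_LOG = """\
10.1.2.3 http://buu.kim/
10.1.2.3 http://fourapp.info/img/play.png
10.1.2.4 http://www.legit-turkish-news.kim/haber
10.1.2.5 http://example.com/
10.1.2.6 http://qjwrnjqwr.kim/
10.1.2.7 http://notkim.info/
"""


def triage(log_text):
    """Apply verdict() to every URL in the log; returns (host, verdict) pairs."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        host = urlsplit(fields[1]).hostname or ""
        results.append((host, verdict(host)))
    return results


if __name__ == "__main__":
    for host, v in triage(SAMPLE_LOG):
        print(f"{v:20} {host}")
```

The rule order is the part worth copying: explicit malware hosts win over any allowlist entry, the allowlist wins over the TLD rule, and the TLD check looks only at the last label so a name like notkim.info isn't caught by accident.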

WebPulse will continue keeping an eye on the hiding places used by the Bad Guys in the "TLD Explosion".

--C.L.

@bc_malware_guy