The Bad Guys Can't Shake WebPulse

May 1, 2012 - By Chris Larsen, Jon Dinerstein

[A nice post from Dr. Jon in our internal blog a week ago, that deserves a larger audience. -- C.L.]

The Bad Guys are well-known for rapidly changing domain names in an effort to avoid being blocked. They're like bank robbers fleeing the scene of a crime before the police can arrive -- they're betting that speed and recklessness will allow them to get away with the crime. Typically, the Bad Guys change domain names once every few hours to once every few days. However, there are some occasional examples that take me by surprise.

While analyzing recent logs, I found 1,361 different host names in a single day, all on one server.  The domain names were cycled so quickly that most only had one request.

Examples of the names included:

  • 02xg3xnd470vlg.sl10.me
  • 03dzytydpkdjlz.pm6.me
  • 03jwrfm0c7khup.ri0.me
  • 04hx9w1ejg06oz.ri0.me
  • 05xlxndtsg21dn.ri0.me
  • 095cbn20ullasv.ri0.me
  • 09dem9xwzi8dex.pm6.me
  • 0arqtde1lc7wlw.ri0.me
  • 0ctge6o87ywhtk.ri0.me


Upon inspection it becomes clear that there are only a few actual domains (such as ri0.me and pm6.me), but there are many, many subdomains.  The Bad Guys are attempting to be ultra agile by randomly creating a new subdomain for nearly every phone-home attempt.  But were they successful? No, I'm pleased to report that WebPulse successfully protected our customers by flagging every one of these domains. [When you've been logging good and bad Web sites for over a decade, you've got enough data to reject obviously bogus domain names, and that's what Jon's weapon does, very effectively.]
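The pattern described above (a handful of registrable domains, each with a flood of random-looking subdomains that are requested only once) is something a defender can surface from their own proxy or DNS logs. The following is an added illustration, not WebPulse's or Blue Coat's code: it groups hostnames by registrable domain and scores each domain on subdomain churn (how many distinct hosts, how many seen only once) and on how random the leftmost label looks. The log lines are constructed for the example, the "last two labels" rule for the registrable domain is a simplifying assumption (a real deployment would use the Public Suffix List), and the thresholds are illustrative.

```python
"""Added example: flag registrable domains whose subdomains look randomly
generated and are each used only once. Log lines are constructed, not real
WebPulse data; thresholds are illustrative only."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample proxy log: "<timestamp> <client> <host>". The first nine
# hosts are the ones quoted in the post; the example.com hosts are benign filler.
SAMPLE_LOG = """\
2012-04-24T10:00:01 10.0.0.5 02xg3xnd470vlg.sl10.me
2012-04-24T10:00:07 10.0.0.5 03dzytydpkdjlz.pm6.me
2012-04-24T10:00:13 10.0.0.9 03jwrfm0c7khup.ri0.me
2012-04-24T10:00:20 10.0.0.5 04hx9w1ejg06oz.ri0.me
2012-04-24T10:00:26 10.0.0.7 05xlxndtsg21dn.ri0.me
2012-04-24T10:00:33 10.0.0.5 095cbn20ullasv.ri0.me
2012-04-24T10:00:40 10.0.0.9 09dem9xwzi8dex.pm6.me
2012-04-24T10:00:47 10.0.0.5 0arqtde1lc7wlw.ri0.me
2012-04-24T10:00:53 10.0.0.7 0ctge6o87ywhtk.ri0.me
2012-04-24T10:01:00 10.0.0.5 www.example.com
2012-04-24T10:01:05 10.0.0.9 www.example.com
2012-04-24T10:01:10 10.0.0.7 mail.example.com
2012-04-24T10:01:15 10.0.0.5 cdn.example.com
2012-04-24T10:01:20 10.0.0.5 www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(host):
    """Assumption: the registrable domain is the last two labels. A real
    deployment would consult the Public Suffix List (e.g. for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_randomness(label):
    """Heuristic score in [0, 1]: character entropy normalised to a base-36
    alphabet, blended with the digit fraction. 'www' scores 0; a label such
    as '02xg3xnd470vlg' scores well above 0.5."""
    if not label:
        return 0.0
    ent = shannon_entropy(label) / math.log2(36)
    digit_frac = sum(ch.isdigit() for ch in label) / len(label)
    return min(1.0, 0.7 * ent + 0.3 * digit_frac)


def parse_log(text):
    """Yield (client, host) for each well-formed line of the constructed log."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3)


def profile_domains(text):
    """Per registrable domain: distinct hosts, share of hosts requested only
    once, and mean randomness of the leftmost label."""
    hits = defaultdict(Counter)  # domain -> Counter(host -> request count)
    for _client, host in parse_log(text):
        hits[registrable_domain(host)][host] += 1
    profiles = {}
    for domain, hosts in hits.items():
        n_hosts = len(hosts)
        single_hit = sum(1 for c in hosts.values() if c == 1) / n_hosts
        randomness = sum(label_randomness(h.split(".")[0]) for h in hosts) / n_hosts
        profiles[domain] = {
            "distinct_hosts": n_hosts,
            "single_hit_ratio": single_hit,
            "mean_randomness": randomness,
        }
    return profiles


def flag_domains(text, min_hosts=2, min_single_hit=0.5, min_randomness=0.45):
    """Return the sorted domains that look like a throw-away-subdomain scheme.
    The thresholds are illustrative for this tiny sample; production alerting
    would demand far more hosts per day (the post saw 1,361 on one server)."""
    return sorted(
        d for d, p in profile_domains(text).items()
        if p["distinct_hosts"] >= min_hosts
        and p["single_hit_ratio"] >= min_single_hit
        and p["mean_randomness"] >= min_randomness
    )


if __name__ == "__main__":
    for d, p in profile_domains(SAMPLE_LOG).items():
        print(f"{d:14} hosts={p['distinct_hosts']:2} "
              f"single_hit={p['single_hit_ratio']:.2f} "
              f"randomness={p['mean_randomness']:.2f}")
    print("flagged:", flag_domains(SAMPLE_LOG))
```

Note that a high single-hit ratio alone is not enough: the benign example.com also has hosts seen only once (mail, cdn), and it is the randomness of the leftmost label that separates it from ri0.me and pm6.me. The lone sl10.me host falls below the distinct-host threshold, which is the intended behaviour: one odd-looking name is not evidence of churn.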

The Bad Guys can't run fast enough to shake WebPulse!

~J.D.