Latest attack strategy: Create subdomains to deliver malware

IT security professionals need to be on the lookout for signs their organization’s domains have been hijacked with the discovery of a new exploit kit that delivers malware though ads to unsuspecting Web site visitors,

Organizations particularly at risk are those using GoDaddy as their provider because — at least initially — the majority of the compromised domains are registered through it.

Cisco Systems’ Talos security research group  gave the warning this week that danger is the result of the spread among attackers of the Angler exploit kit, which it describes as having a high level of sophistication.

The kit is being used to hijack domain registrant accounts, create subdomains which shift rapidly and are then used to deliver malicious content. Cisco calls this technique domain shadowing, and it is increasing — it has found almost 10,000 unique subdomains are being used this way. The advantage of using subdomains is they avoid typical detection techniques such as blacklisting of Web sites or IP addresses.

These subdomains can point to a single IP or a small group of IP addresses.

This lastest outbreak of Angler has been seen exploiting both Adobe Flash and Microsoft Silverlight vulnerabilities.

“This is an increasingly effective attack vector since most individuals don’t monitor their domain registrant accounts regularly,” says Cisco. “These accounts are typically compromised through phishing. The threat actor then logs in with credentials and creates large amounts of subdomains. Since a lot of users have multiple domains this can provide a nearly endless supply of domains.”

This recent campaign by attackers has been running since late December and coupled with the recent Flash zero day exploits has shown to be a new evolution in exploit kits, Cisco researchers say. “Utilizing 0-days and advanced evasion techniques were once reserved for targeted attacks and are now being packaged as the next evolution in the productized industrialization of hacking.  This illustrates how products like Angler have raised the bar for the effectiveness of user driven exploit frameworks putting it in the same arena as the advanced threat market.”

“Previously, the information security industry has been trying to focus on detecting the threats like common, user targeted attacks while taking an “its not if, but when” approach to the advanced threats.  Angler is now in the category of “not if, but when your organization will be impacted.”

The first defence is making sure your organization’s domain registration credentials haven’t been compromised. The second is effective malware protection.

Other weapons Cisco says CISOs can use include looking for multiple subdomains resolving for a single second level domain and looking for multiple subdomains resolving to a single IP address. Looking for random string subdomains could be effective as well, says Cisco, although there are lots of legitimate services — especially cloud based hosting — that make use of quasi-random subdomains causing high FP rates.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web