SANS ISC: Malware Domains, & co

Those of you watching the malware universe have no doubt noticed the recent increase of malicious sites with ".in" domain names. The current set of names follows a four-digit and a seven-digit pattern. Passive DNS replication like RUS-CERT/BFK shows that a big chunk of these domains currently seems to point to netblocks in AS24965 and AS50877. The former netblock is in the Ukraine (where else), the latter likely in Moldova. Both show up prominently on Google's filter (AS24965, AS50877), Zeustracker, Spamhaus (AS24965, AS50877) and many other sites that maintain filter lists of malicious hosts.

A URL block system that can do regular expressions comes in pretty handy for these: \d{4}\.in and \d{7}\.in take care of the whole lot, likely with minimal side effects, since (benign) all-numerical domain names under ".in" are quite rare. Anchor the patterns to the end of the host name, though, so that they match only domains whose label is entirely digits and not, say, a host whose name merely ends in four digits. If you're into blocking entire network ranges, zapping those two netblocks should nicely take care of this current as well as future badness (though with unknown side effects: we have no idea whether your neighborhood pizza shack happens to host its perfectly harmless web site amidst all the malware in one of these netblocks :)


ISC Handler, Dec 29th 2010
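To show what the diary's two regexes do in practice, here is an added example (not code from the diary, from ISC, or from any block-list product). It combines \d{4}\.in and \d{7}\.in into one rule, anchors it to the registrable name so that "shop2010.in" or "1234.in.example.com" cannot trigger it, ignores hosts that only appear in a query string, and runs the rule over a few constructed proxy-log lines. The helper names, the broader 4-to-7-digit variant and the Squid-style log layout are assumptions made for this example; the log lines and IP addresses are invented.

```python
import re
from urllib.parse import urlsplit

# The diary's two rules, \d{4}\.in and \d{7}\.in, combined into one pattern. It is
# applied with fullmatch() to the registrable name only, so "shop2010.in" (label not
# all digits) and "1234.in.example.com" (".in" is not the TLD there) do not match.
EXACT_NUMERIC_IN = re.compile(r"(?:\d{4}|\d{7})\.in", re.IGNORECASE)

# Broader variant (assumption, in the spirit of the first comment): 4 to 7 digits.
RANGE_NUMERIC_IN = re.compile(r"\d{4,7}\.in", re.IGNORECASE)

# Pulls URLs out of free-form log lines (assumption: http/https schemes only).
URL_IN_LINE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_name(hostname):
    """Return the last two labels of a hostname ("www.1234.in" -> "1234.in"), or None.
    A trailing dot from DNS-style FQDNs is tolerated."""
    host = hostname.strip().rstrip(".").lower()
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def is_blocked_host(hostname, pattern=EXACT_NUMERIC_IN):
    """True if the registrable name of hostname fully matches the block pattern."""
    apex = registrable_name(hostname)
    return apex is not None and pattern.fullmatch(apex) is not None


def is_blocked_url(url, pattern=EXACT_NUMERIC_IN):
    """True if the URL's host part is blocked. Path and query are ignored, so a benign
    page that merely mentions 1234.in in a parameter is not caught."""
    host = urlsplit(url).hostname
    return host is not None and is_blocked_host(host, pattern)


def scan_log(lines, pattern=EXACT_NUMERIC_IN):
    """Return (line_number, url) for every URL in the lines whose host is blocked."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for url in URL_IN_LINE.findall(line):
            if is_blocked_url(url, pattern):
                hits.append((lineno, url))
    return hits


# Constructed proxy-log lines (Squid-style layout; invented for this example).
SAMPLE_LOG = [
    "1293580800.101 120 10.0.0.5 TCP_MISS/200 512 GET http://1234.in/in.php - DIRECT/198.51.100.7 text/html",
    "1293580801.220 80 10.0.0.6 TCP_MISS/200 4096 GET http://www.example.com/news?ref=1234.in - DIRECT/203.0.113.9 text/html",
    "1293580802.330 95 10.0.0.7 TCP_MISS/200 1024 GET http://shop2010.in/ - DIRECT/203.0.113.10 text/html",
    "1293580803.440 70 10.0.0.8 TCP_MISS/302 300 GET http://www.1234567.in/cfg.bin - DIRECT/198.51.100.8 application/octet-stream",
    "1293580804.550 60 10.0.0.9 TCP_MISS/200 900 GET http://12345.in/ - DIRECT/198.51.100.9 text/html",
]

if __name__ == "__main__":
    for lineno, url in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: blocked (4/7-digit rule) {url}")
    for lineno, url in scan_log(SAMPLE_LOG, RANGE_NUMERIC_IN):
        print(f"line {lineno}: blocked (4-7 digit rule) {url}")
```

With the diary's exact rule only lines 1 and 4 of the sample log are hits; the 4-to-7-digit variant also catches the five-digit name on line 5, which is the trade-off the first comment below is proposing. Whichever variant you deploy, test it against your own proxy logs first: the anchoring is what keeps a numeric-looking but legitimate host from being swept up.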
Why use two when you can just combine? For example, an even simpler pattern match, if we're assuming 4 to 7 characters:

Thanks for this info, we are using the following regex in DNS Redirector to block this nonsense...
or simply...
...if your company doesn't have any business with India at all.

For those who are interested, IE URL Lock would also be another method to accomplish the block.
Been wondering whether this kind of blocking can be achieved in MS TMG?
