The Connection

We had some time on our hands this weekend, so we took a closer look at the IPs used by the fast-flux network supporting the Blackhole Exploit Kits that drop the Bugat/Feodo banking trojans. If you recall from our previous posts “United Postal Service Tracking Number H7614058739” and “Rejection of your tax appeal”, the following IP addresses were part of a fast-flux network that hosted Blackhole Exploit Kits:

The IP is of particular interest. In mid-January 2012 the domain cxredret[.]ru resolved to this IP. This domain was part of the family of * domains that plagued the internet at the end of last year. The boys over at the Internet Storm Center blogged about the * domains back on 2011-12-06. It should come as no surprise that the * domains also hosted Blackhole Exploit Kits that dropped Bugat/Feodo banking trojans.
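The pivot described above (seed IP, the domains that resolved to it, the rest of the rotating infrastructure those domains used) as an added example that is not part of the original post. Every domain, IP (RFC 5737 TEST-NET ranges), date and threshold here is a constructed placeholder, not a real indicator.

```python
# Constructed passive-DNS observations: (date, domain, ip, ttl_seconds).
# Domains and IPs are placeholders for this example, not real indicators.
PDNS = [
    ("2012-01-14", "flux-a.example", "192.0.2.10", 300),
    ("2012-01-14", "flux-a.example", "192.0.2.11", 300),
    ("2012-01-15", "flux-a.example", "198.51.100.7", 180),
    ("2012-01-15", "flux-a.example", "203.0.113.9", 180),
    ("2012-01-16", "flux-a.example", "192.0.2.12", 300),
    ("2012-01-16", "flux-b.example", "192.0.2.10", 300),
    ("2012-01-17", "flux-b.example", "203.0.113.9", 240),
    ("2012-01-17", "flux-b.example", "198.51.100.8", 240),
    ("2012-01-10", "static.example", "192.0.2.50", 86400),
    ("2012-01-20", "static.example", "192.0.2.50", 86400),
]

def domains_for_ip(records, ip):
    """Reverse pivot: every domain observed resolving to this IP."""
    return sorted({d for _, d, r_ip, _ in records if r_ip == ip})

def ips_for_domain(records, domain):
    """Forward lookup: every IP this domain was observed resolving to."""
    return sorted({r_ip for _, d, r_ip, _ in records if d == domain})

def fast_flux_score(records, domain, min_ips=4, max_ttl=600):
    """Flag a domain that rotated across many IPs with short TTLs.
    The thresholds are assumptions for this example, not a published rule."""
    rows = [r for r in records if r[1] == domain]
    ips = {r[2] for r in rows}
    min_ttl = min((r[3] for r in rows), default=None)
    flagged = min_ttl is not None and len(ips) >= min_ips and min_ttl <= max_ttl
    return {"domain": domain, "distinct_ips": len(ips),
            "min_ttl": min_ttl, "fast_flux": flagged}

def expand_infrastructure(records, seed_ips):
    """One-hop pivot: seed IPs -> domains that used them -> all IPs of those domains."""
    domains = set()
    for ip in seed_ips:
        domains.update(domains_for_ip(records, ip))
    ips = set(seed_ips)
    for d in domains:
        ips.update(ips_for_domain(records, d))
    return sorted(domains), sorted(ips)

if __name__ == "__main__":
    doms, ips = expand_infrastructure(PDNS, ["192.0.2.10"])
    print("linked domains:", doms)
    print("linked IPs:", ips)
    for d in doms:
        print(fast_flux_score(PDNS, d))
```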
