Thursday, July 15, 2010

.co.cc is the new place for viruses, free proxies, spam, etc.

Co.cc offers free domain names with full DNS management. They claim more than 5 million .co.cc domain names. .CC is the country code for the Cocos (Keeling) Islands. The sub-domain co.cc is managed by a Korean company.

I've never seen a registrar with such prominent links to reports of "Spam or Abuse", but there is a good reason for this: most of the malicious sites (fake AV, browser exploits, etc.), spam and free proxies seen in recent weeks use co.cc domains.

One of the 3 links to report spam and abuse at www.co.cc


All of the fake AV sites we've seen since July 1st are .co.cc domains, including sunclear.co.cc, avsolution20.co.cc, truefind49p.co.cc, oksave5.co.cc, fillfree21.co.cc, etc.

37% of all free proxies we've seen from our customers in the past 5 days are .co.cc domains, including surflife.co.cc, feelmuchbetter.co.cc, pickupsurf.co.cc, surfday.co.cc, etc.
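
One way to measure this share in your own proxy logs, as an added example that is not from the original post: it matches hosts on DNS label boundaries, so lookalikes such as co.cc.example.com are not counted. The log format, client addresses and function names are assumptions, and the log lines are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

ZONE = "co.cc"                      # free-subdomain zone discussed in the post
REGISTRAR_HOSTS = {"www.co.cc"}     # the registrar's own site, not a customer name

def host_of(url):
    """Lowercase hostname of a URL; accepts defanged hxxp:// and bare hosts."""
    url = url.strip()
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def zone_name(host, zone=ZONE):
    """Return the registered 'label.co.cc' name for host, or None if outside the zone."""
    labels, z = host.split("."), zone.split(".")
    if host in REGISTRAR_HOSTS or len(labels) <= len(z) or labels[-len(z):] != z:
        return None
    return ".".join(labels[-len(z) - 1:])

def summarize(log_lines):
    """Return (Counter of co.cc names, share of all requests that hit the zone)."""
    hits, total = Counter(), 0
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue                # skip malformed lines
        total += 1
        name = zone_name(host_of(fields[2]))
        if name:
            hits[name] += 1
    return hits, (sum(hits.values()) / total if total else 0.0)

# Constructed sample log: "<timestamp> <client> <url>"; one URL is defanged as in the post.
SAMPLE_LOG = [
    "2010-07-15T09:00:01 10.0.0.5 http://surfday.co.cc/index.php",
    "2010-07-15T09:00:02 10.0.0.5 http://WWW.SurfDay.co.cc:80/browse.php?u=x",
    "2010-07-15T09:00:03 10.0.0.7 hxxp://flashupdate.co.cc/",
    "2010-07-15T09:00:04 10.0.0.8 http://co.cc.example.com/",   # lookalike, outside the zone
    "2010-07-15T09:00:05 10.0.0.8 http://www.co.cc/",           # registrar's own site
    "2010-07-15T09:00:06 10.0.0.9 http://example.org/co.cc",    # zone string only in the path
    "2010-07-15T09:00:07 10.0.0.9 http://sunclear.co.cc./scan", # trailing-dot FQDN
]

if __name__ == "__main__":
    hits, share = summarize(SAMPLE_LOG)
    print(hits.most_common(), f"{share:.0%} of requests hit {ZONE} names")
```
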


Example of a malicious co.cc domain

Here is an example of a malicious co.cc site, hxxp://flashupdate.co.cc/. As its name suggests, the site tries to lure users into thinking they are downloading a newer version of the Flash plugin. The page was made for Internet Explorer users. It displays a fake IE warning that the Flash version is too old, and automatically attempts to download a malicious executable, v11_adobe_flash_update.exe. This executable is flagged by only 9 antivirus vendors out of 41.

Malicious site faking a Flash upgrade


-- Julien
