Security bods liberate EITest malware slaves
Miscreants' command and control network traffic sent down sinkhole
One of the world's longest-lived malware networks, EITest, has gone offline.
EITest was part of several infection chains: attackers used it to redirect visitors from compromised legitimate sites to pages that served exploit kits. In 2016, for example, it was part of an attack that used the website of shampoo brand Just for Men to push the RIG exploit kit.
To get rid of EITest, Proofpoint says it worked with researchers from BrilliantIT and Abuse.ch to sinkhole the infection chain.
Proofpoint's researchers wrote that EITest emerged in 2011, took a brief hiatus between 2013 and 2014, then re-emerged as a traffic seller in malware markets: “In 2014, we found that the actor was selling traffic in blocks of 50-70,000 visitors for US$20 per thousand, generating between $1,000 and $1,400 per block of traffic.”
More recently, it changed focus to concentrate on social engineering and technical support scams.
Proofpoint says it worked with its partners through March to redirect EITest command and control to four domains controlled by Abuse.ch, acting as the sinkhole.
“As a result of generating those new domains, we were able to substitute the malicious server with a sinkhole. We are now receiving the traffic from the backdoors on the compromised websites, freeing them from the EITest C&Cs and their visitors from the resulting malicious traffic and injects.”
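The sinkhole side of that substitution, as an added example that is not Proofpoint's or Abuse.ch's code: once the backdoor's C&C domains resolve to a server the defenders control, that server answers each poll with nothing to inject and keeps a tally of who is calling in. The backdoor's real request format is not described in the article, so the log lines, the query shape and the IP-to-country table below are constructed stand-ins; the aggregation mirrors the kind of figures reported from the sinkhole (request count, unique servers, source countries).

```python
"""Sinkhole-side handling of polls from backdoored websites (added example).

Everything here is constructed for illustration: the access-log lines, the
backdoor's query shape and the GeoIP stand-in. The real EITest protocol is
not described in the article this accompanies.
"""
from collections import Counter
import re

# Constructed sample of a sinkhole access log: compromised sites polling
# what they believe is their C&C, plus one junk line the parser must skip.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Mar/2018:00:01:02 +0000] "GET /?key=abc HTTP/1.1" 200 0 "-" "WordPress/4.9.4"
203.0.113.10 - - [15/Mar/2018:00:02:02 +0000] "GET /?key=abc HTTP/1.1" 200 0 "-" "WordPress/4.9.4"
198.51.100.7 - - [15/Mar/2018:00:02:30 +0000] "GET /?key=def HTTP/1.1" 200 0 "-" "WordPress/4.8.1"
192.0.2.44 - - [15/Mar/2018:00:03:11 +0000] "GET /?key=ghi HTTP/1.1" 200 0 "-" "Joomla/3.8"
192.0.2.45 - - [15/Mar/2018:00:03:12 +0000] "POST /gate.php HTTP/1.1" 200 0 "-" "curl/7.58"
this line is not a log entry and must be ignored
"""

# Constructed IP-to-country table standing in for a real GeoIP database.
GEO = {"203.0.113.10": "US", "198.51.100.7": "UA", "192.0.2.44": "CN", "192.0.2.45": "US"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are dropped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries, geo):
    """Aggregate the way sinkhole figures are usually reported.

    Countries are counted per unique requesting server, not per request,
    so one chatty implant cannot dominate the ranking.
    """
    servers = list(dict.fromkeys(e["ip"] for e in entries))  # unique, in first-seen order
    countries = Counter(geo.get(ip, "??") for ip in servers)
    platforms = Counter(e["ua"].split("/")[0] for e in entries)
    return {
        "total_requests": len(entries),
        "unique_servers": len(servers),
        "top_countries": countries.most_common(3),
        "top_platforms": platforms.most_common(3),
    }


def sinkhole_response(path):
    """Answer any backdoor poll with an empty body.

    The implant on the compromised site gets nothing to inject into its
    visitors' pages, whatever it asked for. Returning 200 rather than an error
    is an assumption about how the implant treats failures; adjust once the
    implant's behaviour is known.
    """
    return 200, {"Content-Type": "text/plain", "Content-Length": "0"}, b""


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG), GEO)
    for k, v in stats.items():
        print(f"{k}: {v}")
    print(sinkhole_response("/?key=abc"))
```

In practice the log would be the sinkhole's live access log and the country lookup a real GeoIP database; the per-server counting is the detail worth keeping, since polling implants repeat themselves every few minutes and would otherwise skew any per-request ranking.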
Between March 15, 2018 and April 4, the post said, the sinkhole received “44 million requests from roughly 52,000 servers”, most of which were compromised WordPress sites. The three top sources of infection were the USA, Ukraine, and China. ®