Numerous malicious .eu domains have been registered during November which are being used to infect PCs with malware via the Blackhole exploit kit. Here are some examples:
owzshm.eu
mpxuth.eu
ngpsjy.eu
wlwhhz.eu
jhzopj.eu
jqwwgm.eu
pmgugq.eu
jkiwhy.eu
nrxpxq.eu
vjtjpy.eu
xzjvhs.eu
xipuww.eu
kngipu.eu
ptkqzo.eu
pyrhox.eu
The domains all resolve to the same IP address, a server located in the Czech Republic.
They are short-lived; the names only resolve to the target server for a brief period before the attackers move on to the next.
This type of tactic is pretty common, used by many threats in their attempts to evade security filtering.
Normally however, it is TLDs other an .eu that are abused.
Digging a little further into the WHOIS information for these registrations reveals some interesting observations. A Finnish connection in fact, based on the registrant details provided.
Read more: http://nakedsecurity.sophos.com/2012/11/22/eu-blackhole-exploit-kit/
