We’ve covered the topic of Exploit kits from a DNS perspective on this blog several times before [1][2][3]. In today’s post, we’ll look at another threat, the Nuclear Pack Exploit Kit, which is currently targeting users through malvertising campaigns. In addition, we’ll share information about our efforts to monitor, block, and eradicate these malicious domains – such as the recent takedown campaign carried out in conjunction with the team at MalwareMustDie, which has resulted in 174 Nuclear Exploit Kit domains being shut down thus far [4] (the operation is still ongoing).

First, a quick review of malvertising, a regular infection vector for Internet users. During this type of attack, malicious ads are injected into legitimate online advertising networks, leading unsuspecting users to sites hosting exploit kits and eventually dropping malware onto victims’ machines. A few advertising networks like Clicksor and Klixfeed are occasionally abused, and recent campaigns involving PopOnClick and Klixfeed leading to Nuclear Exploit Kit and Zbot trojan dropping were reported by security researcher @malekal_morte on Feb 11th and 13th [5].

The exploit landing sites in question correspond to a known stream of Nuclear Pack Exploit Kit domains abusing the .pw ccTLD – a list of domains we have been monitoring and blocking as soon as they go live (see the “Predicting the Emergence of Exploit Kit and Malware Domains” section in [6] and [7] for more information).

Monitoring the Evasive Patterns

For the past few months, the bad actors behind these Nuclear Pack domains have been abusing the IP space of OVH (a hosting provider) by hosting subdomains on small sub-allocated blocks of contiguous IPs. We have recently observed a similar pattern across several IP ranges, e.g. [8][9], patterns which were also reported by other security researchers [10].

As an example, let’s look at the range ( i.e. to In this case, the set of 16 IPs had actively hosted about 9790+ Nuclear Pack subdomains between Jan 11th and Feb 2nd. Subsequently, new IP ranges have been used to host Nuclear Pack, for example, and

Recent efforts by security researchers in reporting this abuse led OVH to neutralize this stream of malicious IPs on their IP space. The bad actors then switched to a Ukrainian hosting provider, besthosting.ua. At the time of publication, the bad actors have been using the range to and since Feb 7th [11]. Notice these IPs are running nginx 0.7.67 as the exploit kit web server. The IPs are not brought online by the bad actors all at once, but in small blocks over time, just when they are about to be used. The live IPs in this range all show the same open ports and services fingerprint in nmap, shown below:

22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp  open  http    nginx web server 0.7.67
111/tcp open  rpcbind

Below are the IPs that were used, along with the “first seen, last seen” dates of subdomains on them:

2014-02-12 2014-02-13
2014-02-12 2014-02-12
2014-02-12 2014-02-12
2014-02-11 2014-02-12
2014-02-10 2014-02-11
2014-02-10 2014-02-11
2014-02-10 2014-02-10
2014-02-09 2014-02-10
2014-02-08 2014-02-09
2014-02-07 2014-02-08

Following abuse reports sent by different security researchers to besthosting.ua regarding this malicious IP range, the bad actors switched back and started using on Feb 13th [12]. Also, was live since Feb 13th and started hosting Nuclear domains on Feb 14th.

In the figures below, we’ve used our DNSDB to show the daily counts of Nuclear Pack subdomains on the OVH IP range, active between Jan 11th and Feb 2nd, as well as the count of subdomains per IP:

We are currently blocking the entire [13] range of IPs as they seem highly suspicious, thereby ensuring any subdomains that start resolving to them are inaccessible.
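The “first seen, last seen” table, the daily-count figures and the decision to block a whole sub-allocated range all fall out of the same passive-DNS data. The script below is an added example, not code from the original post or from the authors’ DNSDB tooling; it works on a constructed set of A-record observations (made-up hostnames, IPs from the TEST-NET-3 documentation range) and shows how to derive per-IP first/last-seen dates and distinct-subdomain counts, the daily counts for a prefix, and the smallest CIDR covering every busy IP, which is the range a resolver would block. The minimum of two distinct names per IP used as the “busy” threshold is an assumption chosen for the sample, not a value from the post.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed passive-DNS observations in the form "YYYY-MM-DD name rrtype rdata".
# Hostnames are invented and IPs come from TEST-NET-3 (203.0.113.0/24); nothing
# here is taken from the real campaign described in the post.
PDNS_SAMPLE = """\
2014-02-07 k3j9d.landing-example.pw A 203.0.113.17
2014-02-07 z8q1x.landing-example.pw A 203.0.113.17
2014-02-08 p2m7v.landing-example.pw A 203.0.113.17
2014-02-08 t5r0c.landing-example.pw A 203.0.113.18
2014-02-09 h7w2n.landing-example.pw A 203.0.113.18
2014-02-09 d1y6b.landing-example.pw A 203.0.113.19
2014-02-10 q9e4l.landing-example.pw A 203.0.113.19
2014-02-10 s3u8f.landing-example.pw A 203.0.113.20
2014-02-10 www.unrelated-example.org A 203.0.113.200
"""


def parse_records(text):
    """Parse 'date name rrtype rdata' lines into (date, name, ip) tuples; A records only."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A":
            continue
        out.append((date.fromisoformat(parts[0]),
                    parts[1].lower(),
                    ipaddress.ip_address(parts[3])))
    return out


def first_last_seen(records):
    """Per IP: (first seen, last seen, number of distinct names) -- the table the post shows."""
    stats = {}
    for d, name, ip in records:
        first, last, names = stats.get(ip, (d, d, set()))
        stats[ip] = (min(first, d), max(last, d), names | {name})
    return {ip: (f, l, len(n)) for ip, (f, l, n) in stats.items()}


def daily_counts(records, network):
    """Distinct names per day resolving into `network` -- the daily-count chart."""
    network = ipaddress.ip_network(network)
    per_day = defaultdict(set)
    for d, name, ip in records:
        if ip in network:
            per_day[d].add(name)
    return {d: len(n) for d, n in sorted(per_day.items())}


def covering_prefix(ips):
    """Smallest CIDR containing every IP in `ips`; widen a /32 until it covers them all."""
    ips = [ipaddress.ip_address(i) for i in ips]
    net = ipaddress.ip_network(ips[0])
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net


def suspicious_block(records, min_names_per_ip=2):
    """IPs hosting at least `min_names_per_ip` distinct names, plus the prefix covering them.

    The threshold is an assumption for this sample; tune it to the feed's volume.
    """
    busy = [ip for ip, (_, _, n) in first_last_seen(records).items() if n >= min_names_per_ip]
    return busy, (covering_prefix(busy) if busy else None)


if __name__ == "__main__":
    recs = parse_records(PDNS_SAMPLE)
    for ip, (first, last, n) in sorted(first_last_seen(recs).items()):
        print(f"{ip}\t{first}\t{last}\t{n} names")
    print(daily_counts(recs, "203.0.113.16/29"))
    print(suspicious_block(recs))
```

Run as-is it prints the per-IP table, the daily counts for the /29 and the covering prefix 203.0.113.16/30; the unrelated host on .200 has a single name and so stays out of the block. On a real feed the same functions apply to a sliding window of observations, so a newly lit IP inside an already-flagged prefix is caught on its first resolution.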

Predicting and Neutralizing Nuclear Pack Domains Before They Are Weaponized

More importantly, as of Feb 14th, we counted six authoritative name servers answering for the current .pw Nuclear Pack domains:

dns1.echouniversal.com. 86400
dns2.echouniversal.com. 86400
dns1.merchantmarkets.com. 86400
dns2.merchantmarkets.com. 86400
dns1.highlinerservices.com. 86400
dns2.highlinerservices.com. 86400

Four of these IPs are currently live:

and they also show similar open ports/services fingerprints:

22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
53/tcp open domain ISC BIND 9.7.3
80/tcp open http Apache httpd 2.2.16 ((Debian))
445/tcp filtered microsoft-ds

These name servers are hosted on OVH IPs, so it appears the bad actors are still keeping a foothold on OVH’s IP space. The same suspicious actor(s) who reserved the small ranges hosting the Nuclear Pack name servers have also reserved the ranges below: – – – – – –

and – – – – –

and –

and –

and – – – – – – –

and – – – –

We have blocked the name server 2LDs and the bulk of these IP ranges as a preventive measure, and are monitoring any new suspicious name servers that appear on them.

Preemptive Strike

Additionally, on Feb 14th, another stream of Nuclear EK subdomains appeared on [14], hosted by a Russian hosting provider, Petersburg Internet Network LLC. That IP is part of the prefix, on which there are currently 62 live IPs.

The following IPs (including the current that is hosting live Nuclear subdomains) all have the same open ports/services fingerprints indicated below:

22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)
80/tcp open http nginx web server 1.2.1
111/tcp open rpcbind

As we showed in the pattern on to and, above, the pattern on is clearly preparation to use these IPs as web servers to host the Nuclear Pack Exploit Kit attacks.

Using this intel, we are predicting the emergence of these domains before they appear and preemptively blocking IPs before they are weaponized with Exploit Kit domains, as well as IPs serving the name server infrastructure of the Nuclear Exploit domains.

The malicious campaign of these bad actors is live and ongoing, so we expect them to shift to other hosting providers to set up their name server and Exploit Kit server infrastructure. At the moment, their MO of choice seems to be keeping their name servers on OVH and setting up the Exploit Kit servers at Eastern European hosting providers.

For further information about the web traffic analysis/monitoring of these exploit kit attacks and the malvertising campaigns leading to them, we recommend the excellent work and updates of @malekal_morte, @kafeine, @jeromesegura and @MalwareMustDie, just to name a few.
