July 23, 2012

A new service offered in the cybercriminal underground is geared toward spammers, scammers and malware purveyors interested in mass-registering dozens of dodgy domains in one go.

DoItQuick offers mass registration of malware domains.

The service — doitquick.net — will auto-register up to 15 domains simultaneously, choosing randomly named domains unless the customer specifies otherwise. DoItQuick sells two classes of domains: “white” domains that are “guaranteed” to stay registered for at least a year; and “black” domains that customers can use for illicit purposes and expect to last between 2 and 30 days before they are canceled.

This service makes it quite clear why customers might prefer the “black” domain registration service: “Domains for black deeds – these domains are registered for limited terms, from 2 to 30 days (average duration is about a week). Such domains are used for black and gray deeds. Low prices, fast registration! It is ideal for redirects, exploit packs, traffic, flood, botnets and other similar stuff. Domain names are checked for getting into blacklists, trackers and Spamhaus.”

DoItQuick refuses to guarantee registrations for domains purchased under its “white” classification if customers decide to use them to host exploits or other bad stuff.

“Domains for white – a domain that live year until paid off,” the site instruction. “They are ONLY for white matter, no viruses or other things!”

Fees for the black domains (without guarantee) run about $5, and payment is made via virtual currencies such as Webmoney and Liberty Reserve. When I told the system to auto-generate five domains for me, it suggested five Web site names in the .org registry; all of the domains were simply two or three random words run together, like “tweetdecksprefilled.org,” and “scriptair.org”.

This offering is another reminder that, where there is demand for a particular good or service in the computer crime underworld, someone will step up and create an automated way of meeting that need.


19 thoughts on “DoItQuick: Fast Domains for Dirty Deeds

  1. Kyle Collins

    The domains that are set as “black” are carded. So if you purchased through there, I’d suggest refunding.

    No other reason for registrars to be locking within 2 days.

    Redirect to google is now gone, and the sites just not there anymore.

    Dmitry Kunickiy (javofasta@gmail.com)
    982 chester ave
    New York
    ,220121
    US
    Tel. +1.8889002983

    Is on the WhoIS info.

    1. C

      FWIW, WHOIS for doitquick.net now leads to

      Registrant:
      N/A
      Dmitry Kunickiy (javofasta@gmail.com)
      ul podlesnaya d.29
      Perm
      ,614097
      RU
      Tel. +7.9656018062

  2. Nic

    I originally left a comment analyzing the bad networks providing service to reg3.ru, which provides DNS service to the doitquick.net domain, but that comment didn’t go through. (Slower website today? ddos attacks?)

    So I just decided that instead of blackholing reg3.ru in my local dnscache, I would just blackhole all of .ru. It’s already done. Now any domain that depends on .ru in any way will fail to resolve for me. This includes .com domains controlled by .ru nameservers.

    This is in addition to .su being blocked for months now with zero FPs.

    What a wretched hive of scum and villainy.

    Anyone (using Unix) can do this as well. Install on 127.0.0.1 dnscache, unbound, or dnsmasq, and configure it to return NXDOMAIN or SERVFAIL for .ru and .su. That alone will eliminate _tons_ of problems.

      1. Nic

        Ignoring problems won’t fix them; they’ll only multiply.

        1. mishka

          According to your logic ALL black people must be jailed “before problems are multiplied” 🙂

          Disrupting network operations because of your own superstitions is highly unprofessional. I do hope you are just some local petty tyrant, not person in charge of any decent size network

          1. Neej

            You are aware that he’s referring to his local DNS cache meaning it will only effect computers on whatever network he’s on right LOL … it’s hardly a matter of internet freedoms being violated or whatever you’re trying to say.

            1. Nic

              Exactly. As noted, it’s running on 127.0.0.1. (But I enjoyed the attempted dig at my competence!) 🙂

              That said, I do believe almost everyone should block .su (the Soviet Union) in their resolvers, which is recommended by abuse.ch, one of the most respected sites in abuse. It’s an illegitimate TLD and an abuse factory.

              http://www.abuse.ch/?p=3581

              Small businesses would probably do well blocking all of .ru as well depending on their users and customer base. Not possible for universities and other large networks.

              I’ve been blocking all of .ru since yesterday. No bad interactions so far.

    1. picachu

      I have no idea why would someone want to do this unless they are a russophobe.
      It is much easier to use .com domains for criminals, since .ru domains cost more and require more verification

  3. David Williams

    I’d think this sort of service would be pop up on agin and again regardless of who takes the domain down. It seems as stated that if there is a market for a service the void will easily be filled by a company or inidivual offering said service.

    It’s really just economics 101.

  4. Neej

    $5 is a pretty decent price for a .org domain. Just out of curiosity how much were the “white” domains going for?

    1. BrianKrebs Post author

      About double that. I believe the previous commenter is right: The black domains are carded; there really isn’t any other explanation for domains that would be revoked in 2 days.

      1. Michele

        $5 is way below the price charged by the registry, so I’m not 100% sure how they could charge so little.. While it would be possible to use the AGP to get a refund on *some* domains, you couldn’t use it that extensively

        1. SeymourB

          A carded domain, I believe, means they use a stolen credit card to register the domain name, which get revoked in short order when the stolen credit card’s charges get reversed.

          Since (as Brian has previously reported) credit cards are available in bulk for less than $5 each, a portion (large portion?) of the “registration fee” is going straight into the scammer’s pocket.

  5. Dave

    DoltQuick? So it’s a service targeting ricers?

  6. Adam

    But why would they just not by domains the normal way, through godaddy or something?

    And also what on earth to card thieves do anyway, they cant buy anything because the bank tracks them, its not like they send stuff to their house do they, that would be madness.

    Awesome job with the blog Brian.

  7. PC.Tech

    FYI…

    Something evil on 178.63.195.128/26
    http://blog.dynamoo.com/2012/08/something-evil-on-1786319512826.html
    “…A look at the 178.63.195.128/26 range (178.63.195.128 – 178.63.195.191) shows several suspicious websites with domains apparently generated by -DoItQuick- … quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malcious domains needs to be pointed somewhere else quickly.
    The registrant for this block is:
    inetnum: 178.63.195.128 – 178.63.195.191
    address: RUSSIAN FEDERATION
    178.63.195.163…
    178.63.195.167…
    178.63.195.168…
    178.63.195.170…
    178.63.195.171…”
    .

  8. John

    They might not be carded. Registrars have the ability to test domains for a couple days. Domain squatters use this frequently to test out new domains for traffic.

Comments are closed.