Additional Nineball Malware Domains Uncovered
by Jago Maniscalchi // June 20, 2009 // Exploits and Malware // No comments
The Google Hacking technique proved effective for finding domains whose URLs include the in.cgi?x pattern highlighted as part of the Nineball (and probably many other) attacks. In addition to the domains already listed on this site, a number of additional sites came to light.

Domains directly associated with the Nineball attack:
rnw.kz bro.tw rmi.tw molo.tw zedi.tw sovi.tw dmr.tw stopssse.info
Other domains exhibiting similar URLs, uncovered using Google Hacking, are below. At least one (google-analytstic.com) also links to the Nineball final page stopssse.info.
google-analytstic.com dreamwhores.com piontor.com igodir.com fidgoogle.com p0llo.com traffics-inspector.cn zbestservice.info mortgage-e.biz tixwagoq.cn porno-house.net javagoogle.net hifgejig.cn hqtms.com 91.203.70.58 googleloh.com nichetds.com twicecash.com goldensparks.com funnymovies.name naked-cartoon.com adultplanetworld.com
Visiting some of these sites resulted in a plain-text error:
Error: can't open redirects.log file
Google Hacking located further domains exhibiting the same error pattern:
onlyfind.net ssutra.com valza.com traffickeeper.net vipop.ru fickporn.com bdsex.ru findnolimits.com prosearchs.com oursim.com xanjan.cn teleporn.net
and uncovered a more comprehensive error report on ssutra.com:

The table below gives hosting information for the domains that appear to be connected with the attacks. It is clear that some domains have been around for a while and may have been compromised by the attackers rather than being registered specifically for an attack.
The Nineball servers (highlighted red) are conspicuous for being hosted on only a couple of machines and for being registered very recently. Which of the additional domains belong to Nineball still remains unclear, though it is certain that some, like google-analytstic.com, are at least related.
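Defenders who want to check their own proxy or web logs for the indicators above can do so with a short scan. The following is an added example, not code from the original post: it uses the Nineball domain list and the in.cgi? URL pattern described in this post, run over constructed sample log lines (the log format and the host names other than the post's domains are assumptions).

```python
import re
from urllib.parse import urlsplit

# Domains the post associates directly with Nineball (taken from the post).
NINEBALL_DOMAINS = {
    "rnw.kz", "bro.tw", "rmi.tw", "molo.tw", "zedi.tw",
    "sovi.tw", "dmr.tw", "stopssse.info",
}

# The redirector path pattern the post highlights: /in.cgi?<something>
IN_CGI_RE = re.compile(r"/in\.cgi\?\S*", re.IGNORECASE)

# Constructed sample proxy log (timestamp client "METHOD URL" status); not real traffic.
SAMPLE_LOG = """\
2009-06-20T10:01:02Z 10.0.0.5 "GET http://www.example.org/index.html" 200
2009-06-20T10:01:09Z 10.0.0.5 "GET http://bro.tw/in.cgi?3" 302
2009-06-20T10:01:10Z 10.0.0.5 "GET http://www.stopssse.info/" 200
2009-06-20T10:02:30Z 10.0.0.7 "GET http://other.example.net/in.cgi?x" 302
2009-06-20T10:03:00Z 10.0.0.9 "GET http://notstopssse.info/page" 200
"""
LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+)" (\d{3})$')

def matches_known_domain(host, known=NINEBALL_DOMAINS):
    """True if host equals a known domain or is a subdomain of one (not a lookalike)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in known)

def scan_proxy_log(text, known=NINEBALL_DOMAINS):
    """Return (timestamp, client, host, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        reasons = []
        if matches_known_domain(host, known):
            reasons.append("known-nineball-domain")
        if IN_CGI_RE.search(url):
            reasons.append("in.cgi-redirector-pattern")
        if reasons:
            hits.append((ts, client, host, reasons))
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```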