Vulnerabilities / Threats
5/18/2016
12:00 PM
Domain Abuse Sinks Anchors Of Trust

Georgia Tech researchers create algorithm to help detect rising DNS domain abuse by cybercriminals, nation-state actors.

Researchers at Georgia Tech have developed an algorithm that helps catch abuse of recycled domain names, where attackers hide behind a reputable domain or inherit one previously used for malicious purposes.

Hijacking the reputation of retired domains by re-registering them is an oft-ignored but potentially lethal threat: cybercriminals or nation-state hackers can basically inherit the “residual trust” of the previous owner of a domain. According to the researchers, the abuse of a domain’s reputation could provide the bad guys just the cover they need, using a recognized reputable domain.

“On the Internet, we have used domains as trust anchors,” says Chaz Lever, a senior PhD student at Georgia Tech who worked on the project. “For a site that’s been around a long time, there’s a long [history] of positive recognition and the next person who buys it wants to leverage that good reputation. That’s an attractive domain for a malware author to evade reputation systems and blacklists.

“If you didn’t know ownership of the domain had changed, you’re not going to flag it for abuse. So [attackers] have a window here.”

On the flip side, by re-registering an expired domain used for malicious purposes, the new owner can then capture infected machines still calling home to the once-shuttered domain.

Lever and his fellow Georgia Tech researchers Yacin Nadji, David Dagon, Patrick McDaniel, and Manos Antonakakis, together with Penn State’s Robert Walls, will present their research on this form of Domain Name System (DNS) abuse next week at the IEEE Symposium on Security and Privacy in San Jose, along with their new Alembic algorithm, which sniffs out changes in domain ownership to help flag potential abuse.


Expiration Date

The researchers discovered that the number of domains landing on blacklists after they had expired grew from 784 between 2009 and 2012 to more than 9,000 in 2014. There’s also been an increase in malware using expired domains: more than 12,000 in 2013, up from 6,138. That’s a sign that this type of abuse is on the rise big-time, they say.

“Between 2009 and 2012, we saw ... malware using expired domains to leverage” attacks and slip past blacklists, Lever says. 

The researchers found that out of 320,009 blacklisted domains, 101,322 had expired. That’s about 32% of all blacklisted domains.

The number of domains that were abused after they had expired was about 27,758—about 28% of expired domains. These were domains likely being abused by bad guys for their once-trusted reputations, according to Lever.

Some 73,564 -- 72% of the expired domains -- were abused and then expired. 

“All in all, the fact that one-third of the domain names in public blacklists have this residual trust problem is very important for the community and it is clear that a policy action is needed here,” Antonakakis says.

The Georgia Tech team’s Alembic algorithm found previously unknown domain abuses, including one from an expired domain once used by an infamous Chinese APT group known for stealing intellectual property from satellite, aerospace, and communications companies, PLA Unit 61486. “We registered it, and started getting resolutions to it. So you could buy this APT for sinkholing,” Lever says. Although the domain had been expired for several years, it still received connection attempts every three seconds from a Taiwanese government research lab machine it had apparently breached.

A security researcher could use that to gather intelligence on an attack or an attack group such as PLA Unit 61486, for example. “But if an attacker were to buy it, it could just take it over or monetize the existing infections,” he says. That raises concerns over whether shuttered and formerly malicious domain names should be available for re-registration at all, the researchers say.


‘Subtle’ and Rare Today

Even so, a relatively small percentage of attacks today originate from reused and abused DNS domains.

Gunter Ollmann, chief security officer at Vectra Networks, notes that 0.2% of expired domains were found to be tied to some malicious behavior. “It is a very subtle attack and unlikely to be detected immediately” with today’s reputation systems, he says.

Ollmann says that while domain abuse of this type remains rare for now, it makes sense to begin to track and thwart the activity. It’s “well worth continued monitoring and taking steps to prevent it from becoming a significant threat in the future,” he says.

“There has been worry for many years about the threat of domain names that were taken down or used as sinkholes for a period of time, and that the bad guys could re-register them later to regain control of their botnets,” Ollmann says. “There are many tens-of-millions of infected devices attached to the Internet hunting for C&C domains that have been taken down at some point in time. Those victim machines can likely be controlled at sometime in the future when the bad guys are able to re-acquire the forgotten C&C domains.”

Ollmann expects re-registration of reputable domain names to become a juicy target for cybercriminals in the future, especially as domain name monitoring tools are easier to access.


Why Not WHOIS?

Alembic can root out exactly when a domain’s ownership changes. “Expirations aren't the only way that a domain can change ownership ... focusing solely on expirations has the potential to miss when a domain changes ownership. It's also possible that the original owner could purchase the domain again after” inadvertently allowing it to expire, Lever says.

Why not use the Net’s WHOIS tool to track abuse? WHOIS just doesn’t scale for the task of tracking domain abuse, according to the researchers. Lever says with WHOIS, “it's [also] easy to lie.”

“This is why we chose to focus on DNS for the Alembic algorithm. We can collect DNS at scale, and we rely on features that represent the underlying infrastructure and behavior of a domain,” he says.
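The two ideas the article describes, inferring a change of control from DNS infrastructure rather than from WHOIS or expiration records, and then sorting blacklisted domains by whether the abuse came before or after that change, can be sketched in a few dozen lines. The following is an added illustration, not the Alembic algorithm or any code from the Georgia Tech team; the detection rule (a simultaneous turnover of a domain's nameserver set and of the ASNs its A records point into) is a deliberately simple stand-in, and every domain, nameserver, date and ASN in the sample data is constructed (ASNs are drawn from the RFC 5398 documentation range).

```python
"""
Toy change-of-control detector over constructed passive-DNS snapshots.

Added example; NOT the Alembic algorithm. It mirrors the article's point that
infrastructure features collected from DNS (nameservers, hosting ASNs) can show
when a domain changes hands, and then labels blacklisted domains by whether the
blacklisting came after that change (the "residual trust" population) or before it.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class DnsObservation:
    """One snapshot of a domain's infrastructure (constructed data)."""
    day: date
    nameservers: FrozenSet[str]   # authoritative NS hostnames seen on that day
    asns: FrozenSet[int]          # ASNs of the addresses the domain resolved to


def jaccard(a: FrozenSet, b: FrozenSet) -> float:
    """Set similarity in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def infrastructure_change_points(history: List[DnsObservation],
                                 threshold: float = 0.5) -> List[date]:
    """Days on which BOTH the nameserver set and the hosting ASN set turned over.

    A hosting migration alone is routine; a new operator typically brings both a
    new DNS provider and new hosting, so requiring both cuts down false alarms.
    The threshold is an assumption chosen for the sample data.
    """
    ordered = sorted(history, key=lambda o: o.day)
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        ns_sim = jaccard(prev.nameservers, cur.nameservers)
        as_sim = jaccard(prev.asns, cur.asns)
        if ns_sim < threshold and as_sim < threshold:
            changes.append(cur.day)
    return changes


def classify_blacklisting(history: List[DnsObservation], blacklisted_on: date) -> str:
    """Label one blacklisted domain relative to its first inferred change of control."""
    changes = infrastructure_change_points(history)
    if not changes:
        return "no change of control observed"
    if blacklisted_on >= changes[0]:
        return "abused after change of control"   # residual-trust pattern
    return "abused before change of control"     # abused, then changed hands


# Constructed sample data. 'old-owner.example' runs on one provider until a new
# NS set and a new hosting ASN appear on 2014-04-01; 'steady.example' never moves.
OLD_NS = frozenset({"ns1.oldhost.example", "ns2.oldhost.example"})
NEW_NS = frozenset({"ns1.parkinglot.example", "ns2.parkinglot.example"})

SAMPLE_CHANGED = [
    DnsObservation(date(2014, 1, 15), OLD_NS, frozenset({64496})),
    DnsObservation(date(2014, 2, 15), OLD_NS, frozenset({64496})),
    DnsObservation(date(2014, 3, 15), OLD_NS, frozenset({64496, 64497})),
    DnsObservation(date(2014, 4, 1), NEW_NS, frozenset({64511})),
    DnsObservation(date(2014, 5, 1), NEW_NS, frozenset({64511})),
]
SAMPLE_STEADY = [
    DnsObservation(date(2014, 1, 15), OLD_NS, frozenset({64498})),
    DnsObservation(date(2014, 3, 15), OLD_NS, frozenset({64498})),
]

# (domain, history, constructed blacklisting date)
SAMPLE_CASES = [
    ("old-owner.example", SAMPLE_CHANGED, date(2014, 5, 10)),
    ("early-abuse.example", SAMPLE_CHANGED, date(2014, 2, 1)),
    ("steady.example", SAMPLE_STEADY, date(2014, 2, 1)),
]


def run_demo(cases=SAMPLE_CASES) -> Dict[str, str]:
    """Classify every sample case; returns {domain: label}."""
    return {name: classify_blacklisting(hist, bl) for name, hist, bl in cases}


if __name__ == "__main__":
    for domain, label in run_demo().items():
        print(f"{domain:24s} {label}")
```

The useful output for a defender is the middle label: a blacklist hit that lands after an inferred change of control is the case where a reputation system keyed on domain age or history is being fooled, and it is the population the article says grew from hundreds to thousands of domains per year. As the quoted caveat notes, a change of infrastructure is evidence, not proof; the original owner moving providers, or re-registering a lapsed domain, looks the same to this heuristic, which is why the real work relies on richer DNS features than two sets.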

The researchers hope to incorporate the algorithm into a commercial offering via startup NetRisk, a venture by Antonakakis, Lever, Nadji, and Dagon. 


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
