
5/18/2016
12:00 PM
Domain Abuse Sinks Anchors Of Trust

Georgia Tech researchers create algorithm to help detect rising DNS domain abuse by cybercriminals, nation-state actors.

Researchers at Georgia Tech have developed an algorithm that helps catch abuse of recycled domain names, where attackers hide behind a reputable domain or inherit one previously used for malicious purposes.

Hijacking the reputation of retired domains by re-registering them is an oft-ignored but potentially lethal threat: cybercriminals or nation-state hackers can basically inherit the “residual trust” of the previous owner of a domain. According to the researchers, the abuse of a domain’s reputation could provide the bad guys just the cover they need, using a recognized reputable domain.

“On the Internet, we have used domains as trust anchors,” says Chaz Lever, a senior PhD student at Georgia Tech who worked on the project. “For a site that’s been around a long time, there’s a long [history] of positive recognition and the next person who buys it wants to leverage that good reputation. That’s an attractive domain for a malware author to evade reputation systems and blacklists.

“If you didn’t know ownership of the domain had changed, you’re not going to flag it for abuse. So [attackers] have a window here.”

On the flip side, by re-registering an expired domain used for malicious purposes, the new owner can then capture infected machines still calling home to the once-shuttered domain.

Next week at the IEEE Symposium on Security and Privacy in San Jose, Lever and his fellow Georgia Tech researchers Yacin Nadji, David Dagon, Patrick McDaniel, and Manos Antonakakis, together with Penn State’s Robert Walls, will present their research on this form of Domain Name System (DNS) abuse and their new Alembic algorithm, which sniffs out changes in domain ownership to help flag potential abuse.


Expiration Date

The researchers discovered that the number of domains landing on blacklists after they had expired grew from 784 between 2009 to 2012, to more than 9,000 in 2014. There’s also been an increase in malware using expired domains: more than 12,000 in 2013, up from 6,138. That’s a sign that this type of abuse is on the rise big-time, they say.

“Between 2009 and 2012, we saw ... malware using expired domains to leverage” attacks and slip past blacklists, Lever says. 

The researchers found that out of 320,009 blacklisted domains, 101,322 had expired. That’s about 32% of all blacklisted domains.

The number of domains that were abused after they had expired was about 27,758—about 28% of expired domains. These were domains likely being abused by bad guys for their once-trusted reputations, according to Lever.

Some 73,564 -- 72% of the expired domains -- were abused and then expired. 

“All in all, the fact that one-third of the domain names in public blacklists have this residual trust problem is very important for the community and it is clear that a policy action is needed here,” Antonakakis says.

The Georgia Tech team’s Alembic algorithm found previously unknown domain abuses, including one from an expired domain once used by an infamous Chinese APT group known for stealing intellectual property from satellite, aerospace, and communications companies, PLA Unit 61486. “We registered it, and started getting resolutions to it. So you could buy this APT for sinkholing,” Lever says. Although the domain had been expired for several years, it still received connection attempts every three seconds from a Taiwanese government research lab machine it had apparently breached.

A security researcher could use that to gather intelligence on an attack or an attack group such as PLA Unit 61486, for example. “But if an attacker were to buy it, it could just take it over or monetize the existing infections,” he says. That raises concerns over whether shuttered and formerly malicious domain names should be available for re-registration at all, the researchers say.


‘Subtle’ and Rare Today

Even so, a relatively small percentage of attacks today originate from reused and abused DNS domains.

Gunter Ollmann, chief security officer at Vectra Networks, notes that 0.2% of expired domains were found to be tied to some malicious behavior. “It is a very subtle attack and unlikely to be detected immediately” with today’s reputation systems, he says.

Ollmann says that while domain abuse of this type remains rare for now, it makes sense to begin to track and thwart the activity. It’s “well worth continued monitoring and taking steps to prevent it from becoming a significant threat in the future,” he says.

“There has been worry for many years about the threat of domain names that were taken down or used as sinkholes for a period of time, and that the bad guys could re-register them later to regain control of their botnets,” Ollmann says. “There are many tens-of-millions of infected devices attached to the Internet hunting for C&C domains that have been taken down at some point in time. Those victim machines can likely be controlled at sometime in the future when the bad guys are able to re-acquire the forgotten C&C domains.”

Ollmann expects re-registration of reputable domain names to become a juicy target for cybercriminals in the future, especially as domain name monitoring tools are easier to access.


Why Not WHOIS?

Alembic can root out exactly when a domain’s ownership changes. “Expirations aren't the only way that a domain can change ownership ... focusing solely on expirations has the potential to miss when a domain changes ownership. It's also possible that the original owner could purchase the domain again after” inadvertently allowing it to expire, Lever says.

Why not use the Net’s WHOIS tool to track abuse? WHOIS just doesn’t scale for the task of tracking domain abuse, according to the researchers. Lever says with WHOIS, “it's [also] easy to lie.”

“This is why we chose to focus on DNS for the Alembic algorithm. We can collect DNS at scale, and we rely on features that represent the underlying infrastructure and behavior of a domain,” he says.
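The idea Lever describes, watching the infrastructure behind a domain rather than the claims in WHOIS, can be illustrated with a small change-point detector over passive-DNS-style observations. The following is an added example and is not the Alembic algorithm itself, whose internals the article does not describe; it is a deliberately simplified stand-in. Every domain, nameserver, ASN and date in it is constructed, and the assumed detection rule (nameserver set mostly replaced and hosting ASN changed between two consecutive resolving observations) is a choice made for this example. It also records whether the domain went unresolved in between, so the caveats Lever raises are visible in the output: a domain can change hands without ever expiring, and an original owner who lets a domain lapse and restores the same infrastructure is not flagged.

```python
"""
Toy ownership-change detector over passive-DNS-style observations.

Added example, not the Alembic algorithm. Inspired by the article's point
that DNS infrastructure features scale better and are harder to falsify
than WHOIS records. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Observation:
    day: date
    domain: str
    nameservers: Optional[FrozenSet[str]]  # None: domain did not resolve (e.g. lapsed)
    asn: Optional[int]                     # hosting ASN of the A record, None if unresolved


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Set similarity in [0, 1]; identical non-empty sets give 1.0."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def detect_ownership_changes(observations: List[Observation],
                             ns_similarity_max: float = 0.5) -> List[dict]:
    """Return suspected ownership-change events, one per flagged transition.

    Assumed rule (this example's, not Alembic's): between two consecutive
    *resolving* observations of a domain, flag when the nameserver set is
    mostly replaced (Jaccard below threshold) AND the hosting ASN changes.
    Requiring both suppresses routine nameserver rotation at one hoster.
    'via_expiration' records whether a non-resolving window was crossed,
    separating expiry-driven changes from transfers that never lapsed.
    """
    by_domain: Dict[str, List[Observation]] = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)

    events = []
    for domain, series in by_domain.items():
        series.sort(key=lambda o: o.day)
        prev = None        # last observation that actually resolved
        saw_gap = False    # passed through a non-resolving window since prev?
        for obs in series:
            if obs.nameservers is None or obs.asn is None:
                saw_gap = True
                continue
            if prev is not None:
                sim = jaccard(prev.nameservers, obs.nameservers)
                if sim < ns_similarity_max and prev.asn != obs.asn:
                    events.append({
                        "domain": domain,
                        "from": prev.day,
                        "to": obs.day,
                        "ns_similarity": round(sim, 2),
                        "asn": (prev.asn, obs.asn),
                        "via_expiration": saw_gap,
                    })
            prev = obs
            saw_gap = False
    return sorted(events, key=lambda e: (e["domain"], e["from"]))


# Constructed nameserver sets and observations (not real measurements).
NS_A = frozenset({"ns1.hoster-a.test", "ns2.hoster-a.test"})
NS_A2 = frozenset({"ns1.hoster-a.test", "ns3.hoster-a.test"})  # one server rotated, same hoster
NS_B = frozenset({"ns1.cheap-reg.test", "ns2.cheap-reg.test"})

SAMPLE = [
    # 1) long-lived site lapses, then reappears on entirely different infrastructure
    Observation(date(2014, 1, 5), "news-archive.test", NS_A, 64501),
    Observation(date(2014, 2, 5), "news-archive.test", NS_A, 64501),
    Observation(date(2014, 3, 5), "news-archive.test", None, None),  # NXDOMAIN: lapsed
    Observation(date(2014, 4, 5), "news-archive.test", NS_B, 64510),
    # 2) domain changes hands without ever lapsing (sale or transfer)
    Observation(date(2014, 1, 5), "shop-promo.test", NS_A, 64501),
    Observation(date(2014, 2, 5), "shop-promo.test", NS_B, 64510),
    # 3) lapses, but the original owner re-registers and restores the same setup
    Observation(date(2014, 1, 5), "club-site.test", NS_A, 64501),
    Observation(date(2014, 2, 5), "club-site.test", None, None),
    Observation(date(2014, 3, 5), "club-site.test", NS_A, 64501),
    # 4) routine nameserver rotation at the same hoster: not an ownership change
    Observation(date(2014, 1, 5), "blog-stable.test", NS_A, 64501),
    Observation(date(2014, 2, 5), "blog-stable.test", NS_A2, 64501),
]

if __name__ == "__main__":
    for event in detect_ownership_changes(SAMPLE):
        print(event)
```

Run as-is, the script flags only the first two constructed domains: news-archive.test with via_expiration True and shop-promo.test with via_expiration False. The club-site.test lapse is not flagged because the restored infrastructure matches, and blog-stable.test is not flagged because its ASN never changes even though one nameserver did. In practice the thresholds and features would be tuned against labelled data, which is exactly where collecting DNS at scale matters.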

The researchers hope to incorporate the algorithm into a commercial offering via startup NetRisk, a venture by Antonakakis, Lever, Nadji, and Dagon. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
