
Domain Abuse Sinks ‘Anchors Of Trust’

Georgia Tech researchers create algorithm to help detect rising DNS domain abuse by cybercriminals, nation-state actors.

Researchers at Georgia Tech have developed an algorithm that helps catch abuse of recycled domain names, where attackers hide behind a reputable domain or inherit one previously used for malicious purposes.

Hijacking the reputation of retired domains by re-registering them is an oft-ignored but potentially lethal threat: cybercriminals or nation-state hackers can basically inherit the “residual trust” of the previous owner of a domain. According to the researchers, the abuse of a domain’s reputation could provide the bad guys just the cover they need, using a recognized reputable domain.

“On the Internet, we have used domains as trust anchors,” says Chaz Lever, a senior PhD student at Georgia Tech who worked on the project. “For a site that’s been around a long time, there’s a long [history] of positive recognition and the next person who buys it wants to leverage that good reputation. That’s an attractive domain for a malware author to evade reputation systems and blacklists.

“If you didn’t know ownership of the domain had changed, you’re not going to flag it for abuse. So [attackers] have a window here.”

On the flip side, by re-registering an expired domain used for malicious purposes, the new owner can then capture infected machines still calling home to the once-shuttered domain.

Lever and his fellow Georgia Tech researchers Yacin Nadji, David Dagon, Patrick McDaniel, Manos Antonakakis, and Penn State’s Robert Walls, next week at the IEEE Symposium on Security and Privacy in San Jose, will present their research on this form of Domain Name System (DNS) abuse, and their new Alembic algorithm, which sniffs out changes in domain ownership to help flag potential abuse.


Expiration Date

The researchers discovered that the number of domains landing on blacklists after they had expired grew from 784 between 2009 to 2012, to more than 9,000 in 2014. There’s also been an increase in malware using expired domains: more than 12,000 in 2013, up from 6,138. That’s a sign that this type of abuse is on the rise big-time, they say.

“Between 2009 and 2012, we saw ... malware using expired domains to leverage” attacks and slip past blacklists, Lever says. 

The researchers found that out of 320,009 blacklisted domains, 101,322 had expired. That’s about 32% of all blacklisted domains.

The number of domains that were abused after they had expired was about 27,758—about 28% of expired domains. These were domains likely being abused by bad guys for their once-trusted reputations, according to Lever.

Some 73,564 -- 72% of the expired domains -- were abused and then expired. 

“All in all, the fact that one-third of the domain names in public blacklists have this residual trust problem is very important for the community and it is clear that a policy action is needed here,” Antonakakis says.

The Georgia Tech team’s Alembic algorithm found previously unknown domain abuses, including one from an expired domain once used by an infamous Chinese APT group known for stealing intellectual property from satellite, aerospace, and communications companies, PLA Unit 61486. “We registered it, and started getting resolutions to it. So you could buy this APT for sinkholing,” Lever says. Although the domain had been expired for several years, it still received connection attempts every three seconds from a Taiwanese government research lab machine it had apparently breached.

A security researcher could use that to gather intelligence on an attack or an attack group such as PLA Unit 61486, for example. “But if an attacker were to buy it, it could just take it over or monetize the existing infections,” he says. That raises concerns over whether shuttered and formerly malicious domain names should be available for re-registration at all, the researchers say.


‘Subtle’ and Rare Today

Even so, a relatively small percentage of attacks today originate from reused and abused DNS domains.

Gunter Ollmann, chief security officer at Vectra Networks, notes that 0.2% of expired domains were found to be tied to some malicious behavior. “It is a very subtle attack and unlikely to be detected immediately” with today’s reputation systems, he says.

Ollmann says that while domain abuse of this type remains rare for now, it makes sense to begin to track and thwart the activity. It’s “well worth continued monitoring and taking steps to prevent it from becoming a significant threat in the future,” he says.

“There has been worry for many years about the threat of domain names that were taken down or used as sinkholes for a period of time, and that the bad guys could re-register them later to regain control of their botnets,” Ollmann says. “There are many tens-of-millions of infected devices attached to the Internet hunting for C&C domains that have been taken down at some point in time. Those victim machines can likely be controlled at sometime in the future when the bad guys are able to re-acquire the forgotten C&C domains.”

Ollmann expects re-registration of reputable domain names to become a juicy target for cybercriminals in the future, especially as domain name monitoring tools are easier to access.


Why Not WHOIS?

Alembic can root out exactly when a domain’s ownership changes. “Expirations aren't the only way that a domain can change ownership ... focusing solely on expirations has the potential to miss when a domain changes ownership. It's also possible that the original owner could purchase the domain again after” inadvertently allowing it to expire, Lever says.

Why not use the Net’s WHOIS tool to track abuse? WHOIS just doesn’t scale for the task of tracking domain abuse, according to the researchers. Lever says with WHOIS, “it's [also] easy to lie.”

“This is why we chose to focus on DNS for the Alembic algorithm. We can collect DNS at scale, and we rely on features that represent the underlying infrastructure and behavior of a domain,” he says.
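To make the idea of tracking ownership through DNS rather than WHOIS concrete, here is an added example written for this article; it is not the researchers' Alembic code and does not use the paper's actual feature set. It assumes a passive-DNS style feed of (domain, first-seen date, record type, value) observations, all constructed here, and applies a deliberately simple heuristic: when a domain's resolved infrastructure (A and NS records) is replaced wholesale after a long dormant gap, treat that as a likely change of ownership, then compare the inferred change date with the date the domain landed on a blacklist to separate "expired, then abused" from "abused, then expired" cases, the two categories the article counts. The `min_gap_days` and similarity threshold are illustrative assumptions, not values from the study.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style observations (domain, first_seen, rtype, value).
# These are made-up sample records, not data from the Georgia Tech study.
SAMPLE_RECORDS = [
    ("example-news.test", date(2012, 1, 5), "A", "198.51.100.10"),
    ("example-news.test", date(2012, 1, 5), "NS", "ns1.hoster-a.test"),
    ("example-news.test", date(2012, 6, 1), "A", "198.51.100.11"),
    ("example-news.test", date(2012, 6, 1), "NS", "ns1.hoster-a.test"),
    # After a long gap the domain resolves to entirely different infrastructure.
    ("example-news.test", date(2014, 3, 2), "A", "203.0.113.77"),
    ("example-news.test", date(2014, 3, 2), "NS", "ns1.hoster-b.test"),
    ("old-c2.test", date(2011, 4, 1), "A", "203.0.113.5"),
    ("old-c2.test", date(2011, 4, 1), "NS", "ns1.hoster-b.test"),
    ("old-c2.test", date(2013, 9, 9), "A", "192.0.2.200"),
    ("old-c2.test", date(2013, 9, 9), "NS", "ns.sinkhole-c.test"),
    # Same hosting provider throughout: a routine IP move, not a new owner.
    ("steady.test", date(2010, 2, 2), "A", "192.0.2.1"),
    ("steady.test", date(2010, 2, 2), "NS", "ns1.hoster-a.test"),
    ("steady.test", date(2013, 2, 2), "A", "192.0.2.2"),
    ("steady.test", date(2013, 2, 2), "NS", "ns1.hoster-a.test"),
]

# Constructed blacklist listing dates (hypothetical feed, not a real blacklist).
BLACKLIST_DATES = {
    "example-news.test": date(2014, 4, 1),  # listed after the inferred change
    "old-c2.test": date(2012, 1, 15),       # listed before the inferred change
}


def infrastructure_snapshots(records):
    """Group observations per domain into date-ordered sets of (rtype, value)."""
    snaps = defaultdict(lambda: defaultdict(set))
    for domain, seen, rtype, value in records:
        snaps[domain][seen].add((rtype, value))
    return {d: sorted(s.items()) for d, s in snaps.items()}


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def infer_ownership_changes(records, similarity_threshold=0.0, min_gap_days=365):
    """Return {domain: [dates]} where infrastructure was replaced wholesale
    after a dormant gap. Heuristic assumption: a full swap of A and NS records
    following a long gap is a proxy for an expiration and re-registration."""
    changes = {}
    for domain, snaps in infrastructure_snapshots(records).items():
        for (d_prev, s_prev), (d_cur, s_cur) in zip(snaps, snaps[1:]):
            gap_days = (d_cur - d_prev).days
            if jaccard(s_prev, s_cur) <= similarity_threshold and gap_days >= min_gap_days:
                changes.setdefault(domain, []).append(d_cur)
    return changes


def classify_domains(records, blacklist_dates):
    """Label each domain by the order of inferred ownership change and listing."""
    changes = infer_ownership_changes(records)
    verdicts = {}
    for domain in infrastructure_snapshots(records):
        change_dates = changes.get(domain, [])
        listed = blacklist_dates.get(domain)
        if not change_dates:
            verdicts[domain] = "no ownership change inferred"
        elif listed is None:
            verdicts[domain] = "ownership change, not blacklisted"
        elif change_dates[-1] <= listed:
            # Residual-trust case: the domain changed hands, then got listed.
            verdicts[domain] = "expired then abused"
        else:
            # Listed first, then re-registered: the later owner inherits the listing
            # and any hosts still calling home.
            verdicts[domain] = "abused then expired"
    return verdicts


if __name__ == "__main__":
    for domain, verdict in classify_domains(SAMPLE_RECORDS, BLACKLIST_DATES).items():
        print(f"{domain}: {verdict}")
```

Note what the `steady.test` case shows: a domain that moves to a new IP at the same hosting provider keeps a non-zero similarity and is not flagged, which also illustrates Lever's caveat that an original owner who lets a domain lapse and re-registers it on the same infrastructure would look unchanged to a method built only on infrastructure features. A production detector would need many more DNS-derived features and a tuned threshold; this block only demonstrates why infrastructure history is a workable signal where WHOIS data may be missing or false.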

The researchers hope to incorporate the algorithm into a commercial offering via startup NetRisk, a venture by Antonakakis, Lever, Nadji, and Dagon. 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
