Vulnerabilities / Threats

5/18/2016
12:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Domain Abuse Sinks Anchors Of Trust

Georgia Tech researchers create algorithm to help detect rising DNS domain abuse by cybercriminals, nation-state actors.

Researchers at Georgia Tech have developed an algorithm that helps catch abuse of recycled domain names, where attackers hide behind a reputable domain or inherit one previously used for malicious purposes.

Hijacking the reputation of retired domains by re-registering them is an oft-ignored but potentially lethal threat: cybercriminals or nation-state hackers can basically inherit the “residual trust” of the previous owner of a domain. According to the researchers, the abuse of a domain’s reputation could provide the bad guys just the cover they need, using a recognized reputable domain.

“On the Internet, we have used domains as trust anchors,” says Chaz Lever, a senior PhD student at Georgia Tech who worked on the project. “For a site that’s been around a long time, there’s a long [history] of positive recognition and the next person who buys it wants to leverage that good reputation. That’s an attractive domain for a malware author to evade reputation systems and blacklists.

“If you didn’t know ownership of the domain had changed, you’re not going to flag it for abuse. So [attackers] have a window here.”

On the flip side, by re-registering an expired domain used for malicious purposes, the new owner can then capture infected machines still calling home to the once-shuttered domain.

Lever and his fellow Georgia Tech researchers Yacin Nadji, David Dagon, Patrick McDaniel, Manos Antonakakis, and Penn State’s Robert Walls, next week at the IEEE Symposium on Security and Privacy in San Jose, will present their research on this form of Domain Name System (DNS) abuse, and their new Alembic algorithm, which sniffs out changes in domain ownership to help flag potential abuse.

 

Expiration Date

The researchers discovered that the number of domains landing on blacklists after they had expired grew from 784 between 2009 to 2012, to more than 9,000 in 2014. There’s also been an increase in malware using expired domains: more than 12,000 in 2013, up from 6,138. That’s a sign that this type of abuse is on the rise big-time, they say.

“Between 2009 and 2012, we saw ... malware using expired domains to leverage” attacks and slip past blacklists, Lever says. 

For a site that’s been around a lot time, These were domains likely being abused by bad guys for their once-trusted reputations, according to Lever. The researchers found that out of 320,009 blacklisted domains, 101,322 had expired. That’s about 32% of all blacklisted domains.

The number of domains that were abused after they had expired was about 27,758—about 28% of expired domains. These were domains likely being abused by bad guys for their once-trusted reputations, according to Lever.

Some 73,564 -- 72% of the expired domains -- were abused and then expired. 

“All in all, the fact that one-third of the domain names in public blacklists have this residual trust problem is very important for the community and it is clear that a policy action is needed here,” Antonakakis says.

The Georgia Tech team’s Alembic algorithm found previously unknown domain abuses, including one from an expired domain once used by an infamous Chinese APT group known for stealing intellectual property from satellite, aerospace, and communications companies, PLA Unit 61486. “We registered it, and started getting resolutions to it. So you could buy this APT for sinkholing,” Lever says. Although the domain had been expired for several years, it still received connection attempts every three seconds from a Taiwanese government research lab machine it had apparently breached.

A security researcher could use that to gather intelligence on an attack or an attack group such as PLA Unit 61486, for example. “But if an attacker were to buy it, it could just take it over or monetize the existing infections,” he says. That raises concerns over whether shuttered and formerly malicious domain names should be available for re-registration at all, the researchers say.

 

‘Subtle’ and Rare Today

Even so, a relatively small percentage of attacks today originate from reused and abused DNS domains.

Gunter Ollmann, chief security officer at Vectra Networks, notes that 0.2% of expired domains were found to be tied to some malicious behavior. “It is a very subtle attack and unlikely to be detected immediately” with today’s reputation systems, he says.

Ollmann says that while domain abuse of this type remains rare for now, it makes sense to begin to track and thwart the activity. It’s “well worth continued monitoring and taking steps to prevent it from becoming a significant threat in the future,” he says.

“There has been worry for many years about the threat of domain names that were taken down or used as sinkholes for a period of time, and that the bad guys could re-register them later to regain control of their botnets,” Ollmann says. “There are many tens-of-millions of infected devices attached to the Internet hunting for C&C domains that have been taken down at some point in time. Those victim machines can likely be controlled at sometime in the future when the bad guys are able to re-acquire the forgotten C&C domains.”

Ollmann expects re-registration of reputable domain names to become a juicy target for cybercriminals in the future, especially as domain name monitoring tools are easier to access.

 

Why Not WHOIS?

Alembic can root out exactly when a domain’s ownership changes. “Expirations aren't the only way that a domain can change ownership ... focusing solely on expirations has the potential to miss when a domain changes ownership. It's also possible that the original owner could purchase the domain again after” inadvertently allowing it to expire, Lever says.

Why not use the Net’s WHOIS tool to track abuse? WHOIS just doesn’t scale for the task of tracking domain abuse, according to the researchers. Lever says with WHOIS, “it's [also] easy to lie.”

“This is why we chose to focus on DNS for the Alembic algorithm. We can collect DNS at scale, and we rely on features that represent the underlying infrastructure and behavior of a domain,” he says.

The researchers hope to incorporate the algorithm into a commercial offering via startup NetRisk, a venture by Antonakakis, Lever, Nadji, and Dagon. 

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
The Morris Worm Turns 30
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/9/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12174
PUBLISHED: 2018-11-14
Heap overflow in Intel Trace Analyzer 2018 in Intel Parallel Studio XE 2018 Update 3 may allow an authenticated user to potentially escalate privileges via local access.
CVE-2018-3621
PUBLISHED: 2018-11-14
Insufficient input validation in the Intel Driver & Support Assistant before 3.6.0.4 may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
CVE-2018-3635
PUBLISHED: 2018-11-14
Insufficient input validation in installer in Intel Rapid Store Technology (RST) before version 16.7 may allow an unprivileged user to potentially elevate privileges or cause an installer denial of service via local access.
CVE-2018-3696
PUBLISHED: 2018-11-14
Authentication bypass in the Intel RAID Web Console 3 for Windows before 4.186 may allow an unprivileged user to potentially gain administrative privileges via local access.
CVE-2018-3697
PUBLISHED: 2018-11-14
Improper directory permissions in the installer for the Intel Media Server Studio may allow unprivileged users to potentially enable an escalation of privilege via local access.