Georgia Tech researchers create algorithm to help detect rising DNS domain abuse by cybercriminals, nation-state actors.
Researchers at Georgia Tech have developed an algorithm that helps catch abuse of recycled domain names, where attackers hide behind a reputable domain or inherit one previously used for malicious purposes.
Hijacking the reputation of retired domains by re-registering them is an oft-ignored but potentially lethal threat: cybercriminals or nation-state hackers can basically inherit the “residual trust” of the previous owner of a domain. According to the researchers, the abuse of a domain’s reputation could provide the bad guys just the cover they need, using a recognized reputable domain.
“On the Internet, we have used domains as trust anchors,” says Chaz Lever, a senior PhD student at Georgia Tech who worked on the project. “For a site that’s been around a long time, there’s a long [history] of positive recognition and the next person who buys it wants to leverage that good reputation. That’s an attractive domain for a malware author to evade reputation systems and blacklists.
“If you didn’t know ownership of the domain had changed, you’re not going to flag it for abuse. So [attackers] have a window here.”
On the flip side, by re-registering an expired domain used for malicious purposes, the new owner can then capture infected machines still calling home to the once-shuttered domain.
Lever and his fellow Georgia Tech researchers Yacin Nadji, David Dagon, Patrick McDaniel, Manos Antonakakis, and Penn State’s Robert Walls, next week at the IEEE Symposium on Security and Privacy in San Jose, will present their research on this form of Domain Name System (DNS) abuse, and their new Alembic algorithm, which sniffs out changes in domain ownership to help flag potential abuse.
The researchers discovered that the number of domains landing on blacklists after they had expired grew from 784 between 2009 to 2012, to more than 9,000 in 2014. There’s also been an increase in malware using expired domains: more than 12,000 in 2013, up from 6,138. That’s a sign that this type of abuse is on the rise big-time, they say.
“Between 2009 and 2012, we saw … malware using expired domains to leverage” attacks and slip past blacklists, Lever says.
For a site that’s been around a lot time, These were domains likely being abused by bad guys for their once-trusted reputations, according to Lever. The researchers found that out of 320,009 blacklisted domains, 101,322 had expired. That’s about 32% of all blacklisted domains.
The number of domains that were abused after they had expired was about 27,758—about 28% of expired domains. These were domains likely being abused by bad guys for their once-trusted reputations, according to Lever.
Some 73,564 — 72% of the expired domains — were abused and then expired.
“All in all, the fact that one-third of the domain names in public blacklists have this residual trust problem is very important for the community and it is clear that a policy action is needed here,” Antonakakis says.
The Georgia Tech team’s Alembic algorithm found previously unknown domain abuses, including one from an expired domain once used by an infamous Chinese APT group known for stealing intellectual property from satellite, aerospace, and communications companies, PLA Unit 61486. “We registered it, and started getting resolutions to it. So you could buy this APT for sinkholing,” Lever says. Although the domain had been expired for several years, it still received connection attempts every three seconds from a Taiwanese government research lab machine it had apparently breached.
A security researcher could use that to gather intelligence on an attack or an attack group such as PLA Unit 61486, for example. “But if an attacker were to buy it, it could just take it over or monetize the existing infections,” he says. That raises concerns over whether shuttered and formerly malicious domain names should be available for re-registration at all, the researchers say.
‘Subtle’ and Rare Today
Even so, a relatively small percentage of attacks today originate from reused and abused DNS domains.
Gunter Ollmann, chief security officer at Vectra Networks, notes that 0.2% of expired domains were found to be tied to some malicious behavior. “It is a very subtle attack and unlikely to be detected immediately” with today’s reputation systems, he says.
Ollmann says that while domain abuse of this type remains rare for now, it makes sense to begin to track and thwart the activity. It’s “well worth continued monitoring and taking steps to prevent it from becoming a significant threat in the future,” he says.
“There has been worry for many years about the threat of domain names that were taken down or used as sinkholes for a period of time, and that the bad guys could re-register them later to regain control of their botnets,” Ollmann says. “There are many tens-of-millions of infected devices attached to the Internet hunting for C&C domains that have been taken down at some point in time. Those victim machines can likely be controlled at sometime in the future when the bad guys are able to re-acquire the forgotten C&C domains.”
Ollmann expects re-registration of reputable domain names to become a juicy target for cybercriminals in the future, especially as domain name monitoring tools are easier to access.
Why Not WHOIS?
Alembic can root out exactly when a domain’s ownership changes. “Expirations aren’t the only way that a domain can change ownership … focusing solely on expirations has the potential to miss when a domain changes ownership. It’s also possible that the original owner could purchase the domain again after” inadvertently allowing it to expire, Lever says.
Why not use the Net’s WHOIS tool to track abuse? WHOIS just doesn’t scale for the task of tracking domain abuse, according to the researchers. Lever says with WHOIS, “it’s [also] easy to lie.”
“This is why we chose to focus on DNS for the Alembic algorithm. We can collect DNS at scale, and we rely on features that represent the underlying infrastructure and behavior of a domain,” he says.
The researchers hope to incorporate the algorithm into a commercial offering via startup NetRisk, a venture by Antonakakis, Lever, Nadji, and Dagon.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio