A paradigm shift
Newly registered domains. Pseudorandom names. Short TTLs. A myriad of IPs spread over unrelated ASNs, most of them being already well known for hosting malicious content. These are strong indicators, among others, that a domain is very likely to be malicious. Our team has been using algorithms that can automatically spot these malicious trends and block them for our customers.
However, the security industry is currently observing a significant paradigm shift. Spammers, scammers and malware authors are now massively abusing compromised machines in order to operate their business. Hours after the Boston Marathon bombing tragedy, a spam campaign drove recipients to a web page containing actual videos of the explosion. What site visitors didn’t know is that the page also contained a malicious iframe exploiting a recent vulnerability in Java that would download and install the Kelihos trojan.
Here are some of the infectors serving the malicious Java bytecode:
In order to evade most blacklists, the iframe in the video web page was switching to a new URL roughly every hour. Around the same time, other spam campaigns led to a similar page. Thousands of web sites were involved. We quickly set up scripts to monitor these web pages and block newly discovered domains in real time.
What all of these websites have in common is that they were not malicious. These were totally benign web sites, established for a long time, with a decent security track record and no distinctive network features. But in the blink of an eye they were compromised, and started infecting thousands of machines with malware. (Running software known to have well-known vulnerabilities didn’t help.)
A compromised host is a powerful weapon for malware authors. Having full control of a system makes it easy to serve different content according to the web browser, referrer, time or other criteria. The code can be updated anytime, in order to ship repacked versions or download data from different hosts.
Furthermore, backdoors like Darkleech can be planted and stay under the radar for a very long time for further malicious activities.
For this reason, detecting compromised hosts as soon as possible has become a critical research topic for our team.
Traffic spikes as an indicator of compromise
Anomaly detection is a way to spot some domain names we want to take a closer look at. In particular, we are keeping track of domain names seeing a sudden increase of traffic.
There are many legitimate reasons for such a spike to happen, for example a company may be sending a newsletter.
While being virtually useless as a defense against spam, a lot of mail transfer agents are doing preliminary checks on incoming email.
Whenever an email whose sender is example.com is received, these servers check that valid DNS MX or A records for example.com are present. They also frequently check that related PTR records map to one of the found IP addresses. TXT queries (for SPF and DomainKey records), as well as checks against DNS-based black lists are also common.
In order to reduce false positives when detecting compromised hosts, we only keep domain names for which we saw no TXT, SPF nor MX queries around the time the spike began.
Another common cause for a spike of traffic is web sites dedicated to specific events.
We use the Umbrella Security Graph to extract three features for domain names observing an abnormal increase of traffic:
– The popularity score, which reflects the number of distinct client IP addresses having looked up a domain name in a short time frame.
– The requester geographic distribution. Benign web sites seeing a spike of traffic after a special event tend to fit our models better than malicious domains.
– The c-rank, which reflects how frequently the domain name has been co-occurring with other domain names known to be malicious.