In March this year the Talos Security group at Cisco coined a name for an attack that hackers have been using since 2011 at least. Domain Shadowing is when an attacker gains admin access to a legitimate domain, and uses that legitimate domain to register a large amount of shady subdomains, usually with an exploit kit. For instance, visapayment.opendns[.]com instead of opendns[.]com. It’s becoming more common because of how easy it is to run a domain shadowing attack, and how hard they are to detect.

Using a Stolen Reputation

“Domain shadowing using compromised registrant credentials is the most effective, difficult to stop, technique that threat actors have used to date. The accounts are largely random so there is no way to track which domains will be used next. Additionally, the subdomains are very high volume, short lived, and random, with no discernible patterns. This makes blocking increasingly difficult,” Cisco threat researcher Nick Biasini explained in his blog post about Domain Shadowing. The worst part is owners of the legitimate domain are often not aware it is being used for Domain Shadowing.

OpenDNS Security Labs researchers have also been tracking the rising popularity of exploit kits, and responded with a new security models and features to detect them. One feature is an addition to OpenDNS’s threat intelligence search engine, Investigate. Called Pattern Search, the feature essentially adds regular expression and wildcard searching to the search engine, allowing for much more correlative results.

SPRank and Predictive Discovery

Pattern Search in action looking for DGAs.

Pattern Search in action looking for DGAs.

Currently most blocking and detection mechanisms for Domain Shadowing rely on some sort of domain reputation system that rates good versus bad domains. But reputation scores, according to Technical Leader Dhia Mahjoub, are not enough to catch most Domain Shadowing attacks. Mahjoub along with Security Researcher Thomas Mathew recently announced a new security model get around this issue.

“Compromised domains that have a great historical reputation will easily fool a reputation system,” Mahjoub wrote in a blog post.  Furthermore, cheap hosting makes it difficult to assign meaningful scores for IP reputation as new ranges appear having no historical context to provide it a score. SPRank avoids these issues by analyzing the DNS request patterns to a domain.” In other words, reputation scores, upon seeing a C Name like Amazon[.]com, will give a compromised subdomain a pass, since Amazon is a well-known and highly reputable site.

How to Further Protect Against Domain Shadowing

Aside from advanced security solutions like Investigate, the key to protecting against Domain Shadowing lies in protecting the credentials of your site’s registrant, and monitoring for changes on the domain’s registrant account. “It’s one thing that people just don’t do,” Craig Williams, security outreach manager for Cisco Talos, told ThreatPost in an interview. “No one logs back into their registrant account unless they are going to change something, or renew it.”

Two-factor authentication is probably the first, most effective precaution. Most domain registration companies, even the often abused GoDaddy, offer two-factor authentication. Using it will ensure that even if admin credentials are compromised, they can’t be used to register a new malicious domain.

To find out more about IP Space Monitoring, read Mahjoub’s blog post (linked above) — also includes an in-depth explanation of SPRank. To see the Pattern Search function in action, read the blog post by Security Researcher Chip McSweeney who used it in an experiment to find DGAs with Python.

This post is categorized in: