Internet identifiers such as domain names, IP address blocks and Autonomous System numbers are registered and managed through Internet authority organizations (for example, the Internet Corporation for Assigned Names and Numbers (ICANN)) and the registries and registrars that operate under them. Information about the users (assignees) of these identifiers, including name, mailing address, phone number and email address, is stored and published in Whois databases.
We have used Whois data before to observe links between bad entities and to associate threats with bad actors (big data threat detection, Yahoo mail compromise).
However, Whois information is rather limited, if not entirely useless, for identifying bad actors by their registration details. Because registrars do little to verify the data (as pointed out here), we don't expect bad actors to use their real information when registering domains for malicious purposes.
In addition, bad actors can hide their registration details behind the Whois privacy protection services offered by many registrars. Plenty of such services exist, and many legitimate registrants use them out of genuine privacy concerns.
That said, we decided to take the plunge and do some data crunching with a proprietary Whois database. In this post, we'll share some of our findings and use cases.
Many domains are registered but never used
90% of the domain names registered less than 8 days ago receive no traffic from OpenDNS users. One reason is that a large number of these sites host bogus content, or no content at all. Name dealers buy domain names in bulk and hold them to sell at a premium, and brand owners register domains defensively to pre-empt cybersquatting.
Every day, about 90,000 new domains are registered within the .com zone alone. However, more than 6.61% of them vanish within 5 days: they are registered for the usual one-year term, yet the Whois registry shows no record for them more than a few days after registration. (As a note: ICANN's Add Grace Period lets a registrar delete a new registration within 5 days of creation and recover the fee, for example when the registrant never pays; registering names only to drop them inside this window is known as domain tasting.)
To our surprise, we didn't observe many domain tasting sites being used to serve malware or for phishing: of the domains that vanished within 5 days, only 3 were found to be malicious. Domain tasting sites were, however, heavily used for SEO and spam.
Exploit kit distribution domains show varying life cycles
It's easy to assume that well-established domain names are less likely to serve malware than recently registered ones. However, it has become fairly common for malware to rely not only on compromised web sites but also on compromised domains: when an attacker gains control of a domain's DNS (usually by stealing the registrant's registrar credentials), the existing records are left untouched and additional records, typically new subdomains pointing at malicious IPs, are added. This is a clever way to fool security products: the malware is served from a name that inherits the "good reputation" and age of the parent domain. The useful check is therefore when a given record first appeared, not when the domain was registered.
The Angler Exploit Kit has relied heavily on this tactic. On average, the domains used to serve it had been registered 1,388 days before the malicious DNS records were added.
The infamous Urausy ransomware is one of the many examples of malware relying on dynamic DNS services: its hostnames live under dynamic DNS provider domains that were registered no less than 12 years ago, so the registration age of the parent domain says nothing about the hostname itself.
On the other hand, the popular Magnitude Exploit Kit typically relies on domain names registered at most 24 hours before they become active.
The Neutrino Exploit Kit is also an interesting case: traffic is observed 3 days (on average) before the domain is actually registered, i.e. clients are already querying the name while it still fails to resolve.
Domains used by the Nuclear Exploit Kit are registered between 1 and 100 days before becoming active, and we've observed a similar range for the Grandsoft Exploit Kit.
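The two measurements behind the sections above, the 5-day withdrawal window that separates tasted domains from kept ones and the registration-to-first-traffic lag that separates the exploit kit profiles, as an added example that is not code from the original post or from OpenDNS. It assumes Whois "Created on:" timestamps in the shapes the sd output below prints ("+0000" and "UTC" suffixes) plus ISO-8601 "Z"; the sample domains, creation dates and first-seen times are constructed, and the kit names in the comments only label which profile from the post each constructed record resembles. The bucket boundaries are taken from the ranges quoted in the post, not from any OpenDNS classifier.

```python
"""Registration-to-activity lag and Add Grace Period check from Whois timestamps.

Added example, not code from the original post or from OpenDNS. Input is the
"Created on:" value as printed by sd and the time of the first observed DNS
query; output is how old the domain was when it went live.
"""
from datetime import datetime, timezone

# Whois timestamps come in several shapes. The two seen in the post are
# "2014-01-13 14:34:25 +0000" and "2013-07-16 20:59:04 UTC"; ISO-8601 "Z" is
# a third common one.
WHOIS_TS_FORMATS = (
    "%Y-%m-%d %H:%M:%S %z",
    "%Y-%m-%d %H:%M:%S UTC",
    "%Y-%m-%dT%H:%M:%SZ",
)

ADD_GRACE_DAYS = 5  # ICANN Add Grace Period: deletions inside it are refunded


def parse_whois_ts(value):
    """Parse a Whois timestamp into an aware UTC datetime; raise on unknown formats."""
    value = value.strip()
    for fmt in WHOIS_TS_FORMATS:
        try:
            dt = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:  # the "UTC" and "Z" formats carry no tzinfo
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc)
    raise ValueError(f"unrecognised Whois timestamp: {value!r}")


def lag_days(created, first_seen):
    """Days from registration to first observed DNS query (negative = traffic came first)."""
    delta = parse_whois_ts(first_seen) - parse_whois_ts(created)
    return delta.total_seconds() / 86400


def lifecycle(lag):
    """Bucket a lag (in days) into the profiles described in the post."""
    if lag < 0:
        return "active before registration"            # Neutrino-like
    if lag <= 1:
        return "registered within 24h of use"          # Magnitude-like
    if lag <= 100:
        return "registered 1-100 days before use"      # Nuclear/Grandsoft-like
    return "long-established; check for added records"  # Angler-like (compromised domain)


def dropped_in_grace_period(created, last_seen_in_whois):
    """True if the Whois record vanished within the Add Grace Period (domain tasting profile)."""
    return 0 <= lag_days(created, last_seen_in_whois) <= ADD_GRACE_DAYS


# Constructed sample records (hypothetical names and dates, not real observations).
SAMPLE = [
    {"domain": "old-but-shadowed.example", "created": "2010-05-02 00:00:00 UTC",
     "first_seen": "2014-02-18 00:00:00 UTC"},
    {"domain": "fresh-landing.example", "created": "2014-03-01 10:00:00 +0000",
     "first_seen": "2014-03-01 22:00:00 +0000"},
    {"domain": "queried-first.example", "created": "2014-03-10 00:00:00 UTC",
     "first_seen": "2014-03-07 00:00:00 UTC"},
    {"domain": "weeks-old.example", "created": "2014-01-01T00:00:00Z",
     "first_seen": "2014-02-10T00:00:00Z"},
]


def summarize(records):
    """Return {domain: (lag_in_days, lifecycle_label)} for a list of records."""
    out = {}
    for r in records:
        lag = lag_days(r["created"], r["first_seen"])
        out[r["domain"]] = (lag, lifecycle(lag))
    return out


if __name__ == "__main__":
    for dom, (lag, label) in summarize(SAMPLE).items():
        print(f"{dom:28} {lag:9.1f} days  {label}")
```

A negative lag is kept rather than clamped to zero: queries arriving before the creation date are exactly the Neutrino signal the post describes, and a resolver log is the only place you will see them, since Whois alone cannot show traffic that predates the record.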
Many black hat SEO and spam sites are observed with huge spikes of traffic
Every day, an enormous number of domains are registered for mass marketing, spam, black hat SEO and rogue pharmacies. We also see companies and individuals registering massive numbers of new domain names every day, each of which immediately receives an unusual number of DNS queries from clients all over the world.
As an example, numerous domains registered by "Audacity Media"/"Yellow Media" follow this pattern, featuring a big spike of traffic that doesn't last more than a single day:
(Details about the sd tool that produced the following output are at the end of this post.)
$ sd -o stone-wav3s.us
0 0 0 0 0 0 0 0 0 0 0 0 0 0 56300 ******************************
Created on:    2014-01-13 14:34:25 +0000
Updated on:    2014-01-13 14:34:26 +0000
Registrar:     Wild West Domains, Inc.
Registered by: Jessie Valle <email@example.com>, Audacity-Media
               2637 E Atlantic Blvd #25405 - 33062 Pompano Beach - US
Name servers:  ns05.domaincontrol.com ns06.domaincontrol.com
On the same infrastructure:
  00004446.stone-wav3s.us 00008100.stone-wav3s.us 0000db52.stone-wav3s.us
  0000e5ab.stone-wav3s.us 00018c60.stone-wav3s.us 00025c8f.stone-wav3s.us
  00027960.stone-wav3s.us 00033988.stone-wav3s.us 000339cc.stone-wav3s.us
  0003da11.stone-wav3s.us 00053035.stone-wav3s.us
  ...and 48 other names

$ sd -o botiriddi.me
0 0 0 0 0 0 0 0 0 0 0 0 0 28427 ******************************
Created on:    2013-07-16 20:59:04 UTC
Updated on:    2013-09-15 20:50:04 UTC
Registrar:     NameCheap R216-ME
Registered by: Yellow Media <firstname.lastname@example.org>, Yellow Media
               2637 E Atlantic Blvd #24199 - 33062 Pompano Beach - US
Name servers:  dns1.registrar-servers.com dns2.registrar-servers.com
               dns3.registrar-servers.com dns4.registrar-servers.com
               dns5.registrar-servers.com
On the same infrastructure:
  botiriddi.me www.botiriddi.me 0000ecd5.botiriddi.me 00018aa4.botiriddi.me
  00032955.botiriddi.me 0003b2e0.botiriddi.me 00042e80.botiriddi.me
  000657cc.botiriddi.me 0006cac3.botiriddi.me 00073931.botiriddi.me
  00095cb2.botiriddi.me
  ...and 19 other names
These domains resolve to a large set of IPs, all of them hosting a web server showing nothing more than a default Apache page. Even though our emails to the administrative contacts for these domains never received a reply, we can presume that these domains are being used for mass marketing, not to distribute malware.
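A way to automate the two pivots used above, the one-day traffic spike visible in the sd query-count line and the shared Pompano Beach street address that links two differently named registrants, as an added example that is not code from the original post or from OpenDNS. The records are built from the two sd outputs quoted above plus a constructed steady-traffic control domain; the 90% one-day share and the 1,000-query floor are thresholds chosen for this example, not values from the post, and the address regex assumes the "street #box - postcode" layout shown in those two records.

```python
"""Single-day traffic spikes and registrant address pivots from sd-style records.

Added example, not code from the original post or from OpenDNS. It parses the
daily query-count line that sd prints (the trailing asterisks are only a bar
chart), flags domains whose traffic is concentrated in one day, and groups
domains by the registrant's street address so that differing mailbox numbers
such as "#25405" and "#24199" do not break the link.
"""
import re
from collections import defaultdict

# "2637 E Atlantic Blvd #25405 - 33062" -> street and postcode, ignoring the box number
ADDRESS_RE = re.compile(r"(\d+\s+[A-Za-z0-9 .]+?)\s*#\s*\d+\s*-\s*(\d{5})")

# First two records copied from the sd output quoted in the post; the third is
# a constructed control with ordinary, steady traffic and an unrelated address.
SAMPLE = [
    {"domain": "stone-wav3s.us",
     "traffic": "0 0 0 0 0 0 0 0 0 0 0 0 0 0 56300 ******************************",
     "registrant": "Jessie Valle <email@example.com>, Audacity-Media "
                   "2637 E Atlantic Blvd #25405 - 33062 Pompano Beach - US"},
    {"domain": "botiriddi.me",
     "traffic": "0 0 0 0 0 0 0 0 0 0 0 0 0 28427 ******************************",
     "registrant": "Yellow Media <firstname.lastname@example.org>, Yellow Media "
                   "2637 E Atlantic Blvd #24199 - 33062 Pompano Beach - US"},
    {"domain": "steady-control.example",
     "traffic": "120 98 143 110 131 99 105 118 127 102 96 134 121 109 115 ******",
     "registrant": "Example Registrant <registrant@example.net>, Example Org "
                   "100 Main St #1 - 10001 New York - US"},
]


def parse_daily_counts(line):
    """Return the integer daily counts from an sd traffic line, dropping the bar glyphs."""
    return [int(tok) for tok in line.split() if tok.isdigit()]


def single_day_spike(counts, min_total=1000, min_share=0.9):
    """True when at least min_share of all queries fell on a single day and volume is real."""
    total = sum(counts)
    if total < min_total:
        return False  # too little traffic to call anything a spike
    return max(counts) / total >= min_share


def address_key(registrant):
    """Street + postcode pivot key, lower-cased, with the mailbox number removed."""
    m = ADDRESS_RE.search(registrant)
    if not m:
        return None
    street, postcode = m.groups()
    return f"{' '.join(street.lower().split())}|{postcode}"


def cluster_by_address(records):
    """Group domain names by registrant address key (records without a parsable address are skipped)."""
    groups = defaultdict(list)
    for r in records:
        key = address_key(r["registrant"])
        if key is not None:
            groups[key].append(r["domain"])
    return {k: sorted(v) for k, v in groups.items()}


def spiking_domains(records):
    """Domains whose traffic is a single-day spike, mapped to the size of that spike."""
    result = {}
    for r in records:
        counts = parse_daily_counts(r["traffic"])
        if single_day_spike(counts):
            result[r["domain"]] = max(counts)
    return result


if __name__ == "__main__":
    print(spiking_domains(SAMPLE))
    for key, domains in cluster_by_address(SAMPLE).items():
        print(key, "->", domains)
```

The address pivot deliberately ignores the registrant name and email, which is what differs between the two records, and keys on the part that is expensive to vary: a physical mailing address. It is a lead, not proof, so the cluster should be confirmed against shared name servers or hosting, as the "On the same infrastructure" lists above do.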
More on the sd tool
The OpenDNS Security Graph is our unique database of DNS queries, on top of which we built reputation systems.
A simple way to access it programmatically is the Security Graph client library, designed specifically for security researchers. To quickly get at the data we most commonly need, we built sd, a command-line interface on top of that library.
One of the features this tool provides is a quick overview of a domain name: the traffic recently observed, the most relevant information from Whois databases, whether it has been flagged as suspicious, benign or unknown, and a sample of names sharing the same infrastructure.