Cracking the Wall of Confinement: Understanding and Analyzing Malicious Domain Take-downs

Take-down operations aim to disrupt cybercrime involving malicious domains. In the past decade, many successful take-down operations have been reported, including those against the Conficker worm and, most recently, against VPNFilter. Although it plays an important role in fighting cybercrime, the domain take-down procedure is still surprisingly opaque. There seems to be no in-depth understanding of how the take-down operation works and whether there is due diligence to ensure its security and reliability. In this paper, we report the first systematic study on domain take-down. Our study was made possible by a large collection of data, including various sinkhole feeds and blacklists, passive DNS data spanning six years, and historical WHOIS information. Over these datasets, we built a unique methodology that extensively used various reverse lookups and other data analysis techniques to address the challenges in identifying taken-down domains, sinkhole operators, and take-down durations. Applying the methodology to the data, we discovered over 620K taken-down domains and conducted a longitudinal analysis of the take-down process, thus facilitating a better understanding of the operation and its weaknesses. We found that more than 14% of domains taken down over the past ten months have been released back to the domain market and that some of the released domains have been repurchased by the malicious actor again before being captured and seized, either by the same or different sinkholes. In addition, we showed that the misconfiguration of DNS records corresponding to the sinkholed domains allowed us to hijack a domain that was seized by the FBI. Further, we found that expired sinkholes have caused the transfer of around 30K taken-down domains whose traffic is now under the control of new owners.
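The abstract describes identifying taken-down domains from passive DNS by matching their nameservers against sinkhole feeds, deriving take-down durations, and flagging sinkholes whose own nameserver domains have expired. The following is an added example of that analysis (not the paper's code or data); the passive-DNS records, sinkhole feed, WHOIS expiry dates and the `AS_OF` analysis date are all constructed, and `registrable_domain` assumes two-label registrable names instead of consulting the public suffix list.

```python
from datetime import date

# Constructed passive-DNS NS observations: (domain, nameserver, first_seen, last_seen)
PDNS_NS = [
    ("c2.botnet-x.example", "ns1.attacker-dns.example", date(2017, 3, 1), date(2018, 1, 4)),
    ("c2.botnet-x.example", "ns1.sinkhole-a.example", date(2018, 1, 5), date(2018, 9, 30)),
    ("c2.botnet-x.example", "ns1.sinkhole-a.example", date(2018, 10, 1), date(2018, 10, 20)),
    ("loader.botnet-y.example", "ns2.sinkhole-b.example", date(2018, 4, 2), date(2018, 10, 20)),
    ("shop.benign.example", "ns1.hosting.example", date(2016, 1, 1), date(2018, 10, 20)),
]
# Constructed sinkhole feed: sinkhole nameserver -> operator
SINKHOLE_NS = {"ns1.sinkhole-a.example": "operator-a", "ns2.sinkhole-b.example": "operator-b"}
# Constructed WHOIS expiry dates of the sinkholes' own nameserver domains
WHOIS_EXPIRY = {"sinkhole-a.example": date(2019, 6, 1), "sinkhole-b.example": date(2018, 8, 1)}
AS_OF = date(2018, 10, 20)  # constructed analysis date


def registrable_domain(name):
    """Assumption: two-label registrable domains (a real tool would use the public suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_takedowns(records, sinkhole_ns):
    """Map (domain, operator) -> (nameserver, first, last) for domains whose NS hit a sinkhole.
    Keying by operator keeps seizures by different sinkholes of the same domain separate."""
    takedowns = {}
    for domain, ns, first, last in records:
        op = sinkhole_ns.get(ns.lower())
        if op is None:
            continue  # not a sinkhole nameserver: ordinary or attacker-controlled DNS
        key = (domain, op)
        prev = takedowns.get(key)
        if prev is None:
            takedowns[key] = (ns, first, last)
        else:  # merge repeated observations of the same sinkhole into one window
            takedowns[key] = (ns, min(prev[1], first), max(prev[2], last))
    return takedowns


def takedown_days(takedowns):
    """Take-down duration in days per (domain, operator), from first to last sinkhole observation."""
    return {key: (last - first).days for key, (_ns, first, last) in takedowns.items()}


def dangling_sinkholes(takedowns, whois_expiry, today):
    """Taken-down domains whose sinkhole nameserver domain has expired: their traffic would
    follow whoever re-registers that name (the 'expired sinkhole' weakness). Sorted output."""
    flagged = []
    for (domain, op), (ns, _first, _last) in sorted(takedowns.items()):
        ns_domain = registrable_domain(ns)
        expiry = whois_expiry.get(ns_domain)
        if expiry is not None and expiry < today:
            flagged.append((domain, op, ns_domain, expiry.isoformat()))
    return flagged
```

Running `dangling_sinkholes(find_takedowns(PDNS_NS, SINKHOLE_NS), WHOIS_EXPIRY, AS_OF)` flags the domain sinkholed under the expired `sinkhole-b.example` nameserver while the still-registered sinkhole passes.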
