Hackers manipulate domain names to spread malware

More tools becoming available to follow attackers’ trails, set up defenses

When Seattleite Jay Westerdal bootstrapped a company called DomainTools in 2002, it was to support his activities in the domain name speculation game that was red hot at the time.

DomainTools set out to gather domain “whois” records in order to serve those immersed in speculating on owning domain names, like chocolate.com. Unbeknown to the founders at the time, the company did a couple of things that would position DomainTools to reinvent itself down the road as a security vendor, once the domain name market ran its course.

First, the company kept historical records of everything. And, second, DomainTools started gathering, not just “whois” records, but also web server and email server records, all of which would prove to be valuable for tracking the activities of cyber criminals.

ThirdCertainty recently visited with Tim Helming, DomainTools’ director of product management, to outline how the company today sheds light on the cyber underground. Text edited for clarity and length.

3C: How do domain names come into play with malicious internet activities?

Tim Helming, DomainTools’ director of product management

Helming: Everything that happens on the internet happens with IP addresses and domain names. You’ve probably received phishing emails once or twice, right? We all have. So a phishing email has domains in a couple of places. Usually there’s a link that they want you to click on, and that link has some domain in it. Sometimes it’ll be an intentional typo that looks like a legitimate site. They want you to click on it. So that domain name actually is a key to a lot of valuable information about the attacker.

From that one domain, you can often expand and see other domains that they own. And that could tell you things like, ‘Oh these other domains are all targeting businesses in my industry. So this attacker’s interested in my industry.’ Or maybe they’ve got a bunch of different typos of my company name. So they’re going to be sending phishes all over the place. I can block that if I know that.

3C: So if I’m a malware hunter in a Security Operations Center, you can help me do forensics?

Helming: Fundamentally. We enable you to learn more about the attacker and their motivations by seeing their holdings, and also understand more about what their entire web of holdings are, so you can defend against that.

3C: So if one of my servers is owned and beaconing out to a command-and-control server, I can see that?

Helming: Botnets have to get commands from somewhere, and so, typically, they are beaconing out to domains. A lot of times, botnet domains don’t look like anything that makes sense to a human. They look like a random collection of letters and numbers. But they’re not intended for a human to use. The botnet uses that domain name in order to know what IP address to hit in order to get its instructions. That’s how they use the domain names, but a human can take the domain name, plug it into a tool like our Iris tool, and find out all the other ones that are connected to it. And you can use that to defend against them.

3C: You’re out there, watching and cross-referencing domains?

Helming: If you’re in law enforcement, you might use the kind of data that we have to find out who an attacker really is so that you can take action against them. Or if you’re sitting in the SOC, you’re using it to better understand the attacker and what all of their holdings are.

3C: Some of this type of forensics was done with the huge breach of health insurance company Anthem. What do we now know about Anthem?

Helming: This was a really interesting misuse of a domain name. Anthem’s name used to be WellPoint, and somebody registered a look-alike domain that was like WellPoint, except the L’s were 1’s, and it was designed to lure WellPoint employees to go to what looked like a company website. It got them to enter their log-in credentials. The attackers grabbed all of those log ins, because the attackers were the ones that controlled that domain. Now they were inside, and they were able to pull out 80 million records.

3C: Even using the best tools, are the analysts in SOCs playing an endless cat-and-mouse game?

Helming: We allow the SOC analysts, or threat hunters, to actively go out to find various kinds of threats. We call it enrichment. So if you have a domain or IP address that looks like it’s scary, we can help you get more context about it and understand it better. Fundamentally, it’s about better understanding the attacks, and assessing the risks, so that they can figure out how to align their defenses against them.

3C: SOC services aren’t just for large enterprises anymore; Managed Security Services Providers can do similar forensics for small and midsize businesses, right?

Helming: You don’t have to have a big room that looks like NORAD to be doing SOC-like functions, and just about every company has people that are doing that, even if they don’t have an actual Security Operations Center.

3C: Clearly the advantage still goes to the bad guys, but it’s encouraging that some pretty cool tools, that are getting more powerful all the time, are available to the good guys.

Helming: It’s so hard to predict where the internet is going, and where security is going, in some ways. But we know that IP addresses, whether it’s IPV4 or IPV6, and some form of domain names are going to be part of how the internet operates. It may look a little bit different, but being able to tie together connected infrastructure is still going to be important. We don’t know what techniques the bad guys will use. That may change. Ultimately, they’re after money and intellectual property. But you can’t operate without operating on the internet. And if you’re doing that, it’s very, very hard not to leave some kind of a breadcrumb trail behind, and we like to latch onto that.
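
The look-alike pattern described above for the WellPoint case (L's swapped for 1's), along with the "typos of my company name" case, can be screened for in domains seen in mail or proxy logs. The following is an added example, not part of the original interview and not DomainTools' code; the brand, owned-domain list, substitution table and sample domains are constructed assumptions.

```python
# Added example: triage observed domains for look-alikes of a protected name.
# BRAND, OWNED and the sample domains are constructed for illustration.
BRAND = "wellpoint"
OWNED = {"wellpoint.example"}          # domains the defender really controls
# Assumed, non-exhaustive substitutions seen in look-alike names.
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}

def skeleton(label):
    """Lower-case a DNS label, drop hyphens, fold confusable characters."""
    s = label.lower().replace("-", "")
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand=BRAND, owned=OWNED):
    """Return why a domain resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if any(domain == o or domain.endswith("." + o) for o in owned):
        return None                        # our own infrastructure
    target = skeleton(brand)
    for label in domain.split(".")[:-1]:   # every label except the TLD
        folded = skeleton(label)
        if folded == target:               # identical once substitutions are undone
            return "homoglyph" if label != brand else "same-name"
        if edit_distance(folded, target) == 1:
            return "typo"                  # one character added, dropped or changed
        if target in folded:
            return "embedded"              # brand wrapped in extra words
    return None

def triage(domains):
    """Map each suspicious domain to its verdict; clean domains are omitted."""
    return {d: v for d in domains if (v := classify(d))}

SAMPLE = ["we11point.example", "portal.wellpoint.example", "welpoint.example",
          "wellpoint-benefits.example", "weather.example", "wellpoint.test"]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{verdict:10} {name}")
```

Verdicts are leads for blocking or further enrichment, not proof of malice; the substitution table and distance threshold need tuning per brand to keep false positives manageable.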
