Exploring the ecosystem of
malicious domain registrations in the
.eu TLD
Lieven Desmet – OWASP BeNeLux Day 2017 – Tilburg, NL
[email protected] – @lieven_desmet
Joint research between KU Leuven and EURid
› EURid:
Dirk Jumpertz
Peter Janssen
Marc Van Wesemael
› DistriNet, KU Leuven:
Thomas Vissers
Jan Spooren
Pieter Agten
Frank Piessens
Wouter Joosen
Lieven Desmet
Overview
› Research Context
› Domain name registrations in .eu
› Longitudinal campaign analysis
› Towards automatic campaign identification
› Towards pro-active detection and prevention
› Conclusion
Research context
Malicious use of domain names
› Domain names are often abused by cyber criminals
Spam, botnet C&C infrastructure, phishing, malware, …
› To avoid blacklisting, malicious actors often deploy a hit-and-run strategy
Fast flux in domain names
Single shot: 60% are only active for 1 day after registration [Hao et al.] [1]
[1] Hao et al. “Understanding the Domain Registration Behavior of Spammers”, IMC 2013
Research hypothesis:
“Malicious actors register domains in bulk, and do so for longer periods of time.”
Research question
› “Can we identify such bulk behavior based on commonalities between individual registrations?”
› Long-term goal of this research:
Understand the malicious domain registration ecosystem in order to detect and prevent malicious registrations.
Domain name registrations in .eu
Domain name registrations in the .eu TLD
› .eu – 7th largest ccTLD (European Economic Area)
~3.8 million domain names
› Dataset used in this research:
824,121 new registrations over 14 months (Apr 2015 – May 2016)
20,870 registrations end up on blacklists (2.5%)
Available registration data
› Basic registration information
domain name, datetime of registration, and registrar
› Contact information of the registrant
company name, name, language, email address, phone, fax, as well as postal address
› Name server information
Name servers and/or glue records
Dataset enrichments
› Maliciousness of a domain name
Spamhaus DBL
SURBL multi list
Google Safe Browsing
› Geolocation information of name servers
MaxMind GeoLite2 Free database
Longitudinal campaign analysis
Concept of a “registration campaign”
› Set of registrations with malicious intent
› Most probably linked to the same actor
› Running over a longer period of time
› Our approximation: manually selected based on common characteristics in the registration details
Example campaign (c_11)
› Fixed email domain
j***n.com
› Multiple fake registrant details
Combinations of 2 email accounts, 3 phone numbers, 2 street addresses
› 4 registrars used back-to-back
• 8 months active (Jun 3, 2015 – Feb 3, 2016)
• 1,275 blacklisted registrations
Activity of identified campaigns
[Figure: registrations per day (scale 100–400) for each identified campaign c_01 to c_20, Apr 2015 – Jun 2016, with the total number of malicious registrations per campaign]
Campaign identification process
Manual campaign identification process
› Start from maliciously flagged registrations
› Identify:
days with high number of malicious registrations
most reused registrations details (email address, phone, street, …)
recognizable patterns in registration details (e.g. …[email protected])
frequent combinations of two independent registration details
› Apply selection criteria over benign and malicious registrations
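The identification steps above (per-day malicious share, most reused details, frequent pairs of independent details, and a selection criterion applied to benign and malicious registrations alike), worked through on a small constructed dataset as an added example; this is not code from the authors or EURid, and all field names and values are made up.

```python
from collections import Counter
from itertools import combinations

# Constructed sample registrations (not EURid data); all values are made up.
# "blacklisted" marks registrations that later appeared on a blacklist.
FIELDS = ("domain", "date", "registrar", "email", "phone", "street", "blacklisted")
ROWS = [
    ("d01.eu", "2015-06-03", "registrar_04", "alice@j-example.com", "+32-11", "Street 1", True),
    ("d02.eu", "2015-06-03", "registrar_04", "bob@j-example.com", "+32-22", "Street 2", True),
    ("d03.eu", "2015-06-03", "registrar_06", "alice@j-example.com", "+32-33", "Street 1", True),
    ("d04.eu", "2015-06-04", "registrar_06", "bob@j-example.com", "+32-11", "Street 2", False),
    ("d05.eu", "2015-06-04", "registrar_11", "carol@mail.example", "+32-44", "Street 9", False),
    ("d06.eu", "2015-06-04", "registrar_11", "dave@mail.example", "+32-55", "Street 8", False),
    ("d07.eu", "2015-06-05", "registrar_13", "alice@j-example.com", "+32-22", "Street 1", True),
]
REGISTRATIONS = [dict(zip(FIELDS, row)) for row in ROWS]


def email_domain(email):
    """Domain part of an email address, lower-cased (the 'fixed email domain' of c_11)."""
    return email.rsplit("@", 1)[-1].lower()


def daily_malicious_share(regs):
    """Step (a): for each day, the fraction of that day's registrations that were blacklisted."""
    total, bad = Counter(), Counter()
    for r in regs:
        total[r["date"]] += 1
        bad[r["date"]] += r["blacklisted"]
    return {day: bad[day] / total[day] for day in total}


def most_reused_details(regs, field, top=3):
    """Step (b): values of one registrant field most reused across blacklisted registrations."""
    return Counter(r[field] for r in regs if r["blacklisted"]).most_common(top)


def frequent_detail_pairs(regs, fields=("email", "phone", "street"), top=3):
    """Step (d): most frequent combinations of two independent registrant details
    among blacklisted registrations, e.g. the same email address with the same street."""
    pairs = Counter()
    for r in regs:
        if r["blacklisted"]:
            for f1, f2 in combinations(fields, 2):
                pairs[((f1, r[f1]), (f2, r[f2]))] += 1
    return pairs.most_common(top)


def apply_selection(regs, criteria):
    """Final step: apply the campaign's selection criteria to all registrations,
    benign and malicious. Matches that were never blacklisted are the campaign's
    'extra' beyond the blacklists (or false positives to review by hand)."""
    selected = [r for r in regs if all(check(r) for check in criteria)]
    bad = sum(r["blacklisted"] for r in selected)
    return {"selected": len(selected), "blacklisted": bad, "not_blacklisted": len(selected) - bad}


if __name__ == "__main__":
    print(daily_malicious_share(REGISTRATIONS))
    print(most_reused_details(REGISTRATIONS, "email"))
    print(frequent_detail_pairs(REGISTRATIONS))
    # Campaign criterion modelled on c_11: a fixed email domain.
    print(apply_selection(REGISTRATIONS, [lambda r: email_domain(r["email"]) == "j-example.com"]))
```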
a) Days with high number of malicious registrations
[Figure: percentage of registrations per day (0–10%), Apr 2015 – Apr 2016; series: malicious registrations, and malicious registrations outside campaigns]
b) Frequent combinations of registration details
[Figure: number of registrations (scale 1000–3000) per combination of email provider and country; countries AT, AX, BE, DE, ES, FR, GB, GR, IE, IT, LU, NL, NO, PL, RO, SE, SI; email providers include AOL.COM, GMAIL.COM, GMX.COM, IDSHIELD.TK, MAIL.RU, MSN.COM, OUTLOOK.COM, YAHOO.COM, YANDEX.COM, YANDEX.RU and several redacted providers; series: malicious registrations inside campaigns vs. not in campaigns]
Campaign selection criteria
[Table: campaign selection criteria per registrant detail; contents not recoverable from the transcript]
Insights in malicious domain registration
Insight 1: Hit-and-run strategies
› Small window of opportunity:
Domain rendered useless once blacklisted
73% are blacklisted within 5 days after registration, 98% within 30 days
Insight 2: Campaigns are primarily linked to spam
Insight 3: Variety in intensity and duration
[Figure: registrations per day (scale 100–400) for each identified campaign c_01 to c_20, Apr 2015 – Jun 2016, with the total number of malicious registrations per campaign; annotated extremes: 306 days – 154 registrations, and 37 days – 1978 registrations]
Insight 4: Some campaigns align with regular business activity patterns (1)
[Figure: daily share of registrations (0.000–0.015), Apr 06 – Apr 27; series: malicious registrations vs. all registrations]
Insight 4: Some campaigns align with regular business activity patterns (2)
[Figure: percentage of malicious registrations (2–8%), Apr 2015 – Apr 2016]
Insight 4: Some campaigns align with regular business activity patterns (3)
Insight 5: Some campaigns are fully automated
[Figure: registration time of day (02:00–22:00, European Summer Time) of each registration in campaign c_19, Dec 2015 – Jun 2016]
Insight 6: Top facilitators for malicious registrations
~ 17% of all registrations
Insight 7: Campaigns vs blacklists
› Manual analysis of non-blacklisted domains
› Result: < 1% false positives
› About 20% extra on top of existing blacklists
[Venn diagram: BLACKLISTED vs. CAMPAIGNS; figures as extracted: 16,704 4,0763,994]
Insight 8: Adaptive campaign strategies
[Figure: number of registrations (0–80) per registrar over time, Jul 2015 – Jan 2016, for campaign c_11; series: registrar_04, registrar_06, registrar_11, registrar_13]
Insight 8: Adaptive campaign strategies (2)
Towards automatic campaign identification
Campaign validation: clustering algorithm
› Machine learning technique to group registrations based on similarities between registration details
Agglomerative clustering of blacklisted registrations
Iteratively merge the two closest clusters
› The 30 largest (of 432) clusters represent 92% of campaign registrations
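Agglomerative clustering of blacklisted registrations as an added example (not the authors' or EURid's code): the similarity measure here is simply the fraction of registration details two registrations share, an assumption since the deck does not specify its measure; the registration data is constructed and all values are made up.

```python
from itertools import combinations

# Constructed blacklisted registrations (not EURid data); values are made up.
# Each registration is described by the details used to link registrations.
DETAIL_FIELDS = ("registrar", "email_domain", "phone", "street", "nameserver")
BLACKLISTED = {
    "d01.eu": dict(zip(DETAIL_FIELDS, ("registrar_04", "j-example.com", "+32-11", "Street 1", "ns1.example"))),
    "d02.eu": dict(zip(DETAIL_FIELDS, ("registrar_04", "j-example.com", "+32-22", "Street 1", "ns1.example"))),
    "d03.eu": dict(zip(DETAIL_FIELDS, ("registrar_06", "j-example.com", "+32-33", "Street 1", "ns1.example"))),
    "d04.eu": dict(zip(DETAIL_FIELDS, ("registrar_11", "mail.example", "+32-44", "Street 9", "ns2.example"))),
    "d05.eu": dict(zip(DETAIL_FIELDS, ("registrar_11", "mail.example", "+32-55", "Street 9", "ns2.example"))),
    "d06.eu": dict(zip(DETAIL_FIELDS, ("registrar_13", "other.example", "+32-66", "Street 5", "ns3.example"))),
}


def similarity(a, b, fields=DETAIL_FIELDS):
    """Fraction of registration details two registrations share (0.0 to 1.0).
    Assumed stand-in for the deck's similarity measure, which it does not specify."""
    return sum(a[f] == b[f] for f in fields) / len(fields)


def cluster_similarity(c1, c2, regs):
    """Average linkage: mean similarity over all member pairs of two clusters."""
    pairs = [(x, y) for x in c1 for y in c2]
    return sum(similarity(regs[x], regs[y]) for x, y in pairs) / len(pairs)


def agglomerative_clustering(regs, threshold=0.5):
    """Start with one cluster per registration and iteratively merge the two closest
    clusters; stop once the closest remaining pair is less than `threshold` similar."""
    clusters = [[d] for d in sorted(regs)]
    while len(clusters) > 1:
        best, best_pair = -1.0, None
        for i, j in combinations(range(len(clusters)), 2):
            s = cluster_similarity(clusters[i], clusters[j], regs)
            if s > best:
                best, best_pair = s, (i, j)
        if best < threshold:
            break
        i, j = best_pair          # j > i, so deleting j keeps index i valid
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return sorted(clusters, key=len, reverse=True)


def coverage_of_largest(clusters, k):
    """Share of clustered registrations that fall in the k largest clusters
    (the deck reports 92% for the 30 largest of 432 clusters)."""
    total = sum(len(c) for c in clusters)
    return sum(len(c) for c in clusters[:k]) / total


if __name__ == "__main__":
    result = agglomerative_clustering(BLACKLISTED)
    for c in result:
        print(len(c), c)
    print("share in the 2 largest clusters:", coverage_of_largest(result, 2))
```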
Cluster - campaign mapping
Finding 1: Some campaigns are linked to each other
[Figure: registrations per day (scale 100–400) for each identified campaign c_01 to c_20, Apr 2015 – Jun 2016, with the total number of malicious registrations per campaign]
Finding 2: Some registrations were missed during campaign analysis
Finding 3: Advanced campaigns are not part of large clusters
Finding 3: Advanced campaigns are not part of large clusters
Example of an advanced campaign (c_15)
› Campaign c_15 is much more advanced
514 domain registrations during 258 days
98 registrants generated by the Laravel Faker tool
Domain names consist of 2–3 Dutch words
Dutch words are reused across registrants
Batches of 8, 16, 24 or 32 registrations
› Hard to automatically detect this type of pattern
Towards pro-active detection and prevention
“Given the commonalities between registrations in long-running campaigns, can newly registered domains with malicious intent be detected or prevented?”
Pro-active detection and prevention
› Based on previously registered domain names, prediction models are trained:
Similarity-based agglomerative clustering
Reputation-based classification
› Early results:
About 60% of the malicious domain name registrations can be proactively detected and/or prevented at registration time
› Currently being deployed as part of EURid’s Trust & Security program
Conclusion
Campaign analysis on 14 months of registration data
› Hit-and-run strategies
› Some long-running campaigns
› Variety in intensity, duration and complexity/adaptiveness
› Alignment with business activity
› Top 3 facilitators have huge footprint
› Campaign analysis can strengthen existing blacklists
Towards …
› Automatic campaign identification
Validation of manual analysis process
Nice interplay between manual and automatic analysis
› Pro-active detection and prevention
Early results look promising
More to come within next 6 months!
Interested in more?
› Thomas Vissers, Jan Spooren, Pieter Agten, Dirk Jumpertz, Peter Janssen, Marc Van Wesemael, Frank Piessens, Wouter Joosen, Lieven Desmet, “Exploring the ecosystem of malicious domain registrations in the .eu TLD”, Research in Attacks, Intrusions, and Defenses (RAID 2017), Atlanta, USA, September 18-20, 2017
Final version: https://doi.org/10.1007/978-3-319-66332-6_21