Name Servers and DNS Infrastructure

Thursday, July 15, 2010

Nathaniel Markowitz

63b96d79afc327c98a13c614670feca0

This is the third part in series of articles derived from the a graduate research project entitled "A Preliminary Survey of the Bulletproof Hosting Landscape" (Part 1) (Part 2)

Authors: Nathaniel Markowitz, Jonathan Brown, Amanda Cummins, Erin Greathouse, Christopher Kanezo, David McIntire, Thomas Saly, Toby Taylor, Louis Ulrich, Desiree Williams

While they are less visible than malicious domains, NSs play a critical role in the perpetuation of cyber-crime. Though there is a great deal of scrutiny of scam domains, NSs receives a lot less attention.

They are an important pieces of infrastructure that allow criminal syndicates to minimize down-time and avoid interruption of their operations. Some clear patterns present themselves.

A total of twenty blacklisted NS domains were sampled from a list of 2505. Several distinct naming conventions were identified from these. Three naming conventions in particular stood out.

The first is here referred to as the 0xy convention. This pattern consists of a zero followed by two randomly generated characters (numbers or letters). Examples include 0ow.ru, 0u7.ru and 0ge.ru.

To date, all of 0xy NSs are in the .ru top-level domain (TLD). All of the NS domains conforming to this convention were registered by the same Russian company and hosted by the same Chinese ISP.

The second naming convention, referred to as the xy-#-ns pattern, was similar to the 0xy pattern. It combines two randomly generated letters, a number and the letters “ns,” which presumably stands for name server.

Examples include aa1ns.ru, mh5ns.com and jm7ns.com. This pattern also shows up in the .ru and .com TLDs. The NS domains in the sample were registered by the same Russian company.

A third convention is here called the double-random pattern. In this case, two randomly generated words were combined to create a domain name. Examples include rosysexy.com and chieftable.com.

These NSs have been found in both the .com and .ru TLDs. Two registrars—one Russian, the other Chinese—were responsible for all of the sample domains in this category.

In fact, many posts in security forums and blogs accused the Chinese registrar of being heavily involved in a wide range of illicit activities, including spam, online pharmacy scams, fake product scams, botnet operation and phishing.

It was also tied to the Waledec botnet that was dismantled in 2009. All were hosted by the same Chinese ISP.

While the specific naming conventions—which can easily change—are not particularly significant, the consistent use of these patterns is. In some cases, these NSs can be affiliated with dozens if not hundreds of criminal domains.

Thus, identifying a single malicious NS can help identify exponentially more illicit domains. They can also help identify potentially abused or malicious registrars and ISPs.

Moreover, this NS naming structure provides an important insight into how criminal operations attempt to avoid down-time and service interruption. Due to the dubious nature of their activities, such organizations create a redundant infrastructure in order to support their activities.

A handful of illicit NSs can keep hundreds of scam domains operational—both those that are newly registered as well as those that move from one IP to another.

For more information: bphresearchgroup@gmail.com

Acknowledgements

We would like to thank the University of Pittsburgh, Graduate School of Public and International Affairs for providing the resources to make this research project possible. We would also like to thank Palantir Technologies for allowing us to use their software in our analysis. Finally, a very special thanks goes to Matt Ziemniak and Jim Beiber for their patience, help and guidance and for creating a research environment that was both enriching and enjoyable.

Possibly Related Articles:
13325
Webappsec->General
Web Application Security Security Management
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.