Abused Internet Domain Registration Analysis for Calculating Risk and Mitigating Malicious Activity

Similar documents
ACCEPTABLE USE AND TAKEDOWN POLICY

FAQ (Frequently Asked Questions)

CYBERSECURITY INESTIGATION AND ANALYSIS

Acceptable Use (Anti-Abuse) Policy

.IBM TLD Registration Policy

Acceptable Use Policy and Terms of Service

Emerging Security Technological Threats

Measures to Protect (University) Domain Registrations and DNS Against Attacks. Dave Piscitello, ICANN

PROTECTING YOUR MAILBOXES. Features SECURITY OF INFORMATION TECHNOLOGIES

Who s Doing the Hacking?

Acceptable Use Policy

Detecting peer-to-peer botnets

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

.tirol Anti-Abuse Policy

Law Enforcement Recommendations Regarding Amendments to the Registrar Accreditation Agreement

Acceptable Use Policy. This Acceptable Use Policy sets out the prohibited actions by a Registrant or User of every registered.bayern Domain Name.

.BIO DOMAIN NAME POLICY v2.0 - Last Update: May 30, Starting Dot Ltd..BIO DOMAIN NAME POLICY - V1.0 - AS OF 30 MAY

CMPT 471 Networking II

What security and compliance challenges exist with the move to Microsoft Office 365?

Managing Web Security in an Increasingly Challenging Threat Landscape

2010 Data Breach Investigations Report

Code of Conduct Exemption Request Form

BYPASSING THE ios GATEKEEPER

Introduction: 1. Daily 360 Website Scanning for Malware

Fast Flux Hosting and DNS ICANN SSAC

Fostering Incident Response and Digital Forensics Research

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Enterprise Apps: Bypassing the Gatekeeper

PLAN FOR ENHANCING INTERNET SECURITY, STABILITY, AND RESILIENCY

Inspection of Encrypted HTTPS Traffic

Domain Name Abuse Detection. Liming Wang

Application Security in the Software Development Lifecycle

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Best Practices in Account Takeover

Technology Blueprint. Protect Your . Get strong security despite increasing volumes, threats, and green requirements

Recurrent Patterns Detection Technology. White Paper

Mobile Devices and Malicious Code Attack Prevention

The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.

Defending Against. Phishing Attacks

CentralNic Privacy Policy Last Updated: July 31, 2012 Page 1 of 12. CentralNic. Version 1.0. July 31,

.SKI DOMAIN NAME POLICY. May 21, Starting Dot Ltd. .SKI DOMAIN NAME POLICY

INSTANT MESSAGING SECURITY

IDS or IPS? Pocket E-Guide

.Brand TLD Designation Application

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Five Trends to Track in E-Commerce Fraud

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

COMBATING SPAM. Best Practices OVERVIEW. White Paper. March 2007

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

Fighting Advanced Threats

Virgin Media Business Acceptable Use Policy (Internet)

2010 Carnegie Mellon University. Malware and Malicious Traffic

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

The Benefits of SSL Content Inspection ABSTRACT

CYBERCRIME AND THE HEALTHCARE INDUSTRY

Bad Ads Trend Alert: Shining a Light on Tech Support Advertising Scams. May TrustInAds.org. Keeping people safe from bad online ads

WE KNOW IT BEFORE YOU DO: PREDICTING MALICIOUS DOMAINS Wei Xu, Kyle Sanders & Yanxin Zhang Palo Alto Networks, Inc., USA

UNCLASSIFIED Version 1.0 May 2012

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Before The United States House of Representatives Committee On The Judiciary. Subcommittee on Intellectual Property, Competition and the Internet

The FBI and the Internet

NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314

The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Transcription:

2012 Abused Internet Domain Registration Analysis for Calculating Risk and Mitigating Malicious Activity KnujOn.com LLC Brief Version 2/18/2012

Promising Research KnujOn.com LLC is proud to release this briefing of our Abused Internet Domain Registration Analysis for Calculating Risk and Mitigating Malicious Activity. KnujOn reviewed nearly one million WHOIS records from domain names advertised with spam in 2011 and found that 22.8% of the rogue registrations could be blocked with fundamental validation. Another 67.5% could be filtered or held for additional screening with a robust analysis developed in response to our findings. This study focused exclusively on the Administrator Email Address in each WHOIS record. We are confident that this promising method could prevent slightly more than 90% of truly abusive registrations, potentially curtailing the 14 million distinct spam instances which supplied the test data. In the real world those instances are duplicated and repeated for Internet users globally creating the unwanted traffic and related criminality which plague us daily. In our research we separated the domains which were spoofed or hijacked to focus purely on ones which were created specifically as illicit shopping sites or for malware distribution. Abusive Registrations Are Preventable The problem for domain name Registrars has always been inability to predict user intent and the belief that any screening would increase domain cost and slow the registration process. We now know this is not the case and that statistical analysis with a vast repository of intelligence can be used to mitigate abusive registrations. To be clear, this is not a blacklist. Rather, this is a two-part process which uses existing policy-based rules to handle the smaller percentage of obvious violations and a comprehensive analytics engine to assign risk factors to the larger portion of potential abuses. While the ICANN Registrar Accreditation Agreement 1 requires accurate information 2 and validation 3, in practice this has been a challenge. Fortunately, it appears this can be done with relative ease. Registrars expend significant resources now dealing with spam and abuse after the fact when it is often too late. 1 http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm 2 http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#3.3.1.7 3 http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#3.7.8 1 KnujOn Abused Domain WHOIS Analysis for Registration Filtering V1.4- BRIEF

Addressing a Serious Issue The annual cost of spam to companies and individuals is in the tens of billions of dollars 4 as well as wasting the precious time of employees 5. Malware (viruses, Trojans, etc.) presents an everevolving threat to industry as well as personal Internet use 6 as it expands into mobile devices. The world of spam and Internet abuse is a complex place involving a variety of players and resources 7. However, the use of domain names by illicit parties is a critical and final piece of the cycle. The outer edges of Internet abuse (spam email, malware distribution, server compromises, etc.) are fleeting and constantly changing in source. But even illicit businesses require a certain amount of stability. Domain names as transaction platforms provide a critical resource to people selling rogue pharmaceuticals, counterfeit products, or illicit services. Without access to domain names the underground Internet would be much harder to operate. Moving from the Elementary to the Complex As shown above, 23% of abusive domains could be blocked for basic policy reasons. These abusive registrations, not hijacked or spoofed spam domains, contained obvious errors which would have invalidated the domain WHOIS record. The set includes even typographical errors which make the administrator email address unreachable. These represent attempts to obfuscate or make the domain operators unaccountable. A further 67% of abusive domains can be filtered by analytics. Within this range there are a number of subtle and discrete factors which allowed us to identify risky domain registrations. Assigning Risk The Internet Corporation of Assigned Names and Numbers (ICANN) and their contracted parties (Registries and Registrars) are sustained on the high volume trade in domain names. Consumers of domain names expect speed, convenience and value in their purchases. The competition to provide easy and rapid domain deployment among Registrars has also created opportunities to exploit the system. It is not generally in the interest of the Registrar or ICANN to deny a registration as it is impossible to discern user intent, but it is possible to assign risk based accumulated data. Validated 15 Factors Based on Knowledge Repository By compiling everything learned from the 2011 abuse data KnujOn was able to create a test engine which caught potentially abusive registrations. The series of comprehensive tests completed in microseconds and would be transparent to the registrant. The Abuse Range Sweet Spot There is a major difference between compromised domains and domains specifically registered for illicit traffic. To the victim of spam or malware all abused domains appear to be the same. Within this study KnujOn was able to predict, through our analysis, which domains were created for spamming and which were hijacked in one way or another. This has allowed us to disregard the noise and focus on core illicit activity. 4 http://www.meierhenrylaw.com/web/?p=2510 5 http://ridiculouslyefficient.com/2011/11/30/email-spam-costs/ 6 http://www.slideshare.net/gfisoftware/viprebusinesssocialmediamalware-en-gen 7 http://edition.cnn.com/2011/business/06/06/cybercrime.cost/index.html 2 KnujOn Abused Domain WHOIS Analysis for Registration Filtering V1.4- BRIEF

Examples of Missing Policy Enforcement Some domains should never have existed. One of the registrations caught with an impossible email address was an illicit online pharmacy: md-pill.com. In further examining the WHOIS record we found the address and phone number for this purported pharmacy is actually contact information for newspaper Los Angeles Times. As can be seen below this is a No Prescription pharmacy which is illegal in most countries. The WHOIS record is outlined in red and the official contact information for the Los Angeles Times is outlined in black. The purpose is to illustrate how simple red flags in one entry can lead to the discovery of an entire false record. Such a registration should have been held for secondary screening. Many abusive registrations also have incomplete administrator email addresses as in the example below: Allowing this type of registration to pass will only cost the Registrar later in terms of dealing with complaints and other issues. Invalid Privacy Services Draw Illicit Domain Registrants In this study we also reviewed which WHOIS privacy protection services were most heavily used by abusive registrants and why. Some services are technically in violation of the ICANN contract and therefore offer additional concealment for illicit Internet commerce. 3 KnujOn Abused Domain WHOIS Analysis for Registration Filtering V1.4- BRIEF

Illicit Domain Registrations vs. Abusive Administrator Email Domains Our research results show that abusive registrants frequently have their home base at one Registrar and purchase domains to be exploited at a second Registrar. We have exposed the attack vectors of various malicious actors. The data also indicates why some Registrars have more abusive registrations. What Else We Found The results of this study were intriguing, revealing the complex relationships between abusive registrants and spammed domains. As in previous KnujOn studies on spam, we find the activity is clustered. In our study there were 956,702 unique abused domain names with 237,557 unique administrator email addresses in their registrations. These email addresses were at 71,484 unique administrator email address domains, but more than 55% of the abuse originated from just 50 administrator email domains. Within 500 of the worst administrator email domains we see 73% of the abuse. This percentage of abuse only rises to 77% at the 1000 worst administrator email domain mark. So, as we approach the larger population of abusive registrations the volume of abuse drops considerably. If we change the data view to specific unique abusive administrator email addresses we can isolate about 50% of the abusive registration activity to just 1144 specific domain administrators. Over seven million abuse instances examined in the study, one half of the total, can be attributed to these specific administrators. Full Version of Research KnujOn s 30-page report on Abused Internet Domain Registration Analysis for Calculating Risk and Mitigating Malicious Activity contains detailed analysis, case studies, and fascinating findings. This is a proprietary work being used to develop a solution and is not part of a general public release. When complete, a fully developed a subscription-based API will be made available. If you are interested in this work please contact us: contact@knujon.com. About Knujon KnujOn is a unique Internet security and policy analysis project which works with ordinary Internet users, small businesses, governments, nonprofit organizations, and the global community of Internet policy developers to combat abuse, illicit activity, and in general enhance the overall Internet user experience. KnujOn has developed custom mathematical modeling techniques which expose not only where abuses are originating but why and what can be done. KnujOn has moved beyond blacklists to develop a multidimensional abuse response paradigm. Our process is concerned with dire policy failures and loopholes in the Internet architecture which have been exploited by malicious parties for their own benefit at the expense of consumers at large. Any questions or concerns can be directed to contact@knujon.com. More information at http://www.knujon.com. 4 KnujOn Abused Domain WHOIS Analysis for Registration Filtering V1.4- BRIEF

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information