back to article DNS flaw reanimates slain evil sites as ghost domains

Cyber-crooks may be able to keep malicious domains operating for longer - even after they are revoked - by manipulating the web's Domain Name System (DNS). A weakness in the cache update logic of many widely used DNS servers creates the potential to establish so-called ghost domains, according to a recent joint study by a team …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

The Pirate Bay: coming to a ghost domain near you - lulz

Pandora's box (haven't a clue where, or even if required at all, the apostrophe goes)

No full stop to generate apoplexy amongst some of the commentards

2
0
Joke

Haixin

Haixin? Really?

1
1
Thumb Up

Not ALL bad, actually

"Koziol reckons the ghost domain tactic will make life far easier for cyber-crooks while making it far harder to scrub the traces of malicious domains from the net.

"If you have a domain that is doing really bad stuff, serving up fake AV malware, phishing, etc, it can be deleted at the TLD level to get it off the internet," Koziol explained. "Malware authors that used the domain basically could do nothing about it, they would just move to a new domain (which could be very disruptive to serving malware or phishing pages, etc)."

Seems like this would screw up crappy legislation like SOPA and PIPA too, giving site owners time to point people toward alternate DNS servers or to advertise their IP address on their front page.

2
0

The fix seems easy; never increase the TTL of a cached record...

0
1
Unhappy

Not entirely true...

"By only restricting recursive queries to authorised clients with an ACL [Access Control List] (that is, not running an open recursive name server), you'd prevent malicious folks on the internet from refreshing their delegation."

With all the zombies out there malicious people could keep DNS alive on networks with infected computers nearly indefinitely...

Yet more reasons not to use nameservers that are shared with other people you don't know or trust

1
0
Holmes

I don't see how this affects botnets.

It doesn't affect botnets if the server is still up with the same IP, as the bots could just be reprogrammed to use a hardcoded IP.

0
2
FAIL

Re: I don't see how this affects botnets.

This is not how botnets generally work.

Although some may use hardcoded IPs, the majority now keeps kind of regular expression of domain names (like bot*.net) and will more or less randomly try to resolve the names until they find one that works (like botnet1.net, botnet2.net, or botbot.net, etc.).

If the malware can resolve the name longer after it has been de-registered, we clearly have a problem.

Cheers

0
0
Anonymous Coward

DNS

I have been dealing with this crap for months and I am sick of the manipulations to Bind 9 etc. it is causing too much spam and garbage to come in. Unfortunately for me I do not control the DNS servers at work and I cannot convince the ones that do to patch BIND 9 either.

0
0
Anonymous Coward

DJB dnscache vulnerable !!!!!

Looking at the paper (https://www.isc.org/files/imce/ghostdomain_camera.pdf) I see DJB dnscache is vulnerable. Well, HAHAHAHAHA!!11!! !

MaraDNS is not vulnerable.

1
0

why delete the record...

Why not just keep the entries active, and ensure the records point to a honeypot farm.

This means:

1. There's no fight to delete them/keep them cached

2. The honeypots can pick-up additional information as to what they're being used for, and how active they are.

4
0
Anonymous Coward

For the time being, do not de-register the domain names entirely, just set no IP for the domain in DNS, until their registration runs out.

1
0
Anonymous Coward

Liking the look of 9:38 and 10:48

To the untrained eye they look good. Do those in the know think they might help, in which case why the fuss in the article?

0
0

Domains may be de-registered for other reasons.

And you don't want EVERY deleted-domain access attempt notified to the FBI, SOCA, RIAA, etc.

Some of the malware sites are legitimate sites that have been hacked and compromised. I glance at some of the addresses in recent "Please to upstate your password on bankning web site" e-mails and they look like a legitimate site for a different purpose. Well, initially, they look like the actual address of the bankning web site, you know how it goes. So I presume that somebody innocent has been hacked at that end, not that I care either way.

0
0
Silver badge

Re: Domains may be de-registered for other reasons.

You don't need to do it for all deleted domains, only ones that are taken over as a result of a court ordered take down for malware - everything else follows as usual. Personally I sort of like the idea of taking over the malware domain for a year or three and redirecting them to a legitimate anti-malware site.

0
0
Bronze badge

Unbound?

Anyone know if unbound is affected?

0
0
Anonymous Coward

Re: Unbound?

Unbound 1.4.7: yes, affected. 1.4.11: no.

0
0
This topic is closed for new posts.

Forums