DNS flaw reanimates slain evil sites as ghost domains Cyber-crooks may be able to keep malicious domains operating for longer - even after they are revoked - by manipulating the web's Domain Name System (DNS). A weakness in the cache update logic of many widely used DNS servers creates the potential to establish so-called ghost domains, according to a recent joint study by a team …
"Koziol reckons the ghost domain tactic will make life far easier for cyber-crooks while making it far harder to scrub the traces of malicious domains from the net.
"If you have a domain that is doing really bad stuff, serving up fake AV malware, phishing, etc, it can be deleted at the TLD level to get it off the internet," Koziol explained. "Malware authors that used the domain basically could do nothing about it, they would just move to a new domain (which could be very disruptive to serving malware or phishing pages, etc)."
Seems like this would screw up crappy legislation like SOPA and PIPA too, giving site owners time to point people toward alternate DNS servers or to advertise their IP address on their front page.
This is not how botnets generally work.
Although some may use hardcoded IPs, the majority now keeps kind of regular expression of domain names (like bot*.net) and will more or less randomly try to resolve the names until they find one that works (like botnet1.net, botnet2.net, or botbot.net, etc.).
If the malware can resolve the name longer after it has been de-registered, we clearly have a problem.
Cheers
"By only restricting recursive queries to authorised clients with an ACL [Access Control List] (that is, not running an open recursive name server), you'd prevent malicious folks on the internet from refreshing their delegation."
With all the zombies out there malicious people could keep DNS alive on networks with infected computers nearly indefinitely...
Yet more reasons not to use nameservers that are shared with other people you don't know or trust
And you don't want EVERY deleted-domain access attempt notified to the FBI, SOCA, RIAA, etc.
Some of the malware sites are legitimate sites that have been hacked and compromised. I glance at some of the addresses in recent "Please to upstate your password on bankning web site" e-mails and they look like a legitimate site for a different purpose. Well, initially, they look like the actual address of the bankning web site, you know how it goes. So I presume that somebody innocent has been hacked at that end, not that I care either way.
You don't need to do it for all deleted domains, only ones that are taken over as a result of a court ordered take down for malware - everything else follows as usual. Personally I sort of like the idea of taking over the malware domain for a year or three and redirecting them to a legitimate anti-malware site.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
