Domain-Z: 28 Registrations Later: Measuring the Exploitation of Residual Trust in Domains

Chaz Lever, Robert Walls, Yacin Nadji, David Dagon, Patrick McDaniel, Manos Antonakakis

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

28 Scopus citations

Abstract

Any individual that re-registers an expired domain implicitly inherits the residual trust associated with the domain's prior use. We find that adversaries can, and do, use malicious re-registration to exploit domain ownership changes - undermining the security of both users and systems. In fact, we find that many seemingly disparate security problems share a root cause in residual domain trust abuse. With this study we shed light on the seemingly unnoticed problem of residual domain trust by measuring the scope and growth of this abuse over the past six years. During this time, we identified 27,758 domains from public blacklists and 238,279 domains resolved by malware that expired and then were maliciously re-registered. To help address this problem, we propose a technical remedy and discuss several policy remedies. For the former, we develop Alembic, a lightweight algorithm that uses only passive observations from the Domain Name System (DNS) to flag potential domain ownership changes. We identify several instances of residual trust abuse using this algorithm, including an expired APT domain that could be used to revive existing infections.

Original language: English (US)
Title of host publication: Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 691-706
Number of pages: 16
ISBN (Electronic): 9781509008247
DOI: 10.1109/SP.2016.47
State: Published - Aug 16 2016
Event: 2016 IEEE Symposium on Security and Privacy, SP 2016 - San Jose, United States
Duration: May 23 2016 - May 25 2016

Publication series

Name: Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016

Other

Other: 2016 IEEE Symposium on Security and Privacy, SP 2016
Country: United States
City: San Jose
Period: 5/23/16 - 5/25/16


All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
  • Software

Cite this

Lever, C., Walls, R., Nadji, Y., Dagon, D., McDaniel, P., & Antonakakis, M. (2016). Domain-Z: 28 Registrations Later: Measuring the Exploitation of Residual Trust in Domains. In Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016 (pp. 691-706). [7546530] (Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SP.2016.47