Abstract
This study extensively scrutinizes 14 months of registration data to identify large-scale malicious campaigns present in the .eu TLD. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large amounts of domains for one-shot, malicious use. Although these malicious domains are short-lived, by incorporating registrant information, we establish that at least 80.04% of them can be framed in to 20 larger campaigns with varying duration and intensity. We further report on insights in the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated. Finally, we apply a post-factum clustering process to validate the campaign identification process and to automate the ecosystem analysis of malicious registrations in a TLD zone.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We use the term malicious domain name whenever we refer to a domain name that is registered to be bound to a malicious service or activity.
- 2.
- 3.
Note that some campaigns might be running even longer than 372 days, as they might have been active before the starting date of our dataset (campaigns c_01 - c_05) or they may still be active past the time span that is covered in our dataset.
- 4.
For instances without campaign labels, the registrant’s phone numbers are set as their label.
References
Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: Proceedings of the 19th USENIX Conference on Security, p. 18 (2010)
Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou II., N., Dagon, D.: Detecting malware domains at the upper DNS hierarchy. In: Proceedings of the 20th USENIX Conference on Security, p. 27
Bilge, L., Sen, S., Balzarotti, D., Kirda, E., Kruegel, C.: Exposure: a passive DNS analysis service to detect and report malicious domains. ACM Trans. Inf. Syst. Secur. (TISSEC) 16(4), 14 (2014)
Cova, M., Leita, C., Thonnard, O., Keromytis, A.D., Dacier, M.: An analysis of rogue AV campaigns. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 442–463. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15512-3_23
Felegyhazi, M., Kreibich, C., Paxson, V.: On the potential of proactive domain blacklisting. In: Proceedings of the 3rd USENIX Conference on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, p. 6 (2010)
FortiGuard Center: Antispam - IP & Signature Lookup (2017). https://www.fortiguard.com/more/antispam
Google: Google Safe Browsing (2016). https://developers.google.com/safe-browsing/
Google: Unwanted Software Policy (2016). https://www.google.com/about/company/unwanted-software-policy.html
Hao, S., Feamster, N., Pandrangi, R.: Monitoring the initial DNS behavior of malicious domains. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, pp. 269–278. ACM (2011)
Hao, S., Kantchelian, A., Miller, B., Paxson, V., Feamster, N.: Predator: Proactive recognition and elimination of domain abuse at time-of-registration
Hao, S., Thomas, M., Paxson, V., Feamster, N., Kreibich, C., Grier, C., Hollenbeck, S.: Understanding the domain registration behavior of spammers. In: Proceedings of the 2013 Conference on Internet Measurement Conference, pp. 63–76 (2013)
Hastie, T., Tibshirani, R., Friedman, J.: The Elements of Statistical Learning. Springer Series in Statistics. Springer, New York (2001)
Levchenko, K., Pitsillidis, A., Chachra, N., Enright, B., Félegyházi, M., Grier, C., Halvorson, T., Kanich, C., Kreibich, C., Liu, H., McCoy, D., Weaver, N., Paxson, V., Voelker, G.M., Savage, S.: Click trajectories: end-to-end analysis of the spam value chain. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP 2011, pp. 431–446. IEEE Computer Society, Washington, DC (2011). http://dx.doi.org/10.1109/SP.2011.24
Moura, G.C., Müller, M., Wullink, M., Hesselman, C.: nDEWS: a new domains early warning system for TLDs. In: NOMS 2016–2016 IEEE/IFIP Network Operations and Management Symposium, pp. 1061–1066. IEEE (2016)
Myles, P.: DomainWire Global TLD Report 2016/2. https://www.centr.org/library/statistics-report/domainwire-global-tld-report-2016-2.html
Pattanai: Faker is a PHP library that generates fake data for you. https://github.com/teepluss/laravel-faker
Plohmann, D., Yakdan, K., Klatt, M., Bader, J., Gerhards-Padilla, E.: A comprehensive measurement study of domain generating malware. In: 25th USENIX Security Symposium, pp. 263–278 (2016)
Scikit-learn developers: Encoding categorical features (2017). http://scikit-learn.org/stable/modules/preprocessing.html
Scikit-learn developers: Homogeneity, completeness and V-measure (2017). http://scikit-learn.org/stable/modules/clustering.html
SURBL: SURBL - URI Reputation Data (2016). http://www.surbl.org
The Spamhaus Project Ltd: The Domain Block List (2016). https://www.spamhaus.org/dbl/
Twilio: Lookup (2017). https://www.twilio.com/lookup
URL Void: Website Reputation Checker Tool (2016). http://www.urlvoid.com/
Vixie, P.: Domain name abuse: how cheap new domain names fuel the eCrime economy. Presentation at RSA Conference 2015 (2015)
Acknowledgements
We thank the reviewers for their valuable feedback. We would also like to express our gratitude to the PC chairs and in particular our shepherd, for supporting us in improving the paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
1 Electronic supplementary material
Below is the link to the electronic supplementary material.
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Vissers, T. et al. (2017). Exploring the Ecosystem of Malicious Domain Registrations in the .eu TLD. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science(), vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_21
Download citation
DOI: https://doi.org/10.1007/978-3-319-66332-6_21
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66331-9
Online ISBN: 978-3-319-66332-6
eBook Packages: Computer ScienceComputer Science (R0)