Q&A: How hackers manipulate domain names to spread malware

By Byron V. Acohido

When Seattleite Jay Westerdal bootstrapped a company called DomainTools in 2002, it was to support his activities in the domain name speculation game that was red hot at the time.

DomainTools set out to gather domain “whois” records in order to serve those immersed in speculating on owning domain names, like chocolate.com. Unbeknown to the founders at the time, the company did a couple of things that would position DomainTools to reinvent itself down the road as a security vendor, once the domain name market ran its course.

First, the company kept historical records of everything. And, second, DomainTools started gathering, not just “whois” records, but also web server and email server records, all of which would prove to be valuable for tracking the activities of cyber criminals.

ThirdCertainty recently visited with Tim Helming, DomainTools’ director of product management, to outline how the company today sheds light on the cyber underground. Text edited for clarity and length.

3C: How do domain names come into play with malicious internet activities?

Tim Helming, DomainTools’ director of product management

Helming: Everything that happens on the internet happens with IP addresses and domain names. You’ve probably received phishing emails once or twice, right? We all have. So a phishing email has domains in a couple of places. Usually there’s a link that they want you to click on, and that link has some domain in it. Sometimes it’ll be an intentional typo that looks like a legitimate site. They want you to click on it. So that domain name actually is a key to a lot of valuable information about the attacker.

Related: DNS vulnerabilities expose businesses to attack

From that one domain, you can often expand and see other domains that they own. And that could tell you things like, ‘Oh these other domains are all targeting businesses in my industry. So this attacker’s interested in my industry.’ Or maybe they’ve got a bunch of different typos of my company name. So they’re going to be sending phishes all over the place. I can block that if I know that.

3C: So if I’m a malware hunter in a Security Operations Center, you can help me do forensics?

Helming: Fundamentally. We enable you to learn more about the attacker and their motivations by seeing their holdings, and also understand more about what their entire web of holdings are, so you can defend against that.

3C: So if one of my servers is owned and beaconing out to a command-and-control server, I can see that?

Helming: Botnets have to get commands from somewhere, and so, typically, they are beaconing out to domains. A lot of times, botnet domains don’t look like anything that makes sense to a human. They look like a random collection of letters and numbers. But they’re not intended for a human to use. The botnet uses that domain name in order to know what IP address to hit in order to get its instructions. That’s how they use the domain names, but a human can take the domain name, plug it into a tool like our Iris tool, and find out all the other ones that are connected to it. And you can use that to defend against them.

3C: You’re out there, watching and cross-referencing domains?

Helming: If you’re in law enforcement, you might use the kind of data that we have to find out who an attacker really is so that you can take action against them. Or if you’re sitting in the SOC, you’re using it to better understand the attacker and what all of their holdings are.

3C: Some of this type of forensics was done with the huge breach of health insurance company Anthem. What do we now know about Anthem?

Helming: This was a really interesting misuse of a domain name. Anthem’s name used to be WellPoint, and somebody registered a look-alike domain that was like WellPoint, except the L’s were 1’s, and it was designed to lure WellPoint employees to go to what looked like a company website. It got them to enter their log-in credentials. The attackers grabbed all of those log ins, because the attackers were the ones that controlled that domain. Now they were inside, and they were able to pull out 80 million records.

3C: Even using the best tools, are the analysts in SOCs playing an endless cat-and-mouse game?

Helming: We allow the SOC analysts, or threat hunters, to actively go out to find various kinds of threats. We call it enrichment. So if you have a domain or IP address that looks like it’s scary, we can help you get more context about it and understand it better. Fundamentally, it’s about better understanding the attacks, and assessing the risks, so that they can figure out how to align their defenses against them.

3C: SOC services aren’t just for large enterprises anymore; Managed Security Services Providers can do similar forensics for small and midsize businesses, right?

Related podcast: MSSPs help SMBs defend their networks

Helming: You don’t have to have a big room that looks like NORAD to be doing SOC-like functions, and just about every company has people that are doing that, even if they don’t have an actual Security Operations Center.

3C: Clearly the advantage still goes to the bad guys, but it’s encouraging that some pretty cool tools, that are getting more powerful all the time, are available to the good guys.

Helming: It’s so hard to predict where the internet is going, and where security is going, in some ways. But we know that IP addresses, whether it’s IPV4 or IPV6, and some form of domain names are going to be part of how the internet operates. It may look a little bit different, but being able to tie together connected infrastructure is still going to be important. We don’t know what techniques the bad guys will use. That may change. Ultimately, they’re after money and intellectual property. But you can’t operate without operating on the internet. And if you’re doing that, it’s very, very hard not to leave some kind of a breadcrumb trail behind, and we like to latch onto that.

More stories related to business hackers:
Easy creation of domain names by hackers leaves SMBs dangerously exposed
Sophisticated spear phishing attacks becoming more common
How organizations can avoid getting hooked by phishing scams


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone