Hello everyone, I’m Les Smith, and I run the threat research team here at Infoblox, in the Office of the CTO. I’m a long-time Bloxer (as Infoblox employees like to call ourselves) and veteran of the security wars.
Over the last 12 months, our team has seen a significant increase in the use of DNS proxy registrars and of companies that have been set up to subvert the security controls around registering DNS domains. These proxy registrars are essentially middlemen sitting between someone who lacks the accreditation to sell domains themselves and a real ICANN-accredited domain registrar. They allow anyone to purchase a domain from them, and then register it with the accredited registrar on that customer's behalf.
Whilst it is recognized that there are legitimate uses for such services, there is an alarming increase in how often they are used for criminal activity. The main concern is that each of these proxy registrars has its own standards of accountability and legitimacy for the domains it registers on behalf of its customers.
Another important trend we are watching is the increasing sophistication of commercial off-the-shelf (COTS) malware toolkits. Kits like GameOver Zeus now provide advanced obfuscation techniques, domain generation algorithms (DGAs) and secure, encrypted communication with command and control (C2) servers to anyone who can pay.
With the rise of these malware toolkits, we are seeing proxy services being used to hide the identity of the malware author. One of the requirements for registering a domain is to provide contact details for the registrant. Whilst malware authors often falsified these details, it was relatively easy for security researchers to spot false registration details and so detect domains that had been registered for dubious reasons.
It is therefore not surprising that in the recent attack on Apple’s app store, “XcodeGhost”, the perpetrator of the attack used the company Domains By Proxy to register its command and control (C2) domain names that were hosted on Amazon Web Services (AWS).
Running an application infected with XcodeGhost shows that the malware gathers information from various files on iPhone and iPad devices, including passwords and system information, encrypts that information, and uploads it to a C2 server over HTTP. Different versions of XcodeGhost showed slightly different behavior and used one of three domains:
· http://init.crash-analytics[.]com
· http://init.icloud-diagnostics[.]com
· http://init.icloud-analysis[.]com
Queries for these domains began to appear around the same time the domains were registered. The queries for 'icloud-analysis.com' escalated in April, two months after the domain was registered on February 25th, and peaked at 1,402,831 queries on July 2nd 2015. [1]
Queries for ‘icloud-diagnostics.com’ escalated in June – six weeks after the domain registration on May 7th – and peaked at 10,628 on September 18th when the infection was publicly disclosed.
Queries for ‘crash-analytics.com’ escalated in August – immediately after the domain was registered – and peaked at 908 on September 18th.
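The pattern above (queries to a domain starting within days of its registration, through a registrant that hides its identity) is something a resolver owner can check for directly. The following is an added example, not code from the original post or from Infoblox: it runs over a few constructed resolver log lines and constructed WHOIS-style records, using the two registration dates the post gives and a placeholder date for crash-analytics.com, and flags proxy-registered domains first queried within a configurable number of days of registration.

```python
from datetime import date, datetime
from collections import defaultdict

# Constructed WHOIS-style records. The two icloud-* dates are the ones given in the post;
# the crash-analytics.com date is a placeholder (the post only says "August").
REGISTRATIONS = {
    "icloud-analysis.com":    {"registered": date(2015, 2, 25), "proxy_registrant": True},
    "icloud-diagnostics.com": {"registered": date(2015, 5, 7),  "proxy_registrant": True},
    "crash-analytics.com":    {"registered": date(2015, 8, 1),  "proxy_registrant": True},  # placeholder
    "example.org":            {"registered": date(2003, 1, 1),  "proxy_registrant": False},
}

# Constructed resolver log lines, one query each: "<date> <client-ip> <qname>".
LOG_LINES = """\
2015-03-01 10.0.0.5 init.icloud-analysis.com
2015-03-01 10.0.0.9 init.icloud-analysis.com
2015-04-10 10.0.0.5 init.icloud-analysis.com
2015-05-20 10.0.0.7 init.icloud-diagnostics.com
2015-08-03 10.0.0.7 init.crash-analytics.com
2015-08-03 10.0.0.8 init.crash-analytics.com
2015-08-03 10.0.0.2 www.example.org
""".splitlines()

def registrable_domain(qname):
    """Reduce a query name to its last two labels (sufficient for the .com/.org names here)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def daily_counts(lines):
    """Count queries per registrable domain per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, _client, qname = line.split()
        counts[registrable_domain(qname)][datetime.strptime(day, "%Y-%m-%d").date()] += 1
    return counts

def flag_young_proxy_domains(lines, registrations, max_age_days=30):
    """Return {domain: (age_at_first_query_days, peak_day, peak_count)} for domains that were
    registered through a proxy and first queried within max_age_days of registration."""
    flagged = {}
    for domain, per_day in daily_counts(lines).items():
        reg = registrations.get(domain)
        if reg is None or not reg["proxy_registrant"]:
            continue
        first_seen = min(per_day)
        age = (first_seen - reg["registered"]).days
        if 0 <= age <= max_age_days:
            peak_day = max(per_day, key=per_day.get)
            flagged[domain] = (age, peak_day, per_day[peak_day])
    return flagged
```

With the constructed input, all three XcodeGhost domains are flagged at the default 30-day window while example.org is not; tightening the window to 3 days leaves only crash-analytics.com.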
This is just one recent, high-profile example. In our own lab, Infoblox is seeing a worrying trend: more and more of the domains registered through DNS proxy services are being associated with malware.
Coupling advanced malware toolkits with the new lack of transparency afforded by proxy registrars means that it is easy for malware developers not only to create a new generation of malware, but to hide their identity while doing so. We are watching these trends carefully.
[1] OpenDNS Security Labs – https://labs.opendns.com/2015/09/21/xcodeghost-materializes/