Large Foot Prints and Loud Noises

So milling around in some spam while on another research project, I started noticing something strange… how so many seemingly unrelated domains appeared in the Reply To address of the same spam campaign. I began digging into the domains for multiple campaigns and I am currently monitoring the behavior and working on mapping the associations of the bad guys. Granted, there’s nothing glorious about discovering spammers or shutting them down, but uncovering a large enterprise of what appears to be individuals working together kind of intrigues me.

Anyway, while working on this, I found someone that sticks out like a sore thumb. Why? Because they are “loud” and have a huge footprint. This individual has registered over 4,000 domains in 11 days. I’m sure he/she has reasons, but none that I’m currently interested in hearing. Not surprisingly, the actor is also associated with over 100K other active domains. I’m not sure what you plan to do about it, but in the meantime, I’m blocking these.

For the record, at this present moment I have only tied this actor to spam (in my resources) and malicious sites as indicated by other research sources, but I have not personally tied them to specific malware. If I do, I will update this blog with those details provided it doesn’t compromise any other OPSEC.

As a general rule, I’d recommend blocking non-standard gTLDs and allowing your users to request an exception.

Here’s a link to the blacklist (thanks to T-byrd for hosting it): https://www.dropbox.com/s/31c2p85naba08wa/blacklist.txt?dl=0

Check back to that link for future updates.

That’s all for now, if this was helpful to you please let me know.


**UPDATE** 2016-03-29 (0446-UTC)

Additional investigation shows the registrant is a Chinese reseller (http://www.wuyumi.com/). I’ve personally linked many of the domains to spam, and others are blacklisted by Domain Tools and other resources. The seller’s page shows domains sold for 2.9-3.5 Yuan (take the average), which is less than 50 cents (3.27 Yuan = 0.50 USD), and in many cases that price is per month.

So let’s math a little here (assuming all his domains are “rented” for the next 12 months at the average rate):

100,135 domains
x 50 cents/mo
x 12 month

$600,810/year gross

Now I’m not sure what their cost is, but let’s assume they bought a .download domain from ALPNAMES for the advertised $0.60 for 1 year. They then rent it out for $0.50 x 12 = $6.00; $6.00 – $0.60 = a profit of $5.40.

ROI = 5.40/.60 = 9

9 x 100% = 900% return on investment of 60 cents for one domain.

So we have a low cost of entry to do [bad] business (both the folks buying & renting the domain), links to multiple spam campaigns, some with phishing elements, and links to other confirmed spam campaigns.  I don’t care what they are re/selling them for, at that price, nothing good is going to come of it IMHO.  So the list has been made available WITHOUT WARRANTY you may do with it what you wish.

What’s Under that Threshold?

This blog post is meant to be short, sweet and to the point, so please forgive the brevity if you were looking for something in depth this time.

*THE LITTLE FISH*

Many of us are trained to get the big fish, find the next cutting edge threat, defend against the big blob of red in the graphic of some ridiculous C-level slide presentation. We sit, eyes locked on some SOC tool, waiting for bells & whistles to go off, the emails to start flying, the lights to flash to wake us up because we’ve fallen asleep from boredom, all because we’ve placed our trust in a tool to tell us where to focus our attention. So, how often do you go digging, or lift up the lid on something to peek at what’s inside? What are you doing about the quiet, smart bad guy who’s tiptoeing in just under your alert criteria? You know, the one who isn’t making a lot of noise on your network, the customer doing the dirtiest of deeds, just under the thresholds for your automated alarms?

*MY GLORIOUS TOOLS*

Well, if you know what your thresholds are for automated alerts, why aren’t YOU looking at what lies beneath them? Is it because you think nobody with malicious intent would take the time to do X in such small quantities because it wouldn’t pay off? Is it because your tool is awesome and perfect *cough*cough*cough*cries*grabs water*? If you answered yes to the 2nd or 3rd question, please allow me to share some good ol’ country advice that has served me well: “He who underestimates his enemy has lost the first battle in the war.”

*MY CUSTOMER?! NOT _MY_ CUSTOMER*

So without divulging the details of my current research, I’ll share a few things I’ve been noticing lately. First is bad guys doing a little here, a little there when purchasing domains. Instead of buying in bulk, they’re buying a few each day. So, if you’re selling domains, maybe you want to take a look at any customers who are buying in quantities just below your “alarm” threshold and who are NOT buying via your bulk discount programs. I mean seriously, what does one individual need with a couple hundred domains that he/she wouldn’t want to take advantage of bulk discounts? I mean, they could just be a legit business that doesn’t know any better, but I’m gonna guess not. It might be worth checking those domains out using tools such as OpenDNS, Domain Tools, Threat Grid, and Virus Total. Are the domains registered, more than 30 days old and still without a website? What’s the aggregate number of domains purchased in the last 30 days, and how old is the customer account? Does the data on the domain registrations match that on your customer’s account? Does the data on the domain registration match ANOTHER customer account? If you find that your customer’s domains are popping hot, ya just might want to take a leeeetle-bit closer look at their activities.

Let’s look at another OSINT source you have: customer access logs. The second thing I’ve been noticing is bad guys creating DNS entries a little here, a little there. So you found a guy flying below the radar (could be a girl, but just go with me here) with the daily number of domains being purchased under your alarm level. Maybe you provide infrastructure, not domains, so you offer DNS, and you have a customer flying below the radar making lots of DNS records. Do your tools alert you when a customer logs into his/her account from multiple ASNs, or ASNs in different countries? I mean, if a guy logs in for <5 minutes, makes DNS records, and logs out, all from Romania on Sunday, Russia on Monday, Great Britain on Tuesday, etc., either he's racking up some serious frequent flyer miles or he might be up to no good. AGAIN, there COULD be a perfectly legitimate explanation (none come to mind immediately), but you won't even know unless you go looking. If you're providing website hosting, do you have a customer that has hundreds of completely unrelated domains pointing to a single IP? I once found a guy with over 900 malicious domains all pointing/pointed to a single IP... I wanted to say to the provider, "Seriously, you don't notice?"

*SUMMARY*

So the point of today's topic: start looking BELOW your automated thresholds for the really bad guys. Be pro-active, stop waiting for bad guys to wave, shake your hand, and say hello. Thanks again for taking time to read the blog and feel free to share comments, DM me on twitter, or just tag and say hi!
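The two below-threshold checks described above (daily domain purchases that each stay under the per-day alarm but add up over 30 days, and short logins from several countries/ASNs), as an added Python example that is not code from the original post. The purchase log, login log, customer names, ASNs, countries and all threshold values are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed registrar purchase log: (customer, day, domains bought that day).
# cust-1 never exceeds 9 a day, so a per-day alarm of 10 never fires on it.
PURCHASES = [("cust-1", date(2016, 3, d), 9) for d in range(1, 29)]   # 28 days x 9
PURCHASES += [("cust-2", date(2016, 3, 1), 3), ("cust-2", date(2016, 3, 15), 2)]

# Constructed customer login log: (customer, timestamp, country, ASN).
LOGINS = [
    ("cust-1", "2016-03-06T10:01Z", "RO", 9009),
    ("cust-1", "2016-03-07T11:30Z", "RU", 12389),
    ("cust-1", "2016-03-08T09:12Z", "GB", 2856),
    ("cust-2", "2016-03-06T12:00Z", "US", 7922),
    ("cust-2", "2016-03-08T12:30Z", "US", 7922),
]

def aggregate_flags(purchases, daily_alarm=10, window_days=30, window_alarm=100):
    """Customers whose every day stays under daily_alarm (so the per-day alarm
    never fires) but whose rolling window_days total reaches window_alarm.
    Threshold defaults are hypothetical, not values from the post."""
    per_cust = defaultdict(list)
    for cust, day, n in purchases:
        per_cust[cust].append((day, n))
    flagged = {}
    for cust, rows in per_cust.items():
        if max(n for _, n in rows) >= daily_alarm:
            continue                       # already caught by the per-day alarm
        rows.sort()
        peak = 0
        for i, (day, _) in enumerate(rows):
            start = day - timedelta(days=window_days - 1)
            peak = max(peak, sum(n for d, n in rows[:i + 1] if d >= start))
        if peak >= window_alarm:
            flagged[cust] = peak           # largest 30-day total seen
    return flagged

def travel_flags(logins, min_countries=3):
    """Customers seen logging in from at least min_countries distinct countries,
    with the (country, ASN) pairs observed for each."""
    seen = defaultdict(set)
    for cust, _, country, asn in logins:
        seen[cust].add((country, asn))
    return {c: sorted(s) for c, s in seen.items()
            if len({country for country, _ in s}) >= min_countries}

if __name__ == "__main__":
    print(aggregate_flags(PURCHASES))   # {'cust-1': 252}
    print(travel_flags(LOGINS))         # {'cust-1': [('GB', 2856), ('RO', 9009), ('RU', 12389)]}
```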