Reanimating Botnet Domains Delivers Clues to Cold Cases

Grabbing forgotten domains allows researchers to identify victims and gain more intelligence about botnets and nation-state espionage attacks.

SAN FRANCISCO — Security researchers and defenders are using increasingly aggressive tactics to put pressure on attackers and make their adversaries' mistakes more costly.

In the latest example, managed security firm Dell Secureworks discovered a successful campaign that stole information from at least four organizations by co-opting the attackers' command-and-control infrastructure, the firm announced at the RSA Conference here Feb. 27. The company reserved three domains jettisoned by attackers, but to which compromised computers continued to communicate. By injecting themselves into the infrastructure, the researchers built a picture of the attackers' operations and found that, while two domains were connected to cyber-crime networks, a third domain had the hallmarks of a targeted attack.

"Sinkholing the domains allows us to look more at the targeted space," said Silas Cutler, a security researcher with Dell Secureworks' Counter Threat Unit. "If you have a list of indicators that are targeted attacks, you can weed out the ones that looked targeted but are not."

Cutler and other researchers had come across three domains mentioned in reports of a botnet known as Protux, which has been used by cyber-criminals to steal data since 2008. The domains had once been key components for controlling different botnets, but the attackers had let the registration lapse. By reserving the domains and then sinkholing any traffic, researchers are able to link into the remnants of the command-and-control channel.

Two botnets consisted of about 300 compromised home computers, suggesting that they were typical criminal operations. Yet, the third domain continued to be a communication point for a small number of systems inside three organizations, Cutler said. Dell Secureworks refused to give detailed information about the organizations.

In a second case, Dell Secureworks researchers took control of a domain used by an espionage group and discovered compromised computers inside a major U.S. research university. After contacting the university, the researchers worked with its security team to identify domain name system (DNS) traffic that linked the malware to the Comment Group, the Chinese espionage group identified in the recent report released by Mandiant.

It also led to the identification of three more victims, including a defense contractor, a U.S.-based energy company, and an international IT company, Cutler said.

"We were able to work with university and get indicators of compromise, and then put those back in our system to find three more victims," he said.

Cutler underscored that, without the help of the university, the researchers would not have been able to link the attack to an advanced persistent threat (APT) group. Without better information sharing in the future, defending against such attacks will be much more difficult, he said in the analysis released by Dell Secureworks.

"As an Internet community, if we don't make a collaborative effort to share the knowledge amongst each other, which will help to defend against these APT threats, we will surely see continued success by these highly organized and motivated APT hacker groups," the analysis stated.