Nominum Research continues to refine algorithms, working toward more generalized methods to quickly detect “anomalous” activity that might represent DDoS, bots, or various other undesirable behaviors. To simplify somewhat, the algorithms examine high-speed, real-time data streams and continuously compare a small window of incoming queries against a very large “normal” historical sample. Unexpected variations are flagged and the relevant data is captured for further analysis.
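The following is an added illustration of that window-versus-baseline idea, not Nominum's code and not a description of their actual algorithms. It assumes one simple statistic: per query name, the count in the current window is z-scored against the mean and standard deviation of per-window counts over the historical sample, with a sigma floor so that a name that never appeared in history is flagged purely on its burst size. The traffic (timestamps, names, the 60-second bucket and the `.example` stand-in for an obscured gTLD) is constructed for the example.

```python
"""Sliding-window DNS query-volume anomaly check against a historical baseline.

Added example: compares a short window of queries to a large "normal" sample.
All traffic below is constructed; the z-score approach is an assumption, not
a description of any vendor's real detection logic.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW = 60  # assumed bucket size in seconds


def bucket_counts(queries, window=WINDOW):
    """Group (timestamp, qname) pairs into per-window Counters keyed by bucket start."""
    buckets = defaultdict(Counter)
    for ts, qname in queries:
        buckets[ts - ts % window][qname] += 1
    return buckets


def build_baseline(history, window=WINDOW):
    """Per-qname (mean, stddev) of queries per window across the whole history.

    Windows in which a name did not appear count as zero, so a name queried
    only occasionally gets a low mean rather than an inflated one.
    """
    buckets = bucket_counts(history, window)
    n_windows = len(buckets)
    per_name = defaultdict(list)
    for counter in buckets.values():
        for qname, c in counter.items():
            per_name[qname].append(c)
    baseline = {}
    for qname, counts in per_name.items():
        padded = counts + [0] * (n_windows - len(counts))
        baseline[qname] = (mean(padded), pstdev(padded))
    return baseline


def score_window(current, baseline, z_threshold=4.0, min_count=20):
    """Return {qname: z} for names whose count in the current window is anomalous.

    sigma is floored at 1.0: a perfectly steady history (sigma 0) or an unseen
    name (no baseline at all) would otherwise divide by zero. min_count stops
    single-digit bursts of brand-new names from drowning the output.
    """
    counts = Counter(qname for _, qname in current)
    flagged = {}
    for qname, c in counts.items():
        mu, sigma = baseline.get(qname, (0.0, 0.0))
        sigma = max(sigma, 1.0)
        z = (c - mu) / sigma
        if z >= z_threshold and c >= min_count:
            flagged[qname] = round(z, 1)
    return flagged


def constructed_history(windows=120, window=WINDOW):
    """Constructed sample: 120 steady windows of traffic for three names."""
    queries = []
    for i in range(windows):
        base = i * window
        queries += [(base + j, "www.example.net") for j in range(10)]
        queries += [(base + j, "cdn.example.net") for j in range(5)]
        queries += [(base + j, "mail.example.net") for j in range(3)]
    return queries


def constructed_current(window_index=120, window=WINDOW):
    """Constructed current window: one name surges, one never-seen name appears."""
    base = window_index * window
    cur = [(base + j, "www.example.net") for j in range(12)]      # 10 -> 12: normal jitter
    cur += [(base + j, "cdn.example.net") for j in range(60)]     # 5 -> 60: burst
    cur += [(base + j, "x7k2.example") for j in range(40)]        # unseen name under stand-in gTLD
    return cur


def detect(history=None, current=None):
    """Run the check on the constructed data (or on caller-supplied streams)."""
    history = history if history is not None else constructed_history()
    current = current if current is not None else constructed_current()
    return score_window(current, build_baseline(history))


if __name__ == "__main__":
    for name, z in sorted(detect().items()):
        print(f"{name}: z={z}")
```

On the constructed data the steady name passes (z of 2 is inside normal jitter), the surging name and the never-seen name are both flagged. In a real deployment the baseline would be keyed on more than the bare name (query type, client population, response code) and would be rebuilt on a rolling basis so that yesterday's flagged burst does not silently become part of tomorrow's "normal".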
New generic Top Level Domains (gTLDs) first went live on the Internet in October 2013. Not a lot has been written about abuse of these new domain names. Using techniques like those described above on a worldwide high-speed data stream over the past few months, Nominum researchers have uncovered more and more malicious activity using names under new gTLDs. In particular, there are queries that suggest domains registered under new gTLDs are being used to serve ads that subvert ad-blocking software. This premise is based on previous analysis of other, similar query patterns that were later shown to be used for ads that evaded blocking filters.
The suspect queries change second-level labels constantly. By carefully timing the changes, ad servers can stay one step ahead of ad-blockers that rely on matching against a dynamically updated list of domains known to serve unwanted ads. Some examples of queries with labels that change every day are below (the new gTLD used is intentionally obscured):
These queries, and many others with similar characteristics, have been observed for several weeks.
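As an added example (not from the original post, and not Nominum's detection logic), here is one way to surface the rotation pattern just described: group queries by TLD and calendar day, collect the set of second-level labels seen under that TLD each day, and flag a TLD whose daily label set is almost entirely new for several days running. The query names, the day numbers, the `.example` stand-in for the obscured gTLD and the thresholds are all constructed assumptions.

```python
"""Daily second-level-label turnover per TLD.

Added example: flags TLDs under which the registered (second-level) labels
being queried are replaced day after day, the "change every day" pattern.
The sample queries, the .example placeholder TLD and the thresholds are
constructed for this illustration.
"""
from collections import defaultdict


def registered_label(qname):
    """Split 'sub.label.tld' into (second-level label, tld); None for a bare TLD."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def daily_labels(queries):
    """Map tld -> day -> set of second-level labels queried that day."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, qname in queries:
        parts = registered_label(qname)
        if parts:
            sld, tld = parts
            seen[tld][day].add(sld)
    return seen


def label_turnover(days):
    """For each day, the fraction of that day's labels never seen on an earlier day."""
    cumulative = set()
    turnover = {}
    for day in sorted(days):
        labels = days[day]
        new = labels - cumulative
        turnover[day] = len(new) / len(labels) if labels else 0.0
        cumulative |= labels
    return turnover


def flag_rotating_tlds(queries, min_labels=3, min_turnover=0.8, min_days=2):
    """Return {tld: {day: turnover}} for TLDs with sustained label rotation.

    The first observed day is always 100% new, so it never counts toward the
    streak. min_labels keeps a TLD with one or two casual queries from
    tripping the rule.
    """
    flagged = {}
    for tld, days in daily_labels(queries).items():
        turnover = label_turnover(days)
        streak = 0
        for day in sorted(days)[1:]:
            if len(days[day]) >= min_labels and turnover[day] >= min_turnover:
                streak += 1
            else:
                streak = 0
            if streak >= min_days:
                flagged[tld] = {d: round(turnover[d], 2) for d in sorted(days)}
                break
    return flagged


# Constructed sample: under .example the second-level label is replaced each
# day; under .net the same registered domain is queried every day.
SAMPLE_QUERIES = [
    (1, "cdn.qf7x2a.example"), (1, "cdn.h9k1pz.example"), (1, "cdn.m3t8rw.example"),
    (2, "cdn.a2b9nq.example"), (2, "cdn.v6c4ks.example"), (2, "cdn.r8d3zx.example"),
    (3, "cdn.k1p7mw.example"), (3, "cdn.t5y2qb.example"), (3, "cdn.j4n6vh.example"),
    (1, "www.example.net"), (1, "mail.example.net"), (1, "cdn.example.net"),
    (2, "www.example.net"), (2, "mail.example.net"), (2, "cdn.example.net"),
    (3, "www.example.net"), (3, "mail.example.net"), (3, "static.example.net"),
]

if __name__ == "__main__":
    for tld, per_day in flag_rotating_tlds(SAMPLE_QUERIES).items():
        print(tld, per_day)
```

The caveat a practitioner would want: high label turnover on its own is not proof of ad-blocker evasion. Throwaway domains from DGA-style malware and some entirely legitimate bulk-registration campaigns produce the same signature, so a hit here is a lead for the "further analysis" step, not a verdict, and in practice the grouping key would be narrower than the whole TLD (for example, labels sharing a subdomain prefix, a nameserver, or a resolved address).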
To be clear and fair, this activity still predominates in legacy TLDs and has existed for many years. New domains registered on some legacy TLDs trigger suspicion because of those TLDs' reputations, and even very large, popular TLDs inadvertently host malicious domains despite their best efforts to deter them. It is not surprising that malicious activity is starting to appear in new gTLDs. When the interests of domain registries are misaligned with the greater good of the Internet, hackers will use the DNS to enable their exploits. Cheap or free domain registrations bias the economic model in favor of misuse. A lack of vigilance in policing registrations is another contributing factor. For instance, with batch registrations and no verification of the registrant's identity, it is simple to obtain names, use them briefly, and abandon them without a trace.