
Malware on Hijacked Subdomains, a New Trend?

Soulskill posted more than 4 years ago | from the hiding-in-plain-sight dept.

Security 24

The Unmask Parasites blog discusses a technique attackers are using more and more often recently: modifying a compromised site's DNS settings to redirect various subdomains to different IPs that serve up malware, often leaving site administrators none the wiser. Quoting: "It is clear that hackers have figured out that subdomains of legitimate websites are an almost infinite source of free domain names for their attack sites. With access to DNS settings, they can create arbitrary subdomains that point to their own servers. Such subdomains can hardly be noticed by domain owners who rarely check their DNS records after the initial domain configuration. And they cost nothing to hackers. I wonder if using hijacked subdomains of legitimate websites is a new trend in malware distribution or just a temporary solution that won't be widely adopted by cybercriminals in the long run (like dynamic DNS domains last September)."


Also done with 404 Error Documents (5, Informative)

Anonymous Coward | more than 4 years ago | (#32306148)

This is also done with 404 Error pages. They change it to redirect to their spam, and then point people at what looks like a legitimate URL. Then they get redirected to the spam and are none the wiser. www.slashdot.org/thisdoesntexist could redirect anywhere.

Re:Also done with 404 Error Documents (4, Informative)

Anonymous Coward | more than 4 years ago | (#32306226)

Agreed 404, 301, 302. Anything that you can drop a .htaccess file into an account.

Ideally, web servers (not just DNS) have a lot of holes, allowing NS access to the user isn't the problem like the TFA implies. Because most automation software doesn't allow for too much sub domain specific flexibility, most times you still need to be in root to redirect at a dns level.

The exception is, say, parking (GoDaddy etc.) or ZoneEdit, but usually once it's hosted it's pretty much in the hands of the admin to delegate externally.

Re:Also done with 404 Error Documents (3, Informative)

DeadPixels (1391907) | more than 4 years ago | (#32306486)

While I've yet to personally see any subdomain hijacking, I have come across 404 pages that have been turned into drive-by-downloads. Otherwise legitimate sites have all of these extra pages created (www.example.com/search_query_here) that actually just point to malware. While most of them are still fairly easy to pick out because the domain is entirely unrelated to the search term, it's still dangerous and could easily catch many unobservant users.

Re:Also done with 404 Error Documents (2, Interesting)

commodore64_love (1445365) | more than 4 years ago | (#32306518)

So can these hacks be used to get around "NoScript"? I currently have it set to:

- Temporarily allow top-level sites by default
--- Base 2nd level Domains (noscript.net)

Re:Also done with 404 Error Documents (0)

Anonymous Coward | more than 4 years ago | (#32306662)

Yes it can.
Just visit http://billstclair.com/html-redirect.html [billstclair.com] with your no-script enabled to find out ( the redirection occurs after 5 secs ).

Just have to have the right HTML.

Re:Also done with 404 Error Documents (1)

peacefinder (469349) | more than 4 years ago | (#32306954)

In general, any security tool configured to trust a subdomain of a trusted domain would be vulnerable to this attack.

See also "Trusted Sites" in IE.

Re:Also done with 404 Error Documents (1)

UnmaskParasites (1597151) | more than 4 years ago | (#32307408)

In this attack, the hacked sites redirect to subdomains of third party sites. E.g. site1.com redirects to sub.site2.org, so most NoScript settings should be safe.

Wildcard SSL (2, Interesting)

oztiks (921504) | more than 4 years ago | (#32306164)

Since a lot of hosting automation software (cPanel) sets up an a name for @ giving the power singularly to apache also lends it self to have the ability to mask it as being secure.

It isn't a nameserver issue, it's moreover a webserver one.

Administrator negligence? (3, Insightful)

davidwr (791652) | more than 4 years ago | (#32306188)

"who rarely check their DNS records"

And therein lies both the problem and the solution.

Re:Administrator negligence? (3, Insightful)

oztiks (921504) | more than 4 years ago | (#32306264)

I see the best way is to notify admin upon a dns change, any external sites added get sent via email.

(sounds like a job for the guys at http://www.configserver.com/ [configserver.com] )

Even number of hackers, or odd number? (0)

Anonymous Coward | more than 4 years ago | (#32306198)

I wonder if using hijacked subdomains of legitimate websites is a new trend in malware distribution or just a temporary solution that won't be widely adopted by cybercriminals in the long run (like dynamic DNS domains last September).

I wonder if an even number of hackers will use this technique, or an odd number. Only time will tell.

unravel the illicit infrastructure (4, Insightful)

Anonymous Coward | more than 4 years ago | (#32306312)

Yes, checking the DNS records will help identify the sites that have been modified; however, it will also identify the hackers' servers' IP numbers. With that thread, you can start to unravel the illicit infrastructure and counteract it.

Re:unravel the illicit infrastructure (2, Interesting)

drdrgivemethenews (1525877) | more than 4 years ago | (#32306816)

At least in the example given, it would seem pretty feasible to do this at the GoDaddy site itself, where all the A records are centralized. How many businesses registered with GoDaddy have subdomains in different class A or even class B networks?
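The two defensive ideas raised above (oztiks: alert the admin whenever a DNS record is added or changed; drdrgivemethenews: an added subdomain living in a different class A or class B network than the rest of the zone is a red flag) combine into a small zone-diff monitor. This is an added example, not code from the article or from any commenter; the two zone snapshots are constructed, and in practice they would come from a registrar API export or a zone transfer taken on a schedule.

```python
"""Diff two snapshots of a zone's A records and rank the changes.
Added example with constructed data; BASELINE is what the admin set up,
CURRENT is what the authoritative server answers now."""
import ipaddress
from typing import Dict, List

# Constructed snapshots (RFC 5737 documentation addresses).
BASELINE: Dict[str, str] = {
    "example.com": "198.51.100.10",
    "www.example.com": "198.51.100.10",
    "mail.example.com": "198.51.100.25",
}
CURRENT: Dict[str, str] = {
    "example.com": "198.51.100.10",
    "www.example.com": "198.51.100.10",
    "mail.example.com": "198.51.100.25",
    "cdn3.example.com": "203.0.113.77",     # injected: points off-network
    "update.example.com": "198.51.100.40",  # new, but in the apex's /24
}


def network_distance(apex_ip: str, ip: str) -> int:
    """Longest of /24, /16, /8 containing both addresses (0 = unrelated).
    The comment's 'different class A/B network' heuristic, in CIDR terms."""
    a, b = ipaddress.ip_address(apex_ip), ipaddress.ip_address(ip)
    for prefix in (24, 16, 8):
        if b in ipaddress.ip_network(f"{a}/{prefix}", strict=False):
            return prefix
    return 0


def diff_zone(baseline: Dict[str, str], current: Dict[str, str],
              apex: str) -> Dict[str, List[str]]:
    """Names added, removed, changed, and those resolving outside the apex /16."""
    apex_ip = baseline[apex]
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in baseline if n in current
                          and baseline[n] != current[n]),
        "foreign": sorted(n for n in current
                          if network_distance(apex_ip, current[n]) < 16),
    }


def alerts(baseline: Dict[str, str], current: Dict[str, str],
           apex: str) -> List[str]:
    """Human-readable alert lines, the payload an admin notification would carry."""
    d = diff_zone(baseline, current, apex)
    out = [f"[{'HIGH' if n in d['foreign'] else 'INFO'}] new record {n} -> {current[n]}"
           for n in d["added"]]
    out += [f"[HIGH] {n} changed {baseline[n]} -> {current[n]}" for n in d["changed"]]
    out += [f"[WARN] record removed: {n}" for n in d["removed"]]
    return out


if __name__ == "__main__":
    print("\n".join(alerts(BASELINE, CURRENT, "example.com")))
```

A new name inside the zone's own netblock is only informational, while a new name pointing at an unrelated network is the case the article describes and is ranked HIGH.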

url rewrites are not dns issues.. (0)

Anonymous Coward | more than 4 years ago | (#32306446)

htaccess is irrelevant to dns. come on..

That explains idle.slashdot.org (5, Funny)

orkysoft (93727) | more than 4 years ago | (#32306646)

That explains idle.slashdot.org :-)

A weird habit of mine . . . (1)

NicknamesAreStupid (1040118) | more than 4 years ago | (#32306868)

. . . is that I have always set DNS addresses manually. Back before the days of DHCP, I got to know the two primary DNS addresses for Level3 (now Verizon), 4.2.2.4 & 4.2.2.5. Since I have an easier time remembering numbers than names, they stuck. I use them even though they are not my ISP's, which makes DNS look-ups a little slow.

There are a number of well-known DNS exploits, especially with DNSSEC (http://www.dnssec.net) being a latecomer to the Internet and not widely implemented beyond top-level domains. It is actually a bigger problem for foreign countries, whose resources to oversee these technical things may be very limited.

Re:A weird habit of mine . . . (1)

QuantumRiff (120817) | more than 4 years ago | (#32310202)

Google now has a public DNS server at 8.8.8.8, which is also very easy to remember. (and very fast)

As a malware defense professional.. (5, Informative)

ma1wrbu5tr (1066262) | more than 4 years ago | (#32307292)

I can verify that this trend has been building for months. It only seems to be getting worse. We've logged literally hundreds of compromised sites ranging from the very high traffic to the very obscure. This is one case where even vigilant users are undermined by the lack of security awareness of the site admins.

Re:As a malware defense professional.. (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#32314058)

As a malware defense professional..

Man, that's got to make you feel as good as working for a large bank makes me feel ;)

Re:As a malware defense professional.. (1)

ma1wrbu5tr (1066262) | more than 4 years ago | (#32314202)

Pretty much.

Misread headlines (2, Funny)

DigitAl56K (805623) | more than 4 years ago | (#32307532)

"Malware on Hijacked Submarines, a New Trend?"

Talk about a double-take! Would have made for an interesting story, though :)

Re:Misread headlines (0)

Anonymous Coward | more than 4 years ago | (#32307690)

Hunt for Misread October?

-AC

David (0)

Anonymous Coward | more than 4 years ago | (#32308988)

The best idea is to monitor your DNS, Whois (and sites for changes). Good tool to do that: http://sucuri.net/ [sucuri.net]

A permanent trend? (1)

rakslice (90330) | more than 4 years ago | (#32310230)

> I wonder if using hijacked subdomains of legitimate websites is a new trend in malware distribution or just a temporary solution that won't be widely adopted by cybercriminals in the long run (like dynamic DNS domains last September).

Well, if my co-workers' research with URL-shortener links is any indication, you can certainly train people in a Pavlovian manner to avoid following links to unknown content.
