StevenBlack / hosts

🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.
MIT License

Chrome Malicious (HUGE) #1320

Closed scafroglia93 closed 4 years ago

scafroglia93 commented 4 years ago

Source -> https://awakesecurity.com/blog/the-internets-new-arms-dealers-malicious-domain-registrars/

hastebin -> (it's made by me) https://hastebin.com/ilosayuxiv.css

StevenBlack commented 4 years ago

Thanks Lorenzo @scafroglia93.

Using ghosts, there are 15,212 unique domains, with just 10 duplicates with our base list.

$ ./ghosts -c https://hastebin.com/raw/ilosayuxiv
----------------------------------------
Base hosts file summary:
----------------------------------------
Location: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Domains: 57,322
Bytes: 1.8 MB
----------------------------------------
----------------------------------------
Compared hosts file summary:
----------------------------------------
Location: https://hastebin.com/raw/ilosayuxiv
Domains: 15,212
Bytes: 267 kB
----------------------------------------
Intersection: 10 domains

Using ghosts -intersection yields the 10 domains in the intersection.

angelsinuniform.com
nauthorne.info
carmuffler.net
coolinc.info
evertherenous.info
legfrissebb.info
rtb-seller.com
sedatorslegallock.info
solicita.info
yie4zooseif.info

My initial thought: why is the intersection so small?

StevenBlack commented 4 years ago

My next thought is, why would the domain registrar matter, at all? This doesn't make sense to me.

What am I missing?

StevenBlack commented 4 years ago

What's the TLD distribution in the list?

$ ./ghosts -m https://hastebin.com/raw/ilosayuxiv -tld
----------------------------------------
Base hosts file summary:
----------------------------------------
Location: https://hastebin.com/raw/ilosayuxiv
Domains: 15,212
Bytes: 267 kB
TLD tally:
   com: 6,421
   info: 4,807
   org: 2,987
   net: 694
   il: 296
   xn--9dbq2a: 3
   mobi: 2
   top: 2
----------------------------------------

How is this real data?

Let's compare with our base list:

$ ./ghosts -tld
----------------------------------------
Base hosts file summary:
----------------------------------------
Location: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Domains: 57,322
Bytes: 1.8 MB
TLD tally:
   com: 31,686
   net: 6,828
   pl: 5,852
   info: 868
   jp: 816
   vn: 814
   org: 760
   ru: 758
   eu: 591
   de: 563
   live: 429
   io: 393
   nl: 380
   uk: 377
   cn: 349
   fr: 273
   xyz: 265
   co: 264
   biz: 215
   us: 206
   in: 196
   at: 195
   tv: 175
   tk: 171
   online: 151
   mobi: 140
   it: 137
   site: 127
   ca: 109
   club: 108
   me: 105
   br: 105
   cz: 103
   top: 98
   name: 97
   ro: 93
   pro: 86
   be: 83
   cc: 77
   pw: 71
   es: 65
   hu: 65
   ua: 63
   kr: 62
   icu: 61
   ch: 52
   za: 52
   asia: 50
   ml: 48
   au: 46
   space: 44
   tr: 41
   se: 41
   to: 36
   dk: 36
   bid: 35
   win: 35
   pt: 34
   su: 34
   cl: 34
   ws: 33
   website: 32
   link: 30
   ir: 30
   life: 28
   services: 28
   ga: 28
   tech: 26
   il: 26
   click: 24
   no: 22
   pk: 21
   ar: 20
   gq: 20
   bg: 19
   cf: 19
   kz: 19
   gr: 19
   fun: 19
   by: 18
   best: 18
   mx: 18
   host: 17
   my: 17
   cm: 16
   nz: 16
   sk: 15
   fi: 15
   pet: 15
   id: 14
   network: 14
   im: 14
   sg: 14
   today: 14
   th: 13
   download: 13
   st: 13
   la: 13
   nu: 13
   ly: 12
   stream: 12
   world: 12
   tt: 11
   review: 11
   date: 10
   tw: 10
   sh: 10
   cloud: 10
   bz: 10
   si: 9
   lv: 9
   lt: 9
   vip: 9
   hk: 9
   ug: 9
   ad: 9
   cx: 9
   work: 8
   gg: 8
   ge: 8
   lu: 8
   press: 7
   media: 7
   ovh: 7
   ai: 7
   ee: 6
   gov: 6
   tools: 6
   ie: 6
   am: 5
   xn--p1ai: 5
   ph: 5
   tl: 5
   store: 5
   email: 5
   re: 5
   ae: 5
   is: 4
   ng: 4
   onion: 4
   care: 4
   page: 4
   ve: 4
   mt: 4
   trade: 4
   tube: 4
   li: 4
   gt: 4
   company: 4
   edu: 3
   sa: 3
   rocks: 3
   gdn: 3
   pm: 3
   nf: 3
   systems: 3
   ps: 3
   men: 3
   gs: 3
   uz: 3
   news: 3
   al: 3
   loan: 3
   vu: 3
   shop: 2
   ke: 2
   bf: 2
   np: 2
   guide: 2
   tips: 2
   city: 2
   one: 2
   surf: 2
   md: 2
   ht: 2
   pn: 2
   ne: 2
   accountant: 2
   fit: 2
   rs: 2
   tn: 2
   buzz: 2
   science: 2
   group: 2
   agency: 2
   help: 2
   az: 2
   app: 2
   pub: 2
   hn: 2
   games: 2
   mn: 2
   blue: 2
   report: 1
   webcam: 1
   pink: 1
   vg: 1
   ec: 1
   pe: 1
   gift: 1
   ki: 1
   technology: 1
   ba: 1
   mk: 1
   cool: 1
   zw: 1
   as: 1
   plus: 1
   watch: 1
   localdomain: 1
   ma: 1
   cu: 1
   software: 1
   red: 1
   example: 1
   dev: 1
   bd: 1
   pa: 1
   nyc: 1
   rr: 1
   cheap: 1
   hr: 1
   wang: 1
   gold: 1
   zm: 1
   bo: 1
   so: 1
   lan: 1
   vc: 1
   dog: 1
   video: 1
   bw: 1
   do: 1
   ag: 1
   camp: 1
   jo: 1
   fm: 1
   uy: 1
   kg: 1
   photos: 1
   rw: 1
   works: 1
   ac: 1
   cricket: 1
   digital: 1
   team: 1
   guru: 1
   dz: 1
   ms: 1
----------------------------------------
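
The intersection and TLD-tally checks run above, as an added example in Python. This is not the ghosts tool or the StevenBlack/hosts build code; it reimplements the two operations (normalize two lists, intersect them, tally last labels) so the numbers printed above can be reproduced for any pair of lists. The two sample lists in the block are constructed for illustration and use reserved .test/.example names, not the real hosts file or the hastebin paste.

```python
"""Compare two blocklists the way the ghosts runs above do: count unique
domains, report the intersection, and tally TLDs.

This is an added example, not the ghosts tool or the StevenBlack/hosts
build code. The two lists below are constructed for illustration (reserved
.test/.example TLDs) and are not the real hosts file or the paste from the
issue.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Names every hosts file carries that are not blocklist content.
BOILERPLATE = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0",
}

# RFC 1123 label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _is_hostname(name: str) -> bool:
    # Require at least two labels: a bare single label is never a blockable
    # public domain (a choice made here, not a rule of the hosts format).
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(LABEL.match(label) for label in labels))


def parse_hosts(text: str) -> set[str]:
    """Normalized domain set from hosts-format lines or a bare domain list.

    Handles `0.0.0.0 example.com`, `::1 localhost`, and plain `example.com`
    lines; strips `#` comments, lowercases, drops a trailing dot, and skips
    loopback/boilerplate names and syntactically invalid entries.
    """
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # hosts format: first field is an address, the rest are hostnames
        names = fields[1:] if _is_ip(fields[0]) else fields
        for name in names:
            name = name.lower().rstrip(".")
            if name in BOILERPLATE or not _is_hostname(name):
                continue
            domains.add(name)
    return domains


def tld_tally(domains: set[str]) -> Counter:
    """Count the last label of each domain, which is what `ghosts -tld`
    prints. Caveat: this reports `uk` for a `co.uk` name; grouping by
    registrable suffix properly needs the Public Suffix List."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


def compare(base_text: str, other_text: str) -> dict:
    """Summarize two lists: sizes, sorted intersection, and the compared
    list's TLD tally."""
    base, other = parse_hosts(base_text), parse_hosts(other_text)
    return {
        "base": len(base),
        "other": len(other),
        "intersection": sorted(base & other),
        "other_tlds": tld_tally(other),
    }


# Constructed sample input (not real blocklist data).
BASE = """\
# constructed base hosts file
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 tracker.example-ads.test
0.0.0.0 rtb-seller.test
0.0.0.0 coolinc.example
0.0.0.0 cdn.stats.example.test  # trailing comment
"""

OTHER = """\
# constructed paste: one bare domain per line
RTB-SELLER.test
coolinc.example.
solicita.example
legfrissebb.example
example.co.uk
"""

if __name__ == "__main__":
    r = compare(BASE, OTHER)
    print(f"Base domains: {r['base']}")
    print(f"Compared domains: {r['other']}")
    print(f"Intersection: {len(r['intersection'])} -> {', '.join(r['intersection'])}")
    print("TLD tally:")
    for tld, n in r["other_tlds"].most_common():
        print(f"   {tld}: {n}")
```

The parser accepts both shapes seen in this thread (a hosts file with `0.0.0.0` prefixes and a bare one-domain-per-line paste), so a small intersection like the 10 above is a property of the lists and not of the formats. Entries such as `localdomain`, `lan` or `example` in the base tally are the kind of thing the hostname check is there to surface.
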
scafroglia93 commented 4 years ago

wp_the_internets_new_arms_dealers_malicious_domain_registrars.pdf

scafroglia93 commented 4 years ago

this is the whitepaper ;)

StevenBlack commented 4 years ago

Lorenzo @scafroglia93, anybody can register a domain, and most people can use almost any registrar they choose, subject to national TLD limitations.

The registrar brings nothing useful to a malicious actor. Except perhaps a lower cost of domain registration?

This doesn't pass a basic smell test. What am I missing?

scafroglia93 commented 4 years ago

Is it useless for you?

StevenBlack commented 4 years ago

@scafroglia93 I simply ask, how does this make any sense?

It just smells very fishy.

StevenBlack commented 4 years ago

@scafroglia93 "curation" means, asking questions. This isn't a domain dumpster.

StevenBlack commented 4 years ago

Dan @dnmTX, Nissar @funilrys, Anudeep @anudeepND, and others, what are your takes? What am I missing?

p1r473 commented 4 years ago

My bigger concern is how the list will be updated and maintained if it's just stored in a paste.

StevenBlack commented 4 years ago

@p1r473 that's a good take.

liamengland1 commented 4 years ago

Here are my thoughts:

only 10 domains overlapping. How does THAT happen?

these domains were used in malicious Chrome extensions. Since most exposure to malicious extensions is through advertising, I wouldn't expect many of these domains to appear in this list. I believe Malware Domain List is the only dedicated malware source in this list, and it's more than 5 months stale. IMO that's as good as useless, since new malware domains are being registered and deployed every day. See https://github.com/uBlockOrigin/uBlock-issues/issues/984

The registrar brings nothing useful to a malicious actor. Except perhaps a lower cost of domain registration?

I don't think the researchers fully understand what the registrar has to do with it, either. It's an interesting connection though.

dnmTX commented 4 years ago

I've read plenty of articles about malicious domains. All of them explained in depth what the domain(s) do, how, where they're found and so on. Here I'm reading "yeah, we made the connection but..." "we think but..." "Google already removed all" "all managed to bypass every security program and person (yeah, right)" "Israeli company in play (of course)" "here is 15,000 domains that we think they are but....." In conclusion: no proof, just empty words. Steve @StevenBlack, let me quote you here:

This isn't a domain dumpster

That's what this is.... (I mean that actual post/issue, not your list in general.) The difference between all of the curators here and @scafroglia93 is that all of them are using tools to catch the domains in real time, leaving notes where they're found, checking from time to time if they're still in play, and so on and so on. Only @scafroglia93 here keeps reading those articles and keeps on dumping numerous domains solely based on some "articles"; even though he was advised to create his own lists and start curating them properly, he refused.

Steve @StevenBlack, you asked for my take, well here it is. Nothing personal @scafroglia93, I guess it's time for you to change direction. Make your own list, curate it properly... get recognized by the community.

StevenBlack commented 4 years ago

Thanks Dan @dnmTX. Good take. A bit harsh perhaps, but I hear 'ya.

I think Lorenzo @scafroglia93 found a dangerous-looking list, took time to read and assess it, created a paste of domains, and raised a flag here. That's perfect. The paste was very helpful because I was able to use it as a direct input to ghosts, and that was very easy from that point forward.

Lorenzo @scafroglia93 Dan @dnmTX is solid. We're harsh on the list, not on you. It's all about assessing the source and the overall threat, and not about you personally. Right Dan?

I'd still like to know, how the heck does this get pinned on registrars? Is that legit, in any way? In Canada, when there's a problem domain, it's not the registrar who's on the hook. It's CIRA, the national authority for .ca domains. Is it similar with .com or .org or .info domains? The registrars do no vetting, no oversight, and bear no responsibility? Is that right?

dnmTX commented 4 years ago

A bit harsh perhaps

Yeah, sorry, but that stupid article got me fuming here. Apologies 😉

We're harsh on the list, not on you. It's all about assessing the source and the overall threat, and not about you personally. Right Dan?

@scafroglia93 again, nothing personal, but I'd much rather see you invest all that time and energy in your own list instead of posting domains from whatever you read on the internet.

StevenBlack commented 4 years ago

Closing.