Closed scafroglia93 closed 4 years ago
Thanks Lorenzo @scafroglia93.
Using ghosts, there are 15,212 unique domains, with just 10 duplicates with our base list.
$ ./ghosts -c https://hastebin.com/raw/ilosayuxiv
----------------------------------------
Base hosts file summary:
----------------------------------------
Location: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Domains: 57,322
Bytes: 1.8 MB
----------------------------------------
----------------------------------------
Compared hosts file summary:
----------------------------------------
Location: https://hastebin.com/raw/ilosayuxiv
Domains: 15,212
Bytes: 267 kB
----------------------------------------
Intersection: 10 domains
Using ghost -intersection yields the 10 domains in the intersection.
angelsinuniform.comv
nauthorne.info
carmuffler.net
coolinc.info
evertherenous.info
legfrissebb.info
rtb-seller.com
sedatorslegallock.info
solicita.info
yie4zooseif.info
My initial thought: why is the intersection so small?
My next thought is, why would the domain registrar matter, at all? This doesn't make sense to me.
What am I missing?
What's the TLD distribution in the list?
$ ./ghosts -m https://hastebin.com/raw/ilosayuxiv -tld
----------------------------------------
Base hosts file summary:
----------------------------------------
Location: https://hastebin.com/raw/ilosayuxiv
Domains: 15,212
Bytes: 267 kB
TLD tally:
com: 6,421
info: 4,807
org: 2,987
net: 694
il: 296
xn--9dbq2a: 3
mobi: 2
top: 2
----------------------------------------
How is this real data?
Let's compare with our base list:
$ ./ghosts -tld
----------------------------------------
Base hosts file summary:
----------------------------------------
Location: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Domains: 57,322
Bytes: 1.8 MB
TLD tally:
com: 31,686
net: 6,828
pl: 5,852
info: 868
jp: 816
vn: 814
org: 760
ru: 758
eu: 591
de: 563
live: 429
io: 393
nl: 380
uk: 377
cn: 349
fr: 273
xyz: 265
co: 264
biz: 215
us: 206
in: 196
at: 195
tv: 175
tk: 171
online: 151
mobi: 140
it: 137
site: 127
ca: 109
club: 108
me: 105
br: 105
cz: 103
top: 98
name: 97
ro: 93
pro: 86
be: 83
cc: 77
pw: 71
es: 65
hu: 65
ua: 63
kr: 62
icu: 61
ch: 52
za: 52
asia: 50
ml: 48
au: 46
space: 44
tr: 41
se: 41
to: 36
dk: 36
bid: 35
win: 35
pt: 34
su: 34
cl: 34
ws: 33
website: 32
link: 30
ir: 30
life: 28
services: 28
ga: 28
tech: 26
il: 26
click: 24
no: 22
pk: 21
ar: 20
gq: 20
bg: 19
cf: 19
kz: 19
gr: 19
fun: 19
by: 18
best: 18
mx: 18
host: 17
my: 17
cm: 16
nz: 16
sk: 15
fi: 15
pet: 15
id: 14
network: 14
im: 14
sg: 14
today: 14
th: 13
download: 13
st: 13
la: 13
nu: 13
ly: 12
stream: 12
world: 12
tt: 11
review: 11
date: 10
tw: 10
sh: 10
cloud: 10
bz: 10
si: 9
lv: 9
lt: 9
vip: 9
hk: 9
ug: 9
ad: 9
cx: 9
work: 8
gg: 8
ge: 8
lu: 8
press: 7
media: 7
ovh: 7
ai: 7
ee: 6
gov: 6
tools: 6
ie: 6
am: 5
xn--p1ai: 5
ph: 5
tl: 5
store: 5
email: 5
re: 5
ae: 5
is: 4
ng: 4
onion: 4
care: 4
page: 4
ve: 4
mt: 4
trade: 4
tube: 4
li: 4
gt: 4
company: 4
edu: 3
sa: 3
rocks: 3
gdn: 3
pm: 3
nf: 3
systems: 3
ps: 3
men: 3
gs: 3
uz: 3
news: 3
al: 3
loan: 3
vu: 3
shop: 2
ke: 2
bf: 2
np: 2
guide: 2
tips: 2
city: 2
one: 2
surf: 2
md: 2
ht: 2
pn: 2
ne: 2
accountant: 2
fit: 2
rs: 2
tn: 2
buzz: 2
science: 2
group: 2
agency: 2
help: 2
az: 2
app: 2
pub: 2
hn: 2
games: 2
mn: 2
blue: 2
report: 1
webcam: 1
pink: 1
vg: 1
ec: 1
pe: 1
gift: 1
ki: 1
technology: 1
ba: 1
mk: 1
cool: 1
zw: 1
as: 1
plus: 1
watch: 1
localdomain: 1
ma: 1
cu: 1
software: 1
red: 1
example: 1
dev: 1
bd: 1
pa: 1
nyc: 1
rr: 1
cheap: 1
hr: 1
wang: 1
gold: 1
zm: 1
bo: 1
so: 1
lan: 1
vc: 1
dog: 1
video: 1
bw: 1
do: 1
ag: 1
camp: 1
jo: 1
fm: 1
uy: 1
kg: 1
photos: 1
rw: 1
works: 1
ac: 1
cricket: 1
digital: 1
team: 1
guru: 1
dz: 1
ms: 1
----------------------------------------
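To show what the ghosts numbers above rest on, here is an added example (not ghosts' own code and not part of this thread) that parses two hosts files, deduplicates the entries, computes the intersection and tallies domains by their last label the way the TLD tally output does (so a .co.il domain counts under "il" and punycode labels stay as-is); the two inline hosts files are constructed samples, not the real lists.

```python
import re
from collections import Counter

# Constructed sample hosts files standing in for the base list and the
# pasted list compared in the thread; the domains are illustrative only.
BASE_HOSTS = """\
# Title: base hosts file (constructed sample)
127.0.0.1 localhost
0.0.0.0 tracker.example.com  # inline comment
0.0.0.0 ads.example.net
0.0.0.0 rtb-seller.com
0.0.0.0 shop.example.co.il
0.0.0.0 tracker.example.com
"""

COMPARED_HOSTS = """\
0.0.0.0 rtb-seller.com
0.0.0.0 coolinc.info
0.0.0.0 legfrissebb.info
0.0.0.0 xn--example.xn--9dbq2a
"""

# A blocking entry: a sinkhole address followed by one hostname; a trailing
# "# comment" is ignored because '#' is excluded from the hostname class.
HOST_LINE = re.compile(r"^\s*(?:0\.0\.0\.0|127\.0\.0\.1|::1)\s+([^\s#]+)")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}

def parse_hosts(text: str) -> set[str]:
    """Return the unique, lower-cased domains in a hosts file, skipping
    comments, blank lines and the standard local entries."""
    domains = set()
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            name = m.group(1).lower()
            if name not in LOCAL_NAMES:
                domains.add(name)
    return domains

def intersection(base: set[str], compared: set[str]) -> list[str]:
    """Domains present in both lists, sorted (what `ghosts -intersection` prints)."""
    return sorted(base & compared)

def tld_tally(domains: set[str]) -> Counter:
    """Count domains by last label, as the tally above does: 'shop.example.co.il'
    is counted under 'il', and an xn-- label is reported unchanged."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)
```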
this is the whitepaper ;)
Lorenzo @scafroglia93 anybody can register a domain, and most people can use almost any registrar they choose, subject to national TLD limitations.
The registrar brings nothing useful to a malicious actor. Except perhaps a lower cost of domain registration?
This doesn't pass a basic smell test. What am I missing?
It's useless for you?
@scafroglia93 I simply ask, how does this make any sense? .il domains (~2%)? It just smells very fishy.
@scafroglia93 "curation" means, asking questions. This isn't a domain dumpster.
Dan @dnmTX, Nissar @funilrys, Anudeep @anudeepND, and others, what are your takes? What am I missing?
My bigger concern is how the list will be updated and maintained if it's just stored in a paste.
@p1r473 that's a good take.
Here are my thoughts:
only 10 domains overlapping. How does THAT happen?
these domains were used in malicious chrome extensions. Since most exposure to malicious extensions is through advertising, I wouldn't expect many of these domains to appear in this list. I believe malware domain list is the only dedicated malware source in this list, and it's more than 5 months stale. IMO that's as good as useless, since new malware domains are being registered and deployed every day. See https://github.com/uBlockOrigin/uBlock-issues/issues/984
The registrar brings nothing useful to a malicious actor. Except perhaps a lower cost of domain registration?
I don't think the researchers fully understand what the registrar has to do with it, either. It's an interesting connection though.
I've read plenty of articles about malicious domains. All of them explained in depth what the domain(s) do, how, where they're found and so on. Here I'm reading "yeah, we made the connection but..." "we think but..." "google already removed all" "all managed to bypass every security program and person (yeah, right)" "Israeli company in play (of course)" "here is 15.000 domains that we think they are but....." In conclusion: No proof, just empty words. Steve @StevenBlack let me quote you here:
This isn't a domain dumpster
That's what this is.... (i mean, that actual post/issue, not your list in general) The difference between all of the curators here and @scafroglia93 is that all of them are using tools to catch the domains in real time, leaving notes where they're found, checking time to time if they're still in play and so on and so on. Only @scafroglia93 here keeps reading them articles and keeps on dumping numerous domains solely based on some "articles", even though he was advised to create his own lists and start curating it properly, he refused.
Steve @StevenBlack you asked for my take, well here it is. Nothing personal @scafroglia93, i guess it's time for you to change direction. Make your own list, curate it properly... get recognized by the community.
Thanks Dan @dnmTX. Good take. A bit harsh perhaps, but I hear 'ya.
I think Lorenzo @scafroglia93 found a dangerous-looking list, took time to read and assess it, created a paste of domains, and raised a flag here. That's perfect. The paste was very helpful because I was able to use it as a direct input to ghosts and that was very easy from that point forward.
Lorenzo @scafroglia93 Dan @dnmTX is solid. We're harsh on the list, not on you. It's all about assessing the source and the overall threat, and not about you personally. Right Dan?
I'd still like to know, how the heck does this get pinned on registrars? Is that legit, in any way? In Canada, when there's a problem domain, it's not the registrar who's on the hook. It's CIRA, the national authority for .ca domains. Is it similar with .com or .org or .info domains? The registrars do no vetting, no oversight, and bear no responsibility? Is that right?
A bit harsh perhaps
Yeah, sorry, but that stupid article got me fuming here. Apologies 😉
We're harsh on the list, not on you. It's all about assessing the source and the overall threat, and not about you personally. Right Dan?
@scafroglia93 again, nothing personal but I'd much rather see you invest all that time and energy in your own list instead of posting domains from whatever you read on the internet.
Closing.
Source -> https://awakesecurity.com/blog/the-internets-new-arms-dealers-malicious-domain-registrars/
hastebin -> (it's made by me) https://hastebin.com/ilosayuxiv.css