[dns-operations] Bluecoat report on newer TLDs heavily used for botnet C&C, phishing, and spamming.

Fred Morris m3047 at m3047.net
Mon Sep 7 19:24:09 UTC 2015


To operationalize this...

On Monday 07 September 2015 05:52, Stephane Bortzmeyer wrote:
> On Thu, Sep 03, 2015 at 03:49:28PM -0300,
>  Rubens Kuhl <rubensk at nic.br> wrote
>  a message of 13 lines which said:
> 
> > > <https://www.bluecoat.com/documents/download/895c5d97-b024-409f-b678-d8faa38646ab>
> > 
> > Not that much useful, considering they made a gross mistake like not
> > differentiating .zip URIs from .zip domain names.
> 
> I thought you were trolling but no, they are indeed stupid enough to
> do that:
> 
> https://www.bluecoat.com/security-blog/2015-09-02/zip-urls-or-why-you-should-block-domains-tld-doesnt-have-any
> 

For those of you who may have missed the recent whistling past the 
graveyard^H^H^H^H^H^H^H^H errmmm... Windows trusting file shares issues or 
have never seen 
https://www.youtube.com/results?search_query=dns+may+be+hazardous+to+your+health 
I believe that they may be alluding to e.g. client-side software which is 
faced with the question:

"Ok, this is a reference. I'm supposed to fetch it. What kind of reference is 
it?"

and that they're seeing the FOD of attempts to find e.g. my-presentation.zip 
which were meant to refer to a file of the same name, present or otherwise. 
If this is the case, then other TLDs which collide with file extensions could 
see the same traffic.

"Shady" is a bit of a head scratcher, although if there are (malware) DGA 
algorithms which are already generating domains under a TLD which has almost 
none, then seeing those on your own network would also be useful counter 
intelligence.

--

Fred Morris
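An added example, not part of the thread, of the defender-side "counter intelligence" Fred describes: a check over DNS query logs that flags lookups whose rightmost label is a TLD colliding with a common file extension and whose shape looks more like a filename than a hostname. The log lines are constructed, the log format is dnsmasq-like, and the TLD set beyond .zip and the filename heuristics are my assumptions.

```python
import re
from collections import Counter

# TLDs that double as common file extensions. The thread only names .zip;
# the others are assumptions added to show the same class of collision.
EXT_LIKE_TLDS = {"zip", "mov", "sh", "pl", "py", "rs", "md"}

# Constructed DNS query log lines in a dnsmasq-like "query[TYPE] name from client" format.
SAMPLE_LOG = """\
Sep  7 19:24:09 dnsmasq[1234]: query[A] my-presentation.zip from 192.0.2.10
Sep  7 19:24:10 dnsmasq[1234]: query[A] www.example.com from 192.0.2.10
Sep  7 19:24:11 dnsmasq[1234]: query[AAAA] backup_2015-09-07.zip from 192.0.2.11
Sep  7 19:24:12 dnsmasq[1234]: query[A] www.archive.zip from 192.0.2.12
Sep  7 19:24:13 dnsmasq[1234]: query[A] install.sh from 192.0.2.10
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def looks_like_filename(qname):
    """Heuristic (assumption): a bare 'name.ext' with no subdomain labels, or a
    label containing an underscore (legal in filenames, not in hostnames), is
    more likely a file reference that a client resolved as a host."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[-1] not in EXT_LIKE_TLDS:
        return False
    if len(labels) == 2:  # e.g. my-presentation.zip: no host/subdomain part
        return True
    return any("_" in lbl for lbl in labels)


def find_leaked_file_lookups(log_text):
    """Return (qname, client) pairs for queries that look like leaked file names."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and looks_like_filename(m.group("qname")):
            hits.append((m.group("qname"), m.group("client")))
    return hits


def clients_by_volume(hits):
    """Count flagged lookups per client; a noisy client points at the software doing it."""
    return Counter(client for _, client in hits)


if __name__ == "__main__":
    for qname, client in find_leaked_file_lookups(SAMPLE_LOG):
        print(f"{client} looked up {qname}")
```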