[dns-operations] Bluecoat report on newer TLDs heavily used for botnet C&C, phishing, and spamming.
Fred Morris
m3047 at m3047.net
Mon Sep 7 19:24:09 UTC 2015
To operationalize this...
On Monday 07 September 2015 05:52, Stephane Bortzmeyer wrote:
> On Thu, Sep 03, 2015 at 03:49:28PM -0300,
> Rubens Kuhl <rubensk at nic.br> wrote
> a message of 13 lines which said:
>
> > > <https://www.bluecoat.com/documents/download/895c5d97-b024-409f-b678-d8faa38646ab>
> >
> > Not that much useful, considering they made a gross mistake like not
> > differentiating .zip URIs from .zip domain names.
>
> I thought you were trolling but no, they are indeed stupid enough to
> do that:
>
> https://www.bluecoat.com/security-blog/2015-09-02/zip-urls-or-why-you-should-block-domains-tld-doesnt-have-any
>
For those of you who may have missed the recent whistling past the
graveyard^H^H^H^H^H^H^H^H errmmm... Windows trusting file shares issues or
have never seen
https://www.youtube.com/results?search_query=dns+may+be+hazardous+to+your+health
I believe that they may be alluding to e.g. client-side software which is
faced with the question:
"Ok, this is a reference. I'm supposed to fetch it. What kind of reference is
it?"
and that they're seeing the FOD of attempts to find e.g. my-presentation.zip
which were meant to refer to a file of the same name, present or otherwise.
If this is the case, then other TLDs which collide with file extensions could
see the same traffic.
"Shady" is a bit of a head scratcher, although if there are (malware) DGA
algorithms which are already generating domains under a TLD which has almost
none, then seeing those on your own network would also be useful
counterintelligence.
--
Fred Morris
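An added example, not from this thread and not Bluecoat's or any project's code: a small Python checker that reads query-log lines, flags names under TLDs that coincide with file extensions when they look like a misparsed file reference (a bare "stem.ext" with no subdomain, or characters that are legal in a file name but not in a hostname label), and tallies queries per TLD so that traffic under an otherwise near-empty TLD stands out, in the spirit of the counterintelligence point above. The log line format, the client addresses, the sample names and the EXTENSION_TLDS set are all assumptions made for this example.

```python
"""Flag DNS queries that look like file references mistaken for hostnames.

Added example for the dns-operations thread above; the log format and all
sample data below are constructed, not taken from any real resolver.
"""
import re
from collections import Counter

# Assumption: TLDs that coincide with common file extensions. ".zip" is the
# one discussed in the thread; ".mov" is included as a second illustration.
EXTENSION_TLDS = {"zip", "mov"}

# Constructed, loosely BIND-style query log line. Real logs vary; adjust.
LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+.*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Anything outside letters, digits, dot and hyphen is not a valid hostname
# character but is perfectly normal in a file name (underscore, space, ...).
NON_HOSTNAME_CHARS = re.compile(r"[^a-z0-9.-]")


def parse_query_log(lines):
    """Yield (client, qname, qtype) for each line matching LOG_RE."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            qname = m.group("qname").rstrip(".").lower()
            yield m.group("client"), qname, m.group("qtype")


def tld_of(qname):
    """Right-most label of a fully-qualified name."""
    return qname.rsplit(".", 1)[-1]


def classify(qname):
    """Return a reason if qname looks like a misparsed file reference under
    an extension-colliding TLD, or None if it looks like an ordinary domain."""
    labels = qname.split(".")
    if len(labels) < 2 or labels[-1] not in EXTENSION_TLDS:
        return None
    if NON_HOSTNAME_CHARS.search(qname):
        return "contains characters not valid in a hostname"
    if len(labels) == 2:
        # "my-presentation.zip" style: a stem plus extension and nothing
        # else, which is what a bare file name looks like to a resolver.
        return "bare stem.ext name under extension-like TLD"
    # www.example.zip and the like are more plausibly real domains;
    # they still count towards the per-TLD tally.
    return None


def report(lines):
    """Build a summary: flagged queries plus a per-TLD query count."""
    per_tld = Counter()
    flagged = []
    for client, qname, qtype in parse_query_log(lines):
        per_tld[tld_of(qname)] += 1
        reason = classify(qname)
        if reason:
            flagged.append((client, qname, reason))
    return {"flagged": flagged, "per_tld": per_tld}


# Constructed sample log; addresses are from the documentation range.
SAMPLE_LOG = [
    "07-Sep-2015 19:24:09.101 client 192.0.2.10#51234 (my-presentation.zip): "
    "query: my-presentation.zip IN A + (192.0.2.1)",
    "07-Sep-2015 19:24:10.220 client 192.0.2.11#40001 (Q3_report.zip): "
    "query: Q3_report.zip IN A + (192.0.2.1)",
    "07-Sep-2015 19:24:11.005 client 192.0.2.12#40002 (www.example.zip): "
    "query: www.example.zip IN A + (192.0.2.1)",
    "07-Sep-2015 19:24:12.317 client 192.0.2.13#40003 (www.example.com): "
    "query: www.example.com IN A + (192.0.2.1)",
    "07-Sep-2015 19:24:13.442 client 192.0.2.10#51235 (trailer.mov): "
    "query: trailer.mov IN AAAA + (192.0.2.1)",
]

if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    for client, qname, reason in result["flagged"]:
        print(f"{client}\t{qname}\t{reason}")
    print("queries per TLD:", dict(result["per_tld"]))
```

Run it on a real query log by replacing SAMPLE_LOG with the file's lines and LOG_RE with a pattern matching that resolver's format; the per-TLD counter is the part worth keeping an eye on for TLDs that should see almost no traffic from your network.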