Date posted: 26-May-2015 | Uploaded by: nicknikiforakis
Bitsquatting: Exploiting Bit-Flips for Fun, or Profit?
Nick Nikiforakis, Steven Van Acker, Wannes Meert, Lieven Desmet, Frank Piessens, Wouter Joosen
WWW 2013
Humble beginnings
• There was a time when the Internet wasn't yet a big thing
  o Some sites existed, and people were starting to register domain names
  o But many were skeptical
• Some, however, were registering domains by the dozens
  o Speculators
    • wine.com
    • cheapairlinetickets.com
    • traveltobrazil.com
Cybersquatters
• In 1994, 2/3 of the Fortune 500 companies had not registered the domains corresponding to their trademarks [13]
  o E.g. mcdonalds.com
• Some of the speculators decided to push it a bit further by registering such domains, hoping for profit
  o This practice was named "cybersquatting"
• In some cases, cybersquatters speculated on the names of future products and services:
  o iphone6.com
  o WWW2012.ORG
  o WWW2013.ORG
  o WWW2016.ORG
Cybersquatting evolves
• Typosquatting
  o Keyboard users, even experienced ones, make mistakes while typing
  o Registration of mistypes of popular domains
    • foogle.com, ffacebook.com, twitte.com
• Homograph domains
  o Registration of domains that look like popular domains
    • tvvitter.com, paypa1.com, ⅿicrosoft.com (the first character of the last one is a Unicode look-alike of the ASCII letter "m")
  o Higher chances of maliciousness
    • Users arrive at these domains by clicking on malicious links, not by mistyping
I heard some bits need help…
• Dinaburg, in 2011, suggested that random bit-flips could happen in the memory of hardware that is storing a domain name
  example.com
  01100101 01111000 01100001 …   ("e" "x" "a")
  01100101 01111001 01100001 …   ("e" "y" "a")
  eyample.com
  o A single flip of the least significant bit turns "x" (0x78) into "y" (0x79), so a request meant for example.com is sent to eyample.com instead
Bitsquatting
• To test his theory, Dinaburg registered 30 bitsquatting domains targeting popular domains
  o E.g. mic2osoft.com and fbbdn.com
• In 8 months, he received:
  o 52,317 requests from 12,949 unique IP addresses
  o Requests were:
    • From all over the world
    • From all popular OSs and browsers
    • Some clearly not user-initiated, like "Windows Updates"
Our question…
• Given the crowded typosquatting field, were cybersquatters convinced by Dinaburg's attack?
  o i.e., did they start registering bitsquatting domains?
• Bitsquatting-domain generator and crawler
  o Investigated all possible bitsquatting domains daily, for nine months
  o Recorded HTML, inline JavaScript, redirections and destination IP addresses
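As an added example (this is not the authors' generator, whose code is not on the slides), the following Python enumerates the bitsquatting neighbours of a domain: every name that differs from it by one flipped bit in one byte of its second-level label. The assumptions are this example's own: the input is given as label.tld, only the second-level label is mutated, candidates that leave the letters-digits-hyphen alphabet are dropped, and case-only flips are discarded because DNS names are case-insensitive.

```python
# Added example, not the authors' generator: enumerate the bitsquatting
# neighbours of a registrable domain, i.e. every name that differs from it
# by a single flipped bit in one byte of its second-level label.
import string

# LDH rule: a DNS label may contain letters, digits and hyphen. A flipped
# byte that leaves this set (control character, punctuation, byte >= 0x80)
# yields a name nobody can register, so it is discarded.
LDH = set(string.ascii_lowercase + string.digits + "-")


def flip_bit(ch: str, bit: int) -> str:
    """Return ch with bit number `bit` (0 = least significant) of its byte inverted."""
    return chr(ord(ch) ^ (1 << bit))


def ldh_neighbours(ch: str) -> set:
    """Registrable single-bit variants of one character.
    Bit 5 of a letter only changes its case; DNS is case-insensitive, so that
    flip maps back onto the same name and is dropped."""
    out = set()
    for bit in range(8):
        new = flip_bit(ch, bit).lower()
        if new in LDH and new != ch:
            out.add(new)
    return out


def bitsquat_candidates(domain: str) -> set:
    """All LDH-valid domains one bit away from `domain` (given as label.tld).
    Assumptions of this example, not stated on the slides: only the
    second-level label is mutated (a flip in the TLD or in the dot gives a
    name that cannot be registered under the same suffix), and a label may
    not begin or end with a hyphen."""
    label, _, suffix = domain.lower().partition(".")
    candidates = set()
    for pos, ch in enumerate(label):
        for new in ldh_neighbours(ch):
            cand = label[:pos] + new + label[pos + 1:]
            if cand[0] == "-" or cand[-1] == "-":
                continue
            candidates.add(cand + "." + suffix)
    return candidates


if __name__ == "__main__":
    for target in ("example.com", "microsoft.com", "fbcdn.com"):
        cands = bitsquat_candidates(target)
        print(f"{target}: {len(cands)} candidates, e.g. {sorted(cands)[:5]}")
```

Run against the domains named on these slides, the output contains eyample.com, mic2osoft.com and fbbdn.com, so the examples on the deck are all single-bit neighbours under these rules; a crawler like the one described would resolve and fetch each candidate daily.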
Results
• In 9 months, we discovered:
  o 5,366 different bitsquatting domains
  o Targeting 491 of the 500 Alexa domains
Bitsquatting vs. typosquatting
[chart comparing typosquatting and bitsquatting; only the value 71.8% survives from the figure]
How are bitsquatting domains used?
• How does one explore 5,366 domains, with possibly 9 months' worth of data for each domain?
  o Bitsquatting, typosquatting and cybersquatting are all branches of the same tree
• Prior research has shown that most "whitehat" cybersquatters use one of the following monetization techniques:
  o Parking pages
  o Affiliate abuse
Detecting parkers
• Used the hosts identified as large parking agencies by Wang et al. [17], together with a simple extra heuristic
  o If any of these hosts appeared anywhere in the gathered pages (HTML, JavaScript, redirections), the page was flagged as parked
  o 2,782 domains were flagged as parked (51.8%)
• Domain-parking agencies are the biggest facilitators of cybersquatters
Detecting affiliate abuse
• Abusers of affiliate programs earn product commissions with the help of unsuspecting users
  o constintcontact.com -> constantcontact.com?pn=aff123
• 311 (5.7%) of the domains redirected the user back to the correct authoritative site
  o 211 belonged to the same company
  o 58 were abusing affiliate programs
  o 42 were unclassified
Bitsquatting experiments
• Hypothesis: Dinaburg's idea sounds improbable, thus there must be people trying to recreate it
• We searched each bitsquatting page for keywords that would give away the experiment
  o bitsquatting, squatting, experiment
• 61 of the 5,366 domains were classified as experiments
  o E.g. iozilla.org and wozdpress.com
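The three automated checks on the preceding slides (parking hosts in the gathered content, redirection back to the authoritative site with or without affiliate parameters, and experiment keywords) applied to constructed crawl records, as an added example that is not the authors' crawler code. The parking-host list is a placeholder standing in for the Wang et al. [17] list, which the slides do not reproduce; the crawl records are made up; and treating query parameters on the final redirect hop as an affiliate referral, as well as the order in which the checks run, are this example's assumptions.

```python
# Added example, not the authors' crawler code: the automated classification
# heuristics from the slides (parked, redirect-to-target / affiliate,
# experiment) applied to constructed crawl records.
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Placeholder hosts standing in for the parking agencies of Wang et al. [17];
# the real list is not reproduced on the slides.
PARKING_HOSTS = {"parkingcrew.example", "sedoparking.example"}

# Keywords the slides say give away a bitsquatting experiment page.
EXPERIMENT_KEYWORDS = ("bitsquatting", "squatting", "experiment")


def registrable(host: str) -> str:
    """Last two labels of a host (assumption: adequate for the .com/.org
    targets used here; a public-suffix list would be needed in general)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(record: dict, target: str) -> str:
    """record = {"html": str, "scripts": [inline JS], "redirects": [URLs in order]}
    target  = the legitimate domain the bitsquatting domain imitates."""
    gathered = [record["html"], *record["scripts"], *record["redirects"]]
    blob = "\n".join(gathered).lower()

    # Heuristic 1 (slides): a known parking host anywhere in the HTML,
    # JavaScript or redirection chain marks the page as parked.
    if any(h in blob for h in PARKING_HOSTS):
        return "parked"

    # Heuristic 2 (slides): the redirection chain ends at the authoritative site.
    if record["redirects"]:
        final = urlsplit(record["redirects"][-1])
        if registrable(final.hostname or "") == registrable(target):
            # Assumption of this example: parameters on the final hop (the
            # slides' pn=aff123 case) indicate an affiliate referral.
            if parse_qs(final.query):
                return "redirect-affiliate"
            return "redirect-to-target"

    # Heuristic 3 (slides): keywords that give away an experiment page.
    if any(k in blob for k in EXPERIMENT_KEYWORDS):
        return "experiment"

    return "unclassified"


# Constructed crawl records (not real data) for four bitsquatting domains,
# keyed by domain, with the imitated target and the gathered content.
CRAWL = {
    "eyample.com": ("example.com", {
        "html": '<html><body><script src="//js.parkingcrew.example/park.js"></script></body></html>',
        "scripts": [], "redirects": []}),
    "constintcontact.com": ("constantcontact.com", {
        "html": "", "scripts": [],
        "redirects": ["http://constantcontact.com/?pn=aff123"]}),
    "mic2osoft.com": ("microsoft.com", {
        "html": "", "scripts": [],
        "redirects": ["https://www.microsoft.com/"]}),
    "iozilla.org": ("mozilla.org", {
        "html": "<p>This host is part of a bitsquatting experiment.</p>",
        "scripts": [], "redirects": []}),
}


def classify_all(crawl: dict) -> dict:
    """Map each crawled domain to its class."""
    return {dom: classify(rec, target) for dom, (target, rec) in crawl.items()}


def tally(crawl: dict) -> Counter:
    """Per-class counts, the raw material for the percentages on the slides."""
    return Counter(classify_all(crawl).values())


if __name__ == "__main__":
    for dom, cls in classify_all(CRAWL).items():
        print(f"{dom:22} {cls}")
    print(tally(CRAWL))
```

Anything that falls through to "unclassified" is what the manual 10% sample on the next slide is for; note that the parking check deliberately looks at the redirection chain as well, so a squatted domain that merely bounces to a parking host is counted as parked rather than as a redirect.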
Need for further classification
• Using our automated methods, we were able to classify more than half of all the bitsquatting pages
• To estimate the classes of the rest, we chose a 10% random sample, which we analyzed manually
  o Checked the page source, WHOIS records and databases of malicious sites
Results
Category              Percentage
Legitimately owned         40.0%
Parked                     15.4%
Redirect                   15.0%
For sale                   10.0%
Non-syndicated ads          6.8%
Other                       6.8%
Malware                     3.2%
Empty                       2.7%
Overall:
More than 73% of the discovered bitsquatting domains were exploited for profit
Huffingtonpost.com Case Study
Defenses
• Hardware based
  o Global use of ECC memory
• Software based
  o Sanity checks by software to detect unexpected modifications
  o DNSSEC
• Damage control
  o Companies register these domains before attackers do
• Incentive removal
  o Thousands of cybersquatters flock around tens of domain-parking agencies
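One form the software-based sanity check and the damage-control monitoring can take, as an added example that is not from the paper: a check that flags a queried hostname lying exactly one bit away from a protected domain, so that an operator can spot traffic leaking to bitsquatting neighbours (or a resolver can refuse to follow it). The watch list, the log format and the "last two labels" notion of a registrable domain are this example's assumptions; the log lines are constructed.

```python
# Added example, not from the paper: a watch-list check that flags queried
# hostnames lying exactly one bit away from a protected domain.

# Domains an operator wants to watch for bit-flip neighbours (constructed).
WATCHLIST = {"example.com", "microsoft.com", "google.com", "twitter.com", "paypal.com"}


def registrable(host: str) -> str:
    """Last two labels (assumption: enough for the .com names used here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def one_bit_apart(a: str, b: str):
    """If the ASCII encodings of a and b differ in exactly one bit of exactly
    one byte, return (byte_index, bit_index); otherwise None.
    Unlike enumerating every flip of every watched name, this is a single
    pass over the two strings per pair."""
    if len(a) != len(b):
        return None
    xa, xb = a.encode("ascii", "replace"), b.encode("ascii", "replace")
    diffs = [(i, x ^ y) for i, (x, y) in enumerate(zip(xa, xb)) if x != y]
    if len(diffs) != 1:
        return None
    i, x = diffs[0]
    if x & (x - 1):          # more than one bit set in this byte: not a single flip
        return None
    return i, x.bit_length() - 1


def parse_query(line: str):
    """Constructed log format: '<timestamp> <client> query <qname> <qtype>'."""
    parts = line.split()
    if len(parts) >= 5 and parts[2] == "query":
        return parts[3].rstrip(".").lower()
    return None


def scan(lines, watchlist):
    """Return (qname, watched_domain, byte_index, bit_index) for each query
    whose registrable domain is one bit away from a watched domain."""
    findings = []
    for line in lines:
        qname = parse_query(line)
        if qname is None:
            continue
        dom = registrable(qname)
        if dom in watchlist:
            continue                       # exact hit on a protected name: fine
        for watched in sorted(watchlist):
            hit = one_bit_apart(dom, watched)
            if hit is not None:
                findings.append((qname, watched, hit[0], hit[1]))
    return findings


# Constructed query log (not real traffic).
LOG = [
    "2015-05-26T10:00:01Z 10.0.0.5 query www.example.com A",
    "2015-05-26T10:00:02Z 10.0.0.5 query eyample.com A",
    "2015-05-26T10:00:03Z 10.0.0.9 query download.mic2osoft.com A",
    "2015-05-26T10:00:04Z 10.0.0.9 query foogle.com A",
    "2015-05-26T10:00:05Z 10.0.0.7 query twitte.com A",
    "2015-05-26T10:00:06Z 10.0.0.7 query paypa1.com A",
    "2015-05-26T10:00:07Z 10.0.0.7 query tvvitter.com A",
]

if __name__ == "__main__":
    for qname, watched, byte, bit in scan(LOG, WATCHLIST):
        print(f"{qname}: bit {bit} of byte {byte} of {watched} flipped")
```

Two caveats a practitioner should keep in mind. First, the check cannot tell a hardware bit-flip from a typo or a deliberate visit: foogle.com is flagged because "f" and "g" differ in one bit, exactly as a typosquatting name would be. Second, homograph and length-changing variants such as paypa1.com, twitte.com and tvvitter.com are not flagged, because they are not single-bit neighbours; this is a bitsquatting check, not a general squatting detector.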
Conclusion
• As the web expands, domain names can only become more popular
• Bitsquatting is a new type of domain squatting, relying on hardware failures rather than user mistakes
• The verdict is still out on the magnitude of the bitsquatting problem and the practicality of the attack
• Cybersquatters, however, are already using it in exactly the same way as other types of domain squatting