@inproceedings{4f5c764dc55843c2a877e75279c2f2b6,
title = "Domain-Z: 28 Registrations Later: Measuring the Exploitation of Residual Trust in Domains",
abstract = "Any individual that re-registers an expired domain implicitly inherits the residual trust associated with the domain's prior use. We find that adversaries can, and do, use malicious re-registration to exploit domain ownership changes - undermining the security of both users and systems. In fact, we find that many seemingly disparate security problems share a root cause in residual domain trust abuse. With this study we shed light on the seemingly unnoticed problem of residual domain trust by measuring the scope and growth of this abuse over the past six years. During this time, we identified 27,758 domains from public blacklists and 238,279 domains resolved by malware that expired and then were maliciously re-registered. To help address this problem, we propose a technical remedy and discuss several policy remedies. For the former, we develop Alembic, a lightweight algorithm that uses only passive observations from the Domain Name System (DNS) to flag potential domain ownership changes. We identify several instances of residual trust abuse using this algorithm, including an expired APT domain that could be used to revive existing infections.",
author = "Chaz Lever and Robert Walls and Yacin Nadji and David Dagon and Patrick McDaniel and Manos Antonakakis",
note = "Publisher Copyright: {\textcopyright} 2016 IEEE.; 2016 IEEE Symposium on Security and Privacy, SP 2016 ; Conference date: 23-05-2016 Through 25-05-2016",
year = "2016",
month = aug,
day = "16",
doi = "10.1109/SP.2016.47",
language = "English (US)",
series = "Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "691--706",
booktitle = "Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016",
address = "United States",
}