Home Code Snippets Oracle Reference Oracle Functions Oracle Error Codes Forum Oracle Jobs Oracle Blogs

The Newest Hacking Threat: Rogue Subdomains

It seems that in their never-ending quest to find new ways to avoid detection, hackers have have ramped up the use of an exploit technique that has, up to now, not been widely used. The technique involves modifying a (compromised) site's DNS settings to use add "hidden" subdomains that serve up malware, either directly or by redirecting the browser to a dedicated malware server.

So, if your site is "http://mydomain.com", the hackers set up a bunch of subdomains like, "http://malware.mydomain.com", "http://pills.mydomain.com", "http://yZx52.mydomain.com", and so on. (The subdomain names themselves don't matter, what matters is that they're active and you're not aware of them.)

In many cases site owners and/or administrators are completely unaware that anything has changed- unless you're paying close attention and looking for new subdomains that have been created, you may miss or overlook them entirely. After all, how many administrators regularly check their DNS records after they've set up the initial domain? Almost none, that's how many.

Hackers like this technique for several reasons, not the least of which is the difficulty in detection by the site owners or administrators. Another reason  they like it is because it gives them an almost infinite source of free domain names for their attack, malware, and phishing sites.

If the hackers have access to the DNS settings (and they will, if they've compromised your server) they can create an unlimited number of sub-domains on demand that they can then point to wherever they want. They can add, delete, and rename the subdomains as often as they want. And it costs them nothing, not a dime.

It looks like this may become very popular with hackers, at least until the security community develops a response to it. One likely remedy will be automated DNS-scanning and auditing tools that are run on the server periodically (daily or hourly, perhaps). Another response might be the addition of notifications that are generated anytime a subdomain is added, deleted, or altered.

In the meantime, the Unmask Parasites website has some good ways to try and detect rogue subdomains on your server. They're a bit laborious to use, but worth the time to run against your site(s) to see if there's anything hiding there.

This entry was posted in General and tagged , , , . Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

Post a Comment

Your email is never published nor shared. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Spam Protection by WP-SpamFree