Malware misinformation

Documenting misinformation in the infosecurity space, focusing particularly on malware analysis and forensics.

Created by @maldr0id


Claim ID: 00009

The following claim is repeated in the context of Pegasus misinformation:

expired domains are not a useful indicator of compromise

The claim is considered: :x: FALSE :x:

Why is it false?

Indicators of compromise - small pieces of forensic data that investigators try to find when looking for malware - can come with an expiration date. Some of them, like IP addresses, usually have a very short lifespan and should only be used with a date filter[1]. Hence, even if the indicator of compromise is expired it is still useful if it appears between certain dates on the forensic timeline. However, for intrusion detection systems which work in near real time the mere fact that the indicator of compromise is no longer relevant right now (e.g. a domain has expired) means that it may be considered a “false positive”[2].

When an attacker registers a domain name, they are able to use it for the period of time they registered it for, which is typically between one and ten years[3]. If the domain is not renewed it will expire. As attackers have an incentive to change infrastructure as often as possible to avoid being detected, most malicious domains will expire and can be bought. The fact that a domain was subsequently bought does not mean it was not used in a malicious way in the past. In fact, buying (or seizing) a domain considered malicious can lead to the creation of a “sinkhole” - a server which observes the traffic to the domain made by infected devices[4]. These observations can then be used to stop the infections or notify the device owners about the infection.

Therefore it is extremely important to establish whether the investigation is performed using historical artefacts (e.g. backups) or is done in real time (e.g. using actual network traffic). Once that is established the investigator can decide whether or not to use now-expired but once-active domains. This does not mean that expired domains are not useful, just that they have to be used in combination with the correct date range in which they were actively malicious.
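The distinction above between historical and real-time use of a domain indicator can be made concrete. The following Python example is added here and is not part of the original page or of any real Pegasus analysis tooling; the indicator domains, their active windows and the DNS log lines are all constructed placeholders. Each indicator carries the date range in which it was under attacker control; in historical mode an event is only a hit if it falls inside that window, while in real-time mode an indicator whose window has closed is dropped because it would only produce false positives against current traffic.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone


@dataclass(frozen=True)
class DomainIndicator:
    domain: str
    active_from: date   # first day the domain was observed as malicious
    active_until: date  # last day under attacker control (expiry or sinkhole date)


# Constructed indicators for illustration; these are placeholder domains,
# not real indicators from any report.
INDICATORS = [
    DomainIndicator("update-service.example", date(2019, 3, 1), date(2020, 6, 30)),
    DomainIndicator("cdn-assets.example", date(2021, 1, 15), date(2021, 11, 1)),
]

# Constructed DNS-log lines: "<ISO-8601 UTC timestamp> <device> <queried domain>"
SAMPLE_LOG = """\
2019-08-12T09:14:03Z phone-a update-service.example
2020-06-29T22:05:41Z phone-b update-service.example
2021-02-03T10:00:00Z phone-a cdn-assets.example
2022-05-10T16:45:12Z phone-c update-service.example
2022-05-11T08:30:00Z phone-c news.example
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, device, domain) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, domain = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, device, domain.lower()))
    return events


def match_timeline(events, indicators):
    """Historical mode: an event matches only if the indicator was active on
    the event's date. An indicator that has since expired still matches events
    that fall inside its active window, which is exactly what a forensic
    timeline needs."""
    by_domain = {}
    for ind in indicators:
        by_domain.setdefault(ind.domain, []).append(ind)
    hits = []
    for when, device, domain in events:
        for ind in by_domain.get(domain, []):
            if ind.active_from <= when.date() <= ind.active_until:
                hits.append((when.isoformat(), device, domain))
    return hits


def live_indicators(indicators, today_iso):
    """Real-time mode: keep only indicators whose window covers today.
    Feeding an expired domain to a near-real-time IDS would flag a domain
    that is now owned by someone else, i.e. a false positive."""
    today = date.fromisoformat(today_iso)
    return [ind for ind in indicators if ind.active_from <= today <= ind.active_until]


if __name__ == "__main__":
    for hit in match_timeline(parse_log(SAMPLE_LOG), INDICATORS):
        print("historical hit:", *hit)
    print("indicators still live on 2022-05-10:",
          [i.domain for i in live_indicators(INDICATORS, "2022-05-10")])
```

Run against the constructed log, the historical pass flags the 2019, 2020 and early-2021 queries but not the 2022 query to the same domain, because by then the domain's active window had closed; the real-time pass for 2022 returns no indicators at all. Both results come from the same indicator list, which is the point: the expiry date is part of the indicator, not a reason to discard it.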

Statement sources

The websites below repeat the claim. This is not a full list of websites.

Campaigns

The misinformation campaigns below have used this claim.

Footnotes