For quite a long time now, SWITCH has actively been cleaning up drive-by sites. Attackers keep using the same tricks, so analysing them has become quite a routine, if not to say a bore. Recently, however, we stumbled over a new pattern. Many of the reported domains looked like
where XXX are three random letters. Most of the domain names did not return anything when we tried them. And they all had their name servers with afraid.org, a free DNS hoster, which indeed provides quite a comprehensive service.
What is the issue with afraid.org? In a nutshell, it is their business model: the default, free, setting when you register a domain is “public”. You forked out some money to get a domain name, so obviously it should be public, or no one can see it. However, “public” in afraid.org’s terminology means:
Public – If you add your domain as public, […] , others will be permitted to create sub domains off your domain without involving you.
Indeed, creating a subdomain pointing to something totally unrelated is easy. Only premium members ($5/month) have full control over their domain.
Obviously miscreants will be busy finding new, creative ways of using this service. And we are not the only ones concerned about this; so are our colleagues at Check and Secure. But just blaming afraid.org would be too easy. Running a quality DNS service is not a simple task. It needs resources, time, know-how and, last but not least, money to buy hardware, pay power bills etc. The folks at afraid.org are very helpful and quick in fighting misuse.
So maybe it’s us (the internet community) who all too often confuse free with free beer: we are happy to use free services and free software and don’t care about the implications of a low price. Not convinced yet? Let’s rephrase this: would you run your important e-business on infrastructure developed by a couple of aficionados in their spare time? No? Yes, you probably do. Only after a major disaster like Heartbleed do people realize that there is no such thing as software that is free as in free beer. The same is true for free DNS.
So zooming back: how bad was this really? According to afraid.org there were about 100 ransomware subdomains with the “law-enforcement” pattern. Looking at Dynamoo’s Blog, there were many more domains and patterns. Thanks to the afraid.org folks, they are gone. As we have seen many other .ch/.li domains hosted at afraid.org abused, we informed about 700 owners of afraid.org-hosted .ch/.li domains with the default public shared state. Our recommendation: pay $5/month!
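The triage described in this post, first picking out the domains whose name servers sit at afraid.org and then listing the subdomains under them that the owner never created so the owner can be notified, as an added Python example. This is not SWITCH’s or afraid.org’s code. The domains, name server names, reported hostnames and owner-supplied subdomain lists are constructed sample data; the real three-letter pattern of the reported subdomains is not reproduced, the script simply reports every label the owner does not claim as their own. Whether a domain is in afraid.org’s public shared state cannot be read from DNS, so the script only finds candidates for notification, not confirmed cases.

```python
"""Triage helper: which domains are delegated to a free DNS hoster, and
which subdomains under them did the owner not create?

Added example, not SWITCH's or afraid.org's code. All input is constructed
inline so the script runs offline."""
from collections import defaultdict

# Name server zone whose delegations we want to flag (from the post).
FLAGGED_NS_ZONE = "afraid.org"

# Constructed sample: registered domain -> NS records, as you would get from
# `dig NS <domain>` or the TLD zone file. Case and trailing dots vary on purpose.
NS_RECORDS = {
    "example-shop.ch": ["NS1.afraid.org.", "ns2.afraid.org."],
    "example-club.li": ["ns1.afraid.org", "ns3.afraid.org."],
    "example-bank.ch": ["ns1.example-hoster.net.", "ns2.example-hoster.net."],
}

# Constructed sample: hostnames taken from drive-by / ransomware reports.
REPORTED_HOSTS = [
    "abc.example-shop.ch",
    "www.example-shop.ch",
    "xyz.example-club.li",
    "secure.example-bank.ch",
    "qrs.example-shop.ch.",
]

# Constructed sample: subdomains each owner says they created themselves.
KNOWN_SUBDOMAINS = {
    "example-shop.ch": {"www", "mail"},
    "example-club.li": set(),
}


def normalize(name):
    """Strip the trailing dot and lower-case, so DNS names compare equal."""
    return name.rstrip(".").lower()


def delegated_to(ns_records, ns_zone=FLAGGED_NS_ZONE):
    """Return the domains with at least one name server inside ns_zone.
    One such server is enough: resolvers may query it, so records added there
    are reachable even if the other servers are elsewhere."""
    hits = set()
    for domain, servers in ns_records.items():
        for ns in servers:
            n = normalize(ns)
            if n == ns_zone or n.endswith("." + ns_zone):
                hits.add(normalize(domain))
                break
    return hits


def registered_domain(host, known_domains):
    """Map a hostname to the registered domain it falls under, by longest
    suffix match against the domains we hold NS data for. A public-suffix
    library would do this for arbitrary names; kept simple on purpose."""
    h = normalize(host)
    best = None
    for d in known_domains:
        d = normalize(d)
        if h == d or h.endswith("." + d):
            if best is None or len(d) > len(best):
                best = d
    return best


def shadow_subdomains(reported_hosts, ns_records, known_subdomains):
    """For every reported host under a flagged domain, collect the subdomain
    part unless the owner lists it as their own. Returns {domain: [labels]}."""
    flagged = delegated_to(ns_records)
    domains = {normalize(d) for d in ns_records}
    result = defaultdict(set)
    for host in reported_hosts:
        h = normalize(host)
        d = registered_domain(h, domains)
        if d is None or d not in flagged:
            continue
        label = h[: -len(d) - 1] if h != d else ""
        if label and label not in known_subdomains.get(d, set()):
            result[d].add(label)
    return {d: sorted(labels) for d, labels in result.items()}


if __name__ == "__main__":
    for domain in sorted(delegated_to(NS_RECORDS)):
        print("delegated to", FLAGGED_NS_ZONE + ":", domain)
    for domain, labels in shadow_subdomains(
        REPORTED_HOSTS, NS_RECORDS, KNOWN_SUBDOMAINS
    ).items():
        print("notify owner of", domain, "about unknown subdomains:", labels)
```

The first list is the set of owners to contact (the post's 700 notifications); the second gives each owner the concrete subdomains they can deny having created, which is the question afraid.org needs answered before removing records.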