Hey Alexa – Show Me Whitelisted Malware

Tuesday, October 10, 2017

Troy Kent

E181257171d17cbf437b89cc372e76bc

Noise is a huge concern for the SOC. Security teams are struggling to deal with the daily barrage of noise coming from a myriad of security tools. As the volume gets louder, teams are increasingly seeking shortcuts and ways to automate certain processes in order to save precious time and cut down the noise.

One such popular shortcut among security analysts is to automate populating a whitelist by pulling from existing lists that the team deems to be safe. Curating a whitelist can be extremely time-consuming, and may seem like a distraction when other investigations are piling up on analysts’ plates. However, we’ve found that using existing lists for whitelisting could mean opening up your organization to vulnerabilities.

The team at Awake Security recently took a closer look at one seemingly benign list – the Alexa Top 1 Million list of domains – to assess whether it would be safe to use for whitelisting. While the Alexa list isn’t intended as a whitelist, many security teams see it as logical starting point. It makes sense that the most visited sites on the web would be nonthreatening, and could automatically be considered safe during an investigation.

In our investigation, however, we found that potentially malicious domains were making it up as high as #447. Just under Glassdoor, only five spots away from Dell and even more popular than BoredPanda.com, was a suspicious domain: piz7ohhujogi[.]com. At first glance, this domain looks suspicious because it appears to be randomly generated nonsense, much like the DGA domains that some malware like to use. At closer examination, courtesy of a quick Google search, we found pages of search results featuring advice on removing the domain from your redirects, with many sites referring to it as a pop-up or redirect virus.

We monitored the list for over a week, and saw this suspicious domain continue to creep up the list, reaching as high as #432. Since then, it has gradually fallen in rank, but it still remains as one of the top domains in the Alexa list.

Learning that this site had made it into the Alexa Top 1M begged the question: What other suspicious domains may have snuck their way in? To find the answer, we compared Alexa Top 1M with six different malware blacklists – Maltrail, ZeusTracker, MalwareDomains.com, Malware Domain List, Malware Bytes and Cybercrime.

The Malware Bytes list had the most domains that were also on the Alexa Top 1M (1308), however the types of domains it included were not all inherently malicious. The first domain, for example, qq.com, is a popular Chinese social website that offers a messaging app. The second was a Chinese news site. However, depending on your organization’s acceptable use policy, these sites and others on the list may still be threats to your whitelist if you don’t condone pirating software (thepiratebay[.]org, utorrent[.]com) or viewing pornography (cam4[.]com).

These are just a few of the examples we unearthed. In the end, it’s important to remember that lists like the Alexa Top 1M are not intended for whitelisting. As tempting as it can be to harness existing lists in order to cut down on noise, there is a danger in putting implicit trust in external sources.

To borrow a phrase from the Alexa website – “Information is power - if you have the right tools.” Those using popular lists for whitelisting should take another look at their tools and their approach to ensure security for their organizations.

About the author: Troy Kent  is a Threat Researcher at Awake Security. He has spent his career in SOCs as multiple Tiers of Analyst and an Investigator; working ticket queues, hunting for security incidents, rapidly prototyping new ideas into existence, working terrible hours and questioning career decisions.

Possibly Related Articles:
8559
Enterprise Security Security Training Webappsec->General
websites SOC Alexa Whitelist
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.