Backdooring Your Backdoors – Another $20 Domain, More Governments
75 comments
January 12, 2025
Lammy
judge2020
What would buying even mean in this sense? Even countries don't "own" their ccTLDs, but ICANN has made considerable efforts to outline policies that go "we really need to treat ccTLDs like the countries own them to avoid tensions over internet namespaces". That's why most gTLD rules don't apply to ccTLDs.
Countries "own" their ccTLD in the sense that they (or most) have the military prowess to defend their usage of their ccTLD if ICANN, or the servers at root-servers.net, were to stop resolving TLDs appropriately.
NewJazz
The root servers hold the real power, and IIRC over 50% are operated in the US, with many of them being operated by the US military and others educational institutions.
I can only assume that the US has tolerated varied use of ccTLDs for the sole purpose of avoiding a competing alternate DNS root zone becoming more prominent.
preciousoo
I’m sure the NSA does their best to make sure the US doesn’t politically fuck that up
croemer
But root servers aren't a democracy, are they? If US root servers went bonkers, people would just use different root servers. Doesn't matter whether it's 50% or 90% that are in the US if they can be ignored?
BobbyTables2
DNS is then a weapon of mass destruction
awwaiid
All property, physical and digital, is rented if you squint just right.
noduerme
I'm curious if this is a socialist lament about landlords or a libertarian complaint about governments.
lazyasciiart
Maybe it's an existential comment about the fleeting existence of life.
nightpool
I think it's just acknowledging the reality that property is a social construct, one that's created by the social contract.
SkyBelow
Maybe a deeper truth that is harder to put into words but which feeds into both of them. Something captured in much higher dimensional concept space that, when forced into our 3D world (and our <whatever>D political discussion space), looks like a sphere in one projection and a cube in the other, but which is neither.
short_sells_poo
I tend to think it is neither of those, but meant very literally. For that reason I like it and I think it's an interesting subject.
What is ownership after all? The universe does not seem to have any form of ownership embedded in its fundamental laws. If ownership is a human construct, then it is only meaningful insofar as a group of humans agrees on it.
I can stroll up to the White House and declare that I own it, but I'll struggle to convince a sufficient number of other people that this is true. If I can't assert my ownership, then I don't really own it, do I? It doesn't matter whether it is just, or fair (again - purely human constructs), ownership only matters if it can be enforced.
Being a human construct, it is also by definition temporary. It is only valid as long as humans are around to enforce it, and humans are fleeting. Humanity might endure, but there's no reason to think we are going to be around for eternity.
So it looks like ownership is not only temporary, but it is also fickle. People routinely disagree on ownership and are willing to kill or be killed for asserting their claims.
It looks like neither the communists nor the libertarians are in the right. Things will be owned by whoever has more pointy sticks :D
foobarbecue
Property is theft from the state
hhh
what's the difference?
sgjohnson
I read it as a libertarian complaint about governments.
i.e. own real estate? Try not paying the property tax on it, and see who really owns it. :)
bell-cot
> I wish we could collectively stop...
That's a "feature" of human nature and English. People say "my car" and "my phone number" when those are leased. "My house" when they have a new zero-down mortgage. And all sorts of other conceptual contractions - with the messier reality assumed to be common knowledge. Or just irrelevant to the point at hand.
fn-mote
I loved this write-up. Light-hearted. Conscious of the impact of any disclosure. Everything substantiated, but not taking themselves too seriously. Enjoyable read, and at the same time talking about a serious issue.
ipdashc
Thank you for putting it in words. I felt the same way, both about this and the write-up for their previous .mobi thing. Well explained with plenty of context, no buzzwords, light-hearted and cool (while not trying too hard to make themselves sound cool), and plenty of substance with no fluff. A lot of blog posts or security write-ups violate some of these; this is a breath of fresh air.
taspeotis
I also loved the appearance of WordArt, shame they did not do the rainbow one.
Thorrez
I wonder what would happen if they exploited these webshells' backdoors to delete the webshells...
abound
If you're the FBI (and maybe also have a court order), you can do this [1]. If you're a grey hat hacker in Russia, you can maybe do this [2]. If you're a random person in the US, you're likely exposing yourself to a lot of (CFAA) risk.
As the authors of this post note, they were careful to only receive + log traffic and not otherwise send interesting responses/engage with the webshells.
[1] https://www.malwarebytes.com/blog/news/2024/02/fbi-removes-m...
[2] https://www.zdnet.com/article/a-mysterious-grey-hat-is-patch...
croemer
I'm not sure I understand this correctly:
> This is a line of CSS, specifying that the ‘menu’ style should fetch a background image from the given URL. On loading the page, the web browser will attempt to fetch the specified .gif file from the w2img.com server.
> Note: Disclosing just the domain in referrers is a relatively recent browser change, and indeed attackers using older browsers were sending us full shell URLs.
In particular re "attackers using older browsers": haven't the (original) attackers taken over the _server_ that's serving the CSS and the browser belongs to unsuspecting _users_ of the pwned server? Isn't it wrong to say the attackers use the browsers then, as the browser is used by a victim?
Under which circumstances would _attackers_ be using a browser? I can't make sense of this.
TazeTSchnitzel
A webshell is a page (typically a .php file) uploaded to a site by an attacker after a compromise (e.g. an RCE), which is then used by an attacker through their browser to perform further actions on the compromised webserver. These premade webshell files however have been made by other attackers and come pre-compromised with a backdoor. In this case the CSS in the webshell makes the attacker's browser snitch the webshell's location to a domain controlled by the author of the webshell.
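The referrer leak described above (the webshell's CSS loading a background image from a domain that now belongs to someone else) is what lets the sinkhole operator enumerate compromised hosts from its access logs. The following is an added example, not code from the article or its authors: it parses constructed combined-format log lines from such a sinkhole, groups requests by referrer host, and separates full-URL referrers (older browsers, leaking the exact webshell path) from origin-only referrers (current browsers). All IPs, hostnames and paths are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in combined log format, as the web server behind a
# sinkholed "image" domain would record them. Hosts and paths are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:01:02 +0000] "GET /images/bg.gif HTTP/1.1" 200 43 "http://court.example.invalid/uploads/shell.php" "Mozilla/4.0"
203.0.113.9 - - [12/Jan/2025:10:02:15 +0000] "GET /images/bg.gif HTTP/1.1" 200 43 "https://court.example.invalid/" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2025:10:03:40 +0000] "GET /images/bg.gif HTTP/1.1" 200 43 "-" "curl/8.0"
198.51.100.5 - - [12/Jan/2025:10:04:01 +0000] "GET /images/bg.gif HTTP/1.1" 200 43 "http://shop.example.invalid/tmp/cmd.php?view=1" "Mozilla/4.0"
"""

# client, ident, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"'
)


def parse_referrers(log_text):
    """Return {referrer_host: {"full": set(paths), "origin_only": count}}.

    A referrer with a path or query means an older browser leaked the exact
    webshell URL; an origin-only referrer is what current browsers send for
    cross-origin subresource loads. Either way the host is worth notifying.
    """
    hosts = defaultdict(lambda: {"full": set(), "origin_only": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        referrer = m.group(5)
        if referrer == "-":  # no Referer header: not a browser-driven CSS fetch
            continue
        parts = urlsplit(referrer)
        if not parts.hostname:
            continue
        entry = hosts[parts.hostname]
        if parts.path in ("", "/") and not parts.query:
            entry["origin_only"] += 1
        else:
            entry["full"].add(parts.path + ("?" + parts.query if parts.query else ""))
    return hosts


if __name__ == "__main__":
    for host, info in parse_referrers(SAMPLE_LOG).items():
        print(host, "full paths:", sorted(info["full"]), "origin-only hits:", info["origin_only"])
```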
croemer
Thanks, that makes sense, not sure how I could miss that.
busymom0
Slightly off topic but what's going on with the font for the "y" character in this article? It sticks out like a sore thumb.
8organicbits
I find this sort of thing bothers me often enough that I've disabled downloadable_fonts. I think of the web as a place where I read things, so custom fonts that hurt readability are undesirable. I get why designers want a unique style, but I rarely want that as an end user.
sosborn
It's the font design: https://abcdinamo.com/typefaces/favorit
roygbiv2
Wow what is going on with that website.
lioeters
I guess it's "Brutalism" or something, but I had a physical revulsion to the entire site design and all their fonts. It's so ugly it's almost charming.
busymom0
Looks like the font provides an "alternative y" which looks normal. But the default one has that ugly broken look.
alt227
That website had me in tears of laughter.
From the amazing picture at the top, to the hand offering cookies, to the over the top shaking and spinning of everything on hover. This is one funny website.
npteljes
I think some fonts do this so that they have a distinguishing feature. Fonts seem to be a very saturated market, so this might help them be noticed in a crowd of sameness and copycats, and many people don't look at a font otherwise either, even people who use them in designs.
I think the sticking-out part is supposed to irritate somewhat, but it still needs to make some sense, like a hot take. I noticed some online personalities use the same strategy with pronunciation, consciously and consistently mispronouncing specific words, or playing up their accent. Media analysts also recognize verbal tics as a trope, for similar effect.
Back to fonts, another site that I remember using a similar thing is the Genius lyrics site. For a long time, while establishing their presence, they used the square character forms from the Programme font, which you can see on my link. They still use Programme, but have used the normal forms for some time now, presumably because it was indeed irritating, and it hurt legibility.
pessimizer
If you can't compete on quality, you compete by being difficult to compare to better things.
npteljes
I think this is too cynical to be true. I brought up saturation and uncare of primary users (designers) specifically to address that quality is not enough. You put your heart and 1000 person-hours into a lovely font, but many will still opt for whatever ships with their OS or design tool. Quality is simply not enough, and sometimes doesn't even enter the picture, very similarly to creative work - for a musician, talent itself does nothing. Same for well-written code for software engineers - nobody cares, maybe only themselves in the future. Software achieving business goals, and being well written, or by brilliant people, are two different things, with very weak correlation.
Usually the recipe for success includes good quality / talent, sure. But it also usually includes something that is markedly different from others. People, searching for this distinct something, can seem tryhard, or just throwing sh!t at the wall to see what sticks - and maybe they are - but they are also doing something that's an organic part of the road to success.
A font-related example that might be easier on the eyes could be Fira Code. One of the immediate distinguishers is the ligatures. Check it out if you haven't already, it's quite neat, and it was the talk of the town for quite some time.
croemer
> with the hopes of painting a paint a clear picture.
Typo: "a paint" is superfluous
> Taking a look through the results for high-value domains within our referrers, we the following stood out like a shining beacon:
Typo: superfluous "we" in "we the following"
> Atleast there will be memes on the record, and an awkward explanation of a raccoon.
Typo: "Atleast"
pea
Blast from the past seeing h0no mentioned... Brings me back to days of darpanet/m00/#darknet/dikline
croemer
I wonder why they redacted almost all domains but the Federal High Court of Nigeria's? It's not mentioned explicitly, so I hope they did responsible disclosure.
m3kw9
Should be called front dooring your backdoor
1oooqooq
so, it was 99% based on dns hijack, but he says nothing about how it was done?
aneutron
Have you actually read the article? He explains everything in sufficient detail. He didn't "hijack" the DNS records, he bought the ones that were expired and available.
The only thing he doesn't explain (for obvious reasons) is how he found the shells online (because, as he puts it, they fell off the back of a truck).
Its_Padar
Technically this is a dupe as this has been submitted twice before in the last week
catoc
The first link is also watchtwr, but a different post
To avoid my comment being entirely a terminology nitpick, I will say this is very cool work that I would be too afraid of the CFAA to ever attempt. Especially funny to see four parasites on one government domain. Do skiddies not excise other skiddies' backdoors when pwning systems so they can have them all to themselves?
> We then hooked that up to the AWS Route53 API, and just bought them en-masse. Honestly, it’s $20, and we’ve done worse with more.
> We’re incredibly grateful for the support of The Shadowserver Foundation, who have agreed yet again to save us from our own adventures and to take ownership of the domains implicated in this research and sinkhole them.
I wish we could collectively stop using the terms “buy” and “own” with regard to domains. Try “leased” or “rented”. If they could be bought then they wouldn't have been available again for this exercise.