DomainScouter RAID 2019

Daiki CHIBA
September 25, 2019


Daiki Chiba, Ayako Akiyama Hasegawa, Takashi Koide, Yuta Sawabe, Shigeki Goto, and Mitsuaki Akiyama, "DomainScouter: Understanding the Risks of Deceptive IDNs," Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019), pp. 413-426, Sep. 2019.

Paper PDF: https://www.usenix.org/conference/raid2019/presentation/chiba


Transcript

Only the following fragments of the slide text are recoverable:

- аpple[.]com, where the first letter is Cyrillic а (U+0430) rather than Latin a (U+0061)
- an IDN example shown with its Punycode form, xn--r8jz45g.test
- apple.com IDN phishing example: https://www.xudongz.com/blog/2017/idn-phishing/
- fake adobe.com website: https://blog.newskysecurity.com/fake-adobe-website-delivers-betabot-4114d1775a18
- example labels used on the slides: example.test and êxämplē.test
- comparison of DomainScouter with Liu et al., 2018 [36], Sawabe et al., 2018 [48], and blacklists
- brand domains listed: amazon.com, hotels.com, google.com, apple.com, facebook.com, target.com, youtube.com, bet365.com, office.com, yahoo.com, gmail.com, skype.com, android.com, blogger.com, cloudflare.com, symantec.com
- https://www.zdnet.com/article/google-chrome-to-get-warnings-for-lookalike-urls/
- [17] Guidelines for the Implementation of Internationalized Domain Names Version 4.0, https://www.icann.org/en/system/files/files/idn-guidelines-10may18-en.pdf