Strider URL Tracer with Typo Patrol
Tony Bradley, CISSP-ISSAP 2006-06-27

Introduction

This article looks at Microsoft's free Strider URL Tracer with Typo-Patrol, a tool for fighting typo-squatters and domain parking abuse. It can be used to protect children from being sent to inappropriate or explicit sites, and by companies or trademark owners to scan for sites that may be typo-squatting their domain(s) so that those sites can be investigated and/or prosecuted.

Rise of the Typo-Squatters

It is inevitable that people surfing the Internet will make a typographical error (typo) every now and again. As your fingers blaze across the keyboard, it's easy to hit a key you didn't intend to, or for your left hand to get ahead of your right and transpose two characters in a word.

Many applications, such as word processors, will instantly recognize the error and underline the misspelled word or suggest an alternative word. Web browsers are not that intelligent or forgiving though. If you are trying to visit http://www.ebay.com and you accidentally swap the 'A' and the 'Y' and type http://www.ebya.com instead, your Web browser will not alert you to the flaw. It will dutifully take you to the web site registered under the ebya.com domain name.

One might expect that ebya.com would simply result in a standard "Page Not Found" error. However, those lacking in Web ethics have figured out that they could profit from people's typing mishaps. By registering the domain names associated with common typing errors from popular domain names, Web sites can benefit from a steady flow of misguided traffic. The example above, ebya.com, ends up redirected to a Web site at http://www.megago.com, which appears to be some sort of index listing of categories of other Web sites to visit.

Many of these typo domains direct users to sites that are inundated with pop-up advertising or possibly even malware such as viruses or worms. Some typo domains of popular children's web sites even redirect to pornographic adult sites, exposing children to inappropriate material because of an innocent typing mistake. Whether it is just a nuisance, a source of malware, or results in exposing minors to adult material, typo domains are a real problem on the Internet.

The business of domain parking

One might ask, "Why would someone bother to redirect people to a Web site they don't want to visit?" Logically, you would think that if a person trying to visit disney.com enters the name wrong and ends up at a different domain, they aren't going to be interested in the product or information on that site. They would simply retype the domain correctly and go about planning their vacation to Disney World (or continue figuring out how large a second mortgage they need to finance such a vacation).

The reality, though, is that enough people seem to be interested in information on these typo sites. Just as the majority of people abhor email spam and wouldn't think of responding to it or purchasing any products or services promoted with it, enough people will do so that it is still quite profitable.

In most cases, the typo domain is not even selling a product or service itself. The typo domain makes its money from syndicated advertising such as Google's AdSense program. The typo-squatter simply parks the domain and the only content on the site ends up being the ads served from a syndicated advertising program.

With ad syndication, context-sensitive ads are displayed that are based on the overall content of the target web site. When a URL is typed into the address bar or clicked on, the Web browser is instructed to retrieve data from a third-party URL. The third-party URL, using information it knows about the target URL, and possibly combined with details about the user, then serves contextual ads that are relevant to the site or user.

In theory, there is nothing wrong with this practice. If I am visiting a site about golfing, it makes sense that I would want to see advertising that has to do with golfing as well, as opposed to ads about the latest cholesterol drug or mail-order DVD service.

Some domain owners abuse the ad syndication system, however, by simply parking the domains so that the only content on the site to begin with is from the syndicated ads. These sites provide no real value and serve no better purpose than to generate ad revenue for the domain owner. With domain registrations as low as $7, the domain could pay for itself with as little as one unique visitor every 2 days.

Microsoft's Strider Typo-Patrol

To try to identify and combat this type of systematic typo-squatting and abuse of the syndicated advertising system, Microsoft's Cybersecurity and Systems Management research group developed the Strider Typo-Patrol tool. At the time of this writing, Strider Typo-Patrol works only with Windows XP and Internet Explorer 6. It also requires version 2.0 or higher of Microsoft's .NET framework before it can be installed. The .NET framework is a 22.4 MB download that is not likely to be installed by default on most home systems, but fortunately it is easy to install.

Components of Strider Typo-Patrol

The Strider Typo-Patrol tool is made up of three major components: typo-neighborhood generator, typo-neighborhood scanner and typo-domain database. The three functions of the Strider Typo-Patrol tool allow users to identify and scan for typo-squatting domains and to contribute to the running list of typo-domains stored in the typo-domain database on Microsoft's servers.

The Strider typo-neighborhood generator takes a given domain, input by the user, and extrapolates all of the conceivable domains that could be created by common mistyping errors such as missing a character, adding an additional character or transposing one or more characters within the target domain name.

The typo-neighborhood scanner takes the list of domains spawned by the typo-neighborhood generator and attempts to connect with each of them to determine if they exist and what sort of content they are serving. To prevent interference or issues from one typo-domain to the next, Strider uses a new Virtual Machine instance to connect with each one.

Using a modified version of the Strider HoneyMonkey Scanner, the typo-neighborhood scanner uses a bank of 17 servers to execute the scans and obtain information about the typo-domains such as the third-party URLs visited and the content of all HTTP requests and responses. It can also be configured to capture a screen shot of the typo-domain site.

The Strider typo-domain database collects the scan results and analyzes them in three different ways. First, it looks at the typo-domains in a given category to determine how prevalent typo-squatting is for that category and who the culprits behind it are.

Secondly, the Strider typo-domain database examines the traffic to identify anchor domains. An anchor domain is a domain used to aggregate typo-squatting traffic from multiple typo-domains in order to simplify operations and revenue collection by nefarious website owners through one site. Determining the anchor domain provides a central point of reference for investigating and/or prosecuting typo-domain issues.

The third type of analysis is to search for specific key words, such as sexually explicit terms. The Strider typo-domain database reviews the HTTP response pages to extract typo-domains that contain any of the identified keywords.

Strider typo-neighborhood generator

The typo-neighborhood consists of all domains that are similar to, or potential typos of, the true target domain. The Strider typo-neighborhood generator uses five methods to generate the typo-domains that commonly occur:

  • Missing-dot typos: These typos occur when a user fails to type the ".", or dot between the "www" and the domain name in the URL. For example, typing http://wwwsecurityfocus.com rather than http://www.securityfocus.com.

  • Character-omission typos: These typo-domains are created by leaving out a letter of the domain name, one letter at a time. For example, http://www.securityfocs.com and http://www.securityfous.com.

  • Character-permutation typos: These are domains that occur when two of the letters in the domain name are transposed, or swapped, while typing. The typo-neighborhood generator produces all such domains by swapping characters one pair at a time. For example, http://www.securiytfocus.com or http://www.securityfcous.com.

  • Character-replacement typos: To generate character-replacement typo-domains, the Strider typo-neighborhood generator replaces each letter in the domain with each of the letters adjacent to it on the keyboard. For example, typing http://www.secueityfocus.com or http://www.securityfpcus.com.

  • Character-insertion typos: These typo domains are generated by inserting an additional character that is adjacent on the keyboard to one of the letters in the domain name. It can also include typing the same letter twice. For example, http://www.securiotyfocus.com or http://www.securityffocus.com.
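The generator described above and in the component overview can be reproduced in a few lines. The following is an added example, not Strider's own code: it implements the five typo classes for one registrable domain, assuming adjacent-pair swaps for the permutation class (as in the article's examples) and a constructed US QWERTY adjacency table, since the page does not publish Strider's table.

```python
# Constructed QWERTY rows; only left/right neighbours on the same row count.
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def adjacent_keys(ch):
    """Return the letters immediately left/right of `ch` on a US QWERTY row."""
    for row in _ROWS:
        i = row.find(ch)
        if i >= 0:
            return {row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)}
    return set()  # digits and hyphens have no neighbours in this simple table


def typo_neighborhood(domain):
    """Map each Strider typo class to the set of hostnames it yields.

    `domain` is the registrable name, e.g. 'securityfocus.com'; only the
    label before the first dot is mutated and the TLD is left intact.
    """
    label, _, tld = domain.partition(".")
    n = len(label)
    labels = {
        # leave out one letter at a time
        "omission": {label[:i] + label[i + 1:] for i in range(n)},
        # swap each adjacent pair (a pair of identical letters is a no-op)
        "permutation": {label[:i] + label[i + 1] + label[i] + label[i + 2:]
                        for i in range(n - 1) if label[i] != label[i + 1]},
        # replace each letter with a key next to it on the keyboard
        "replacement": {label[:i] + c + label[i + 1:]
                        for i in range(n) for c in adjacent_keys(label[i])},
        # insert a neighbouring key before or after a letter, or double it
        "insertion": {label[:i + k] + c + label[i + k:]
                      for i in range(n) for k in (0, 1)
                      for c in adjacent_keys(label[i]) | {label[i]}},
    }
    out = {cls: {f"{x}.{tld}" for x in names} for cls, names in labels.items()}
    # missing-dot: the user runs "www" straight into the domain name
    out["missing-dot"] = {f"www{domain}"}
    return out


def flatten(neighborhood):
    """Sorted, de-duplicated hostname list ready for a scanner queue."""
    return sorted(set().union(*neighborhood.values()))
```

Feeding `flatten(typo_neighborhood("securityfocus.com"))` to a resolver or scanner is the step the typo-neighborhood scanner performs; the generator itself makes no network connections.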

Strider URL Tracer tool

The Microsoft research team created the Strider URL Tracer to work with and contribute to the typo-squatting project. The Strider URL Tracer performs four different functions to help users be aware of and have more control over traffic to third-party sites.
Article continued on Page 2 


