Concerns With .ZIP & .MOV Top Level Domains
Recently, Google announced that it is adding several new ‘top-level domains’ to the list of domains available for registration. This has raised concerns in the security industry. Let’s talk about why security professionals are concerned and what your organization can do about it.
First off, what is a top-level domain or TLD as they’re called?
A top-level domain is something you’re likely very familiar with: it is the last label of a domain name. Some common examples are .com, .gov, .net, and more. The TLD is the starting point for a name lookup, so the internet’s name servers know where to look for a website, email addresses, and more.
Over the last week, 8 new top-level domains were added. You can read more about them in Google’s announcement here: https://www.registry.google/announcements/launch-details-for-eight-new-tlds/
In this announcement, two top-level domains are of particular interest to security professionals: .zip and .mov.
So what’s the problem?
Well, .zip and .mov are also common file extensions. .zip is used for compressed archives, known as .zip files, and .mov is a media format for videos. Not only can the overlap be confusing for IT folks, but it also brings a security concern.
Currently, many threat actors embed malware in common file types, such as Word documents. However, they can also deliver their malware inside .zip files as well as .mov files.
Malware researchers and security professionals note that the new TLDs could help malicious entities spread their malware and attacks. Instead of having the victim download a malicious .zip file, an attacker could present something that looks like a .zip file name when it is actually a link to a site on the .zip top-level domain. Because the victim is following a web link rather than opening an attachment, the attack could slip past some of the security solutions in place and go on to download additional malicious code, remote access tooling, and potentially more.
In fact, many security researchers are already purchasing domains like malware.zip, not only to keep them out of the hands of threat actors, but also to use them in their own ethical research and hacking.
So, what do we do about it?
Well, right now this is still very early, and as of this writing there is no evidence that threat actors are capitalizing on it.
Organizations could choose to simply block connections to these domains completely; however, there could be a negative business impact as legitimate entities start using them.
However, this highlights the need for something called ‘DNS filtering.’ This technology inspects the requests made to resolve website names and classifies each one as malicious or legitimate. It should apply equally whether the domain ends with .gov or .zip. Currently, it is expected that firewall vendors and third-party DNS filtering services will update their protection mechanisms to scan and classify this traffic.
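To make the two choices above concrete, here is an added example (not code from the original article or from any DNS filtering product) that runs a resolver log through a small policy: either block every query to a .zip or .mov domain outright, or filter them, allowing an allowlisted set of legitimate sites and holding unknown hosts for review. It also includes a helper that finds file-name-looking tokens such as "report.zip" in message text, which is the ambiguity the article describes. The log format, the allowlist entry example-vendor.zip and all log lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# The two TLDs the article discusses.
WATCHED_TLDS = {"zip", "mov"}

# Constructed allowlist of legitimate .zip/.mov sites; the name is hypothetical.
ALLOWED_DOMAINS = {"example-vendor.zip"}

# Constructed resolver log format (not any real product's format).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)$"
)

# Tokens such as "report.zip" that a mail client may turn into a clickable link.
# A token that already sits inside a URL path (preceded by "/") is skipped.
FILENAME_TOKEN = re.compile(r"(?<![/\w.-])([\w-]+\.(?:zip|mov))\b", re.IGNORECASE)

# Constructed sample log lines.
SAMPLE_LOG = """\
2023-05-15T10:01:02Z client=10.0.0.5 query=www.example.com. type=A
2023-05-15T10:01:03Z client=10.0.0.5 query=report.zip. type=A
2023-05-15T10:01:04Z client=10.0.0.9 query=docs.example-vendor.zip. type=A
2023-05-15T10:01:05Z client=10.0.0.7 query=holiday.mov. type=AAAA
"""


@dataclass(frozen=True)
class Verdict:
    qname: str
    client: str
    action: str   # "allow", "block" or "review"
    reason: str


def tld_of(qname: str) -> str:
    """Return the last label of a (possibly fully qualified) name, lowercased."""
    name = qname.rstrip(".").lower()
    return name.rsplit(".", 1)[-1] if "." in name else ""


def classify_query(client: str, qname: str, mode: str = "filter") -> Verdict:
    """Apply the policy to one query. mode is "block" (drop all .zip/.mov)
    or "filter" (allow known-good sites, hold everything else for review)."""
    name = qname.rstrip(".").lower()
    tld = tld_of(name)
    if tld not in WATCHED_TLDS:
        return Verdict(name, client, "allow", "tld not watched")
    if mode == "block":
        return Verdict(name, client, "block", f".{tld} blocked by policy")
    if name in ALLOWED_DOMAINS or any(name.endswith("." + d) for d in ALLOWED_DOMAINS):
        return Verdict(name, client, "allow", "allowlisted domain")
    return Verdict(name, client, "review", f"unknown host on .{tld} TLD")


def process_log(log_text: str, mode: str = "filter") -> list:
    """Parse each log line and return one Verdict per well-formed line."""
    verdicts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        verdicts.append(classify_query(m["client"], m["qname"], mode))
    return verdicts


def find_ambiguous_tokens(text: str) -> list:
    """Return tokens that read like .zip/.mov file names but would be linkified."""
    return FILENAME_TOKEN.findall(text)


if __name__ == "__main__":
    for v in process_log(SAMPLE_LOG):
        print(f"{v.action:6} {v.qname:28} {v.reason}")
    print(find_ambiguous_tokens("Attached: report.zip (also https://example.com/pkg.zip)"))
```

In "filter" mode the unknown hosts report.zip and holiday.mov land in the review bucket instead of being dropped, which is the middle ground between blocking the TLDs wholesale and doing nothing; the allowlist is where the legitimate entities the article mentions would be recorded as they appear.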
Regardless, organizations should review the potential risks and develop a plan to address them based on their own needs.