The Intersection of Domains and log4j
Assuming you haven’t been in a cryonic freeze for the last few days, you’re doubtless aware of the log4j vulnerability (aka Log4Shell). It’s one of the most serious vulnerabilities, with active exploitation in the wild, to have come along in the last few years. Many folks compare it to the likes of Heartbleed, though a convincing argument can be made that this one is more serious.
What’s interesting here from the perspective of Internet infrastructure is that the domain registrations that are occurring, where the domain name contains the string “log4j,” seem to be following the pattern of Domain Blooms that we discussed in an edition of the DomainTools Report earlier this year. To summarize briefly, a Domain Bloom is a pattern where the number of domains containing a specific n-gram (or, in more practical terms, a word or word fragment) rises above a previous baseline and remains higher for some period of time before tailing off to either the original baseline (in the case of relatively common words) or a new baseline (in the case of words basically new to the lexicon, such as “COVID”).
The string “log4j” was not in any kind of popular parlance before this vulnerability was disclosed, and the record of domain registrations shows it; the number of domains with that string in the name effectively rounds to zero prior to the disclosure of in-the-wild exploits of the vulnerability on December 9, 2021. The log4j library has been around for years, of course, but it was too obscure a topic to garner domain registrations related to it.
Until now. As of this writing (December 15), there have been several dozen registrations, with the daily numbers still climbing (19 on December 14). Since it is all but inevitable that the number of registrations will go down at some point, we can confidently say that this pattern meets our definition of a bloom.
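The bloom definition above (a count that rises above its prior baseline and stays there before tailing off) can be applied directly to a registration feed. The following is an added example, not DomainTools' own tooling: it scans a constructed feed of (date, domain) records for a chosen n-gram, freezes a threshold from the days preceding the rise, and reports the bloom's first day, peak and first quiet day (None while it is still climbing, as the log4j bloom was at the time of writing). The baseline window, ratio, absolute floor and minimum run length are assumed parameters, not values from the report.

```python
from collections import Counter
from datetime import date, timedelta

def constructed_registrations():
    """Synthetic feed of (registration_date, domain) records: quiet until
    2021-12-09, then a burst of names containing 'log4j'. This is constructed
    sample data, not DomainTools registration data."""
    per_day = {9: 3, 10: 8, 11: 12, 12: 15, 13: 19, 14: 10, 15: 4, 16: 1}
    regs = []
    for day in range(1, 18):
        d = date(2021, 12, day)
        regs.append((d, f"daily-noise-{day}.example"))  # unrelated registration
        regs.extend((d, f"log4j-{day}-{i}.example") for i in range(per_day.get(day, 0)))
    return regs

def daily_counts(registrations, ngram, start, end):
    """Count, per calendar day from start to end inclusive, the new domains
    whose name contains the n-gram (case-insensitive)."""
    hits = Counter(d for d, name in registrations if ngram.lower() in name.lower())
    return [hits.get(start + timedelta(days=i), 0)
            for i in range((end - start).days + 1)]

def find_blooms(counts, baseline_days=7, ratio=3.0, min_abs=5, min_run=2):
    """Return (start, peak, end) index triples. A bloom opens when the daily
    count reaches max(min_abs, ratio * mean of the preceding baseline_days),
    closes on the first day below that frozen threshold (end is None if the
    series stops while still elevated), and must last at least min_run days."""
    blooms, i = [], baseline_days
    while i < len(counts):
        threshold = max(min_abs, ratio * sum(counts[i - baseline_days:i]) / baseline_days)
        if counts[i] < threshold:
            i += 1
            continue
        j = i
        while j < len(counts) and counts[j] >= threshold:
            j += 1
        if j - i >= min_run:  # a one-day spike is not a bloom
            peak = max(range(i, j), key=counts.__getitem__)
            blooms.append((i, peak, None if j == len(counts) else j))
        i = j
    return blooms

def bloom_report(registrations, ngram, start_iso, end_iso, **kw):
    """Map bloom indices back to ISO dates: [(first_day, peak_day, first_quiet_day|None)]."""
    start = date.fromisoformat(start_iso)
    counts = daily_counts(registrations, ngram, start, date.fromisoformat(end_iso))
    day = lambda i: None if i is None else (start + timedelta(days=i)).isoformat()
    return [(day(s), day(p), day(e)) for s, p, e in find_blooms(counts, **kw)]
```

Running `bloom_report(constructed_registrations(), "log4j", "2021-12-01", "2021-12-13")` returns an open-ended bloom, while extending the window to 2021-12-17 lets it close once the daily count drops back under the threshold.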
Does this Bloom Contain Poison?
As our Domain Blooms report found, some blooms have a distribution of Domain Risk Scores showing a higher proportion of malicious domains than a random sample. So far, the developing bloom for log4j domains shows a modest amount of known or predicted maliciousness. Only one domain, log4j-test[.]xyz, has been put on well-known block lists, but 13 more have extremely high Risk Scores (90-99), and another 12 are high-risk (70-90), so it’s likely that actors are looking to cause some kind of mischief with some of these domains.
For defenders, the low numbers of log4j-themed domains thus far means that you’re not too likely, statistically speaking, to see traffic from your environment to one of these domains, and if you do, there’s no guarantee that you’ll hit a bad one. Probably the most likely to show up in your traffic logs, to date, is log4jmemes[.]com.
It’s too soon to tell when we’ll reach the peak of the log4j domain bloom. If we see other activity that seems noteworthy related to this bloom, we’ll likely post that info at @SecuritySnacks. Meanwhile, stay safe out there, and here’s hoping your Apache instances are now safe!
Indicator List: log4j domains as of 12/15/21
Many of these domains may be completely benign