
A Domain Bloom in Progress: log4j Domains

The Intersection of Domains and log4j

Assuming you haven’t been in a cryonic freeze for the last few days, you’re doubtless aware of the log4j vulnerability (aka Log4Shell, tracked as CVE-2021-44228): unauthenticated remote code execution through a logging library embedded in an enormous number of Java applications. It’s one of the most serious vulnerabilities to come along in the last few years, and it is being actively exploited in the wild. Many folks compare it to the likes of Heartbleed, though a convincing argument can be made that this one is more serious.

What’s interesting here from the perspective of Internet infrastructure is that the domain registrations now occurring in which the domain name contains the string “log4j” seem to be following the pattern of Domain Blooms that we discussed in an edition of the DomainTools Report earlier this year. To summarize briefly, a Domain Bloom is a pattern in which the number of domains containing a specific n-gram (in more practical terms, a word or word fragment) rises above its previous baseline and remains higher for some period before tailing off, either to the original baseline (for relatively common words) or to a new baseline (for words essentially new to the lexicon, such as “COVID”).

The string “log4j” was not in any kind of popular parlance before this vulnerability was disclosed, and the record of domain registrations shows it: the number of domains with that string in the name effectively rounds to zero prior to the disclosure of in-the-wild exploitation of the vulnerability on December 9, 2021. The Log4j library has been around for years, of course, but it was too obscure a topic to garner domain registrations related to it.

Until now. As of this writing (December 15), there have been several dozen registrations, with the daily numbers still climbing (19 on December 14). Since it is all but inevitable that the daily number of registrations will fall back at some point, we can confidently say that this pattern meets our definition of a bloom.
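The bloom definition above, worked through in code. This is an added example, not DomainTools code or its published methodology: it counts, per calendar day, the registrations whose name contains an n-gram, takes the mean of a window before the disclosure date as the baseline, and treats a run of days above baseline plus a fixed excess as the bloom, reporting whether that run is still climbing or has tailed off to a new baseline. The registration rows are constructed to resemble the situation the post describes, and the baseline-plus-excess threshold is my assumption.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample registrations, not DomainTools data. The counts are chosen
# to mimic a bloom that is still climbing on the last day of the window.
_SAMPLE = {
    "2021-12-03": ["catalog4jewels.com", "winter-sale.net"],   # "catalog4jewels" contains "log4j" by accident: baseline noise
    "2021-12-06": ["holidaydeals.com"],
    "2021-12-09": ["log4j.xyz", "bestcoffee.shop"],
    "2021-12-10": ["log4jfix.com", "log4j-poc.com"],
    "2021-12-11": ["log4jtest.xyz", "ihatelog4j.com", "log4j.help"],
    "2021-12-12": ["log4jshell.com", "log4jrce.org", "log4j2.com", "log4jmemes.com"],
    "2021-12-13": ["log4jvuln.com", "log4j.io", "log4j-check.com", "log4jhelp.com", "log4jbug.com"],
    "2021-12-14": ["log4j.dev", "lol4j.com", "log4jexploit.com", "log4j-fix.de",   # lol4j lacks the n-gram and is not counted
                   "testlog4j.com", "log4jgear.com", "log4j-testing.com"],
}
SAMPLE_REGISTRATIONS: List[Tuple[date, str]] = [
    (date.fromisoformat(d), name) for d, names in _SAMPLE.items() for name in names
]


def daily_ngram_counts(registrations: List[Tuple[date, str]], ngram: str,
                       start: date, end: date) -> Dict[date, int]:
    """Zero-filled count per calendar day of registrations whose name contains `ngram`."""
    needle = ngram.lower()
    hits = Counter(day for day, name in registrations if needle in name.lower())
    return {start + timedelta(days=i): hits[start + timedelta(days=i)]
            for i in range((end - start).days + 1)}


def analyse_bloom(counts: Dict[date, int], onset: date,
                  baseline_days: int = 7, excess: int = 1) -> dict:
    """Classify the daily series around `onset` using the bloom pattern from the post.

    Assumed (not the DomainTools methodology): the baseline is the mean daily count
    over the `baseline_days` before onset, and a day is "in bloom" when its count
    exceeds baseline + `excess`. The bloom runs from the first such day to the first
    later day that drops back to the threshold; with no such day it is still running.
    """
    days = sorted(counts)
    before = [counts[d] for d in days if onset - timedelta(days=baseline_days) <= d < onset]
    baseline = mean(before) if before else 0.0
    threshold = baseline + excess
    start = next((d for d in days if d >= onset and counts[d] > threshold), None)
    if start is None:
        return {"baseline": baseline, "threshold": threshold, "in_bloom": False}
    end = next((d for d in days if d > start and counts[d] <= threshold), None)
    bloom_days = [d for d in days if d >= start and (end is None or d < end)]
    peak_day = max(bloom_days, key=lambda d: counts[d])   # earliest day on a tie
    after = [counts[d] for d in days if end is not None and d >= end]
    return {
        "baseline": baseline,
        "threshold": threshold,
        "in_bloom": True,
        "start": start,
        "end": end,                                   # None while the bloom is still running
        "peak_day": peak_day,
        "peak_count": counts[peak_day],
        "still_climbing": end is None and peak_day == bloom_days[-1],
        "new_baseline": mean(after) if after else None,   # compare with `baseline` once it has ended
    }


def demo(window_end: str = "2021-12-14") -> dict:
    """Run the analysis on the constructed sample; extend `window_end` to see the tail-off."""
    counts = daily_ngram_counts(SAMPLE_REGISTRATIONS, "log4j",
                                date(2021, 12, 2), date.fromisoformat(window_end))
    return analyse_bloom(counts, onset=date(2021, 12, 9))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the sample makes visible: an n-gram count picks up accidental substrings (catalog4jewels.com lands in the baseline) and misses deliberate lookalikes such as lol4j.com, so the count is a signal about attention to a term, not a list of relevant domains. Calling `demo("2021-12-20")` on the same rows, where the constructed data has no registrations after December 14, shows the other half of the definition: the bloom ends on December 15 and the post-bloom baseline is reported for comparison with the pre-disclosure one.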

Does this Bloom Contain Poison?

As our Domain Blooms report found, some blooms have a distribution of Domain Risk Scores showing a higher proportion of malicious domains than a random sample. So far, the developing log4j bloom shows a modest amount of known or predicted maliciousness. Only one domain, log4j-test[.]xyz, has been put on well-known block lists, but 13 more have extremely high Risk Scores (90-99) and another 12 are high-risk (70-89), so it’s likely that actors are looking to cause some kind of mischief with some of these domains.

For defenders, the low number of log4j-themed domains so far means that you’re not too likely, statistically speaking, to see traffic from your environment to one of these domains, and if you do, there’s no guarantee that you’ll have hit a bad one. The one most likely to show up in your traffic logs, to date, is log4jmemes[.]com.


It’s too soon to tell when we’ll reach the peak of the log4j domain bloom. If we see other noteworthy activity related to this bloom, we’ll likely post that info at @SecuritySnacks. Meanwhile, stay safe out there, and here’s hoping your Log4j instances are now patched!

Indicator List: log4j domains as of 12/15/21

Many of these domains may be completely benign. Note also that the list includes near-miss spellings such as lg4j[.]com, lol4j[.]com, log4rj[.]com and log4[.]dev that do not contain the exact string “log4j”, so a plain substring match over your logs will not catch them.


alanlog4j[.]xyz
ast-log4j-shell[.]es
canilog4j[.]com
dlog4j[.]cn
icanhazlog4j[.]com
ihatelog4j[.]com
lg4j[.]com
log4[.]dev
log4[.]org
log4j-check[.]com
log4j-fix[.]de
log4j-help[.]com
log4j-poc[.]com
log4j-test[.]xyz
log4j-testing[.]com
log4j[.]cc
log4j[.]co
log4j[.]co.kr
log4j[.]dev
log4j[.]fi
log4j[.]fun
log4j[.]help
log4j[.]io
log4j[.]is
log4j[.]it
log4j[.]link
log4j[.]live
log4j[.]ninja
log4j[.]online
log4j[.]pro
log4j[.]site
log4j[.]tk
log4j[.]top
log4j[.]xyz
log4j1[.]com
log4j2[.]cn
log4j2[.]com
log4j2[.]icu
log4j2[.]net
log4j2[.]store
log4jail[.]com
log4java[.]com
log4jay[.]com
log4jbug[.]com
log4jbugs[.]com
log4jcheck[.]com
log4jesus[.]com
log4jexploit[.]com
log4jfix[.]cf
log4jfix[.]com
log4jgear[.]com
log4jhack[.]com
log4jhelp[.]com
log4jmemes[.]com
log4jnerds[.]com
log4jrce[.]org
log4jscrape[.]com
log4jshell[.]com
log4jshirts[.]com
log4jsurvivor[.]com
log4jtest[.]co
log4jtest[.]tk
log4jtest[.]xyz
log4jvuln[.]com
log4jvulnerability[.]com
log4rj[.]com
lol4j[.]com
patchlog4j2live[.]xyz
testlog4j[.]com
vdelog4jcheck[.]click
zblog4jfinal[.]com
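One way a defender could act on the advice earlier in the post (watch for traffic from your environment to these domains) is to screen resolver logs against the list. The code below is an added example, not from the original post or from DomainTools: it refangs the `[.]` notation the list uses, matches a query name or any of its parent domains against the list, flags the one entry the post says is already on block lists separately, and falls back to the bloom’s n-gram for names that are not on the list yet. The log lines are constructed and the log format is a simplified text layout assumed for the example, not a specific resolver’s format; only a subset of the list is embedded, and the full list can be pasted into the same string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A subset of the indicator list above, kept in the defanged form the post uses;
# paste the whole list into this string to screen against all of it.
DEFANGED_INDICATORS = """
log4j-test[.]xyz
log4jmemes[.]com
log4j[.]dev
lol4j[.]com
log4jfix[.]com
"""

# The one entry the post says is already on well-known block lists.
BLOCKLISTED = {"log4j-test.xyz"}

# The n-gram that defines the bloom; a qname containing it but absent from the
# list is worth a look, since new registrations were still appearing daily.
NGRAM = "log4j"


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging: lowercase hostname with no trailing dot."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


INDICATORS = {refang(line) for line in DEFANGED_INDICATORS.splitlines() if line.strip()}

# Constructed resolver log lines (timestamp, client, "query", qname, qtype).
# Not real traffic; the layout is an assumed simple text log, not a product's format.
SAMPLE_LOG = """
2021-12-15T09:58:01Z 10.0.0.21 query www.catalog4jewels.com A
2021-12-15T10:01:02Z 10.0.0.5 query www.log4jmemes.com A
2021-12-15T10:01:03Z 10.0.0.5 query LOG4JMEMES.COM. AAAA
2021-12-15T10:04:17Z 10.0.0.9 query logging.apache.org A
2021-12-15T10:07:40Z 10.0.0.13 query cdn.log4j-test.xyz A
2021-12-15T10:09:11Z 10.0.0.13 query lol4j.com A
2021-12-15T10:12:55Z 10.0.0.2 query log4jvulnerability.com A
2021-12-15T10:13:00Z 10.0.0.2 query update.example.net A
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


@dataclass
class Hit:
    ts: str
    client: str
    qname: str
    verdict: str    # "blocklisted", "listed" or "ngram"
    indicator: str  # the list entry that matched, or the n-gram itself


def listed_parent(qname: str) -> Optional[str]:
    """Return the indicator equal to `qname` or to one of its parent domains, if any.

    Walking up the labels catches hosts such as www.log4jmemes.com; the TLD alone
    is never tested, so a bare "com" cannot match anything.
    """
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate
    return None


def screen(log_text: str) -> List[Hit]:
    """Return one Hit per log line whose qname is on the list or contains the n-gram."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line: skip it rather than abort the sweep
        qname = m["qname"].lower().rstrip(".")   # normalise case and the trailing dot
        indicator = listed_parent(qname)
        if indicator in BLOCKLISTED:
            verdict = "blocklisted"
        elif indicator is not None:
            verdict = "listed"
        elif NGRAM in qname:
            verdict, indicator = "ngram", NGRAM   # not on the list, but carries the bloom's n-gram
        else:
            continue
        hits.append(Hit(m["ts"], m["client"], qname, verdict, indicator))
    return hits


if __name__ == "__main__":
    for hit in screen(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} {hit.qname:28} {hit.verdict:12} {hit.indicator}")
```

The three verdicts are deliberately kept apart because they carry different weight: a `blocklisted` hit is the only one with an external reputation judgement behind it, a `listed` hit means the name is in the bloom (and, as the post notes, may be completely benign), and an `ngram` hit is a triage prompt that will also fire on accidental substrings such as www.catalog4jewels.com in the sample. The lol4j.com line shows why list matching and n-gram matching complement each other: the lookalike is on the list but does not contain the string.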