The names suggest a parade of C-list websites. There was NewJunk4U.com and Monster-Ads.net, CoffeeHausBlog.com and SuddenPlot.com. But these sad-sounding domains actually were artful creations of the National Security Agency: They were fronts for distributing and controlling government malware around the world.
Those domains and 109 others came to light last month as part of the "Equation Group" report from anti-virus vendor Kaspersky. Researchers at Kaspersky identified 300 such domains, and published 113 of them.
The NSA's malware domains always have been a closely guarded secret---it's the kind of direct, actionable information that can expose even old cyber espionage operations. Now the agency is in an awkward position: What should it do with these domains now that their covers have been blown? The domains were chosen to look legitimate, which means the US government is effectively cyber squatting on a sizable portfolio of names like newjunk4u.com and businessdealsblog.com that are no longer useful for espionage, but potentially valuable for business.
How much would those domains be worth if the NSA liquidated them in a public auction, like any other disused government property? I gave the list to a veteran domain name broker, Sedo's Dave Evanson, who's been making deals since the domain-speculation salad days of the 1990s.
Evanson specializes in blue chip domains like mm.com, which he sold for a tidy $1.2 million last year, so at first glance he isn't impressed with the NSA's portfolio---the spy agency used a lot of fake download sites, ad networks, and notional technology blogs in its espionage. "Not going to have a lot of appeal to Joe or Mary Sixpack," he grumbles.
But as he studies the list, he starts spotting domains with some resell potential. TechnicalConsumerReports.com, once used as an infection platform for NSA malware, might be worth something to a technology news outlet. "That name will most likely go for a few thousand dollars, and maybe as high as 10 or 15," he says. The name xLiveHost.com, formerly a command-and-control server for the NSA's most sophisticated known malware suite, EquationDrug, would make a good porn site today. "I would rather have been selling it 15 years ago than now. But it's got value, maybe five to seven grand… Sex.com, we sold that for 13 million."
SuddenPlot.com also has curb appeal. As a dot-com with two short words and no hyphen, it has solid fundamentals. But his advice is that the NSA hold on to that one until it hears from a motivated buyer---perhaps a funeral home that specializes in unexpected deaths. He's more excited about CustomerScreenSavers.com. Evanson would shop that directly to companies that make screen savers, then sit back and watch the bidding war. "I would probably start in the $30,000 or $40,000 range," he says.
In all, Evanson estimates the published Equation Group domains are worth between $175,000 and $200,000.
The NSA's use of covert domain names puts it in some ignoble company. The Internet's domain name system is littered with the detritus of past espionage, sabotage, and criminal hacking campaigns---some 2.2 million domains in all, according to OpenDNS, which maintains a comprehensive blacklist. In contrast, phishing sites, where attackers set up fake login pages for banks and other companies, account for just 4,200 domains.
The most visible activity is at the surface: malicious websites that serve attack code to victims' browsers. But deeper down you find a much larger pool of domains that make up the malware industry's command-and-control infrastructure. When attack code gets onto your machine, for example, the first thing it's likely to do is quietly "phone home" to one of those domains to report the new infection and accept commands from the hacker.
Hackers employ varying strategies in choosing command-and-control domain names. Some malware, like the Conficker botnet and the CryptoLocker ransomware, used algorithmically generated gobbledygook domains like ywyiqzymjej.ws and jxjyndpaoofctm.com. That technique lacks grace, but allows the black hats to register hundreds or thousands of new domains every day automatically.
Intruders more concerned with stealth than growth---including the Chinese military and, we now know, the NSA---compete to register a smaller number of legitimate-looking domains. "If someone is doing any sort of security log monitoring or investigation, if it looks like a legitimate domain it's probably not going to set off a lot of flares," says Andrew Hay, director of security research at OpenDNS.
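As an added example (not part of the article), the following Python triage of a constructed DNS query log illustrates Hay's point: a lexical heuristic for algorithmically generated names flags the Conficker-style domains quoted above, while the article's legitimate-looking NSA domains sail through it and are caught only by a blocklist of the published names. The log lines, client addresses, thresholds and the small blocklist are all constructed for this example.

```python
import math
import re
from collections import Counter
# Constructed DNS query log (client IP, queried name). The names are the ones the
# article discusses; the clients and the line format are made up for this example.
DNS_LOG = """\
10.0.0.5 ywyiqzymjej.ws
10.0.0.7 jxjyndpaoofctm.com
10.0.0.9 newjunk4u.com
10.0.0.9 technicalconsumerreports.com
10.0.0.12 xlivehost.com
10.0.0.3 example.com
"""

# A few of the domains published in the Equation Group report, used as a blocklist.
PUBLISHED_DOMAINS = {"newjunk4u.com", "technicalconsumerreports.com",
                     "xlivehost.com", "suddenplot.com"}
VOWELS = set("aeiou")

def registrable_label(domain):
    """'www.newjunk4u.com' -> 'newjunk4u' (naive: second label from the right)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]
def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())
def dga_score(domain):
    """0..3: a point each for high entropy, a low vowel ratio, a long consonant run."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    longest_run = max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", label)), default=0)
    return (shannon_entropy(label) > 3.0) + (vowel_ratio < 0.3) + (longest_run >= 4)
def classify(domain):
    """A blocklist hit beats the heuristic; otherwise 'suspicious-dga' or 'unflagged'."""
    d = domain.lower().rstrip(".")
    if any(d == b or d.endswith("." + b) for b in PUBLISHED_DOMAINS):
        return "blocklisted"
    return "suspicious-dga" if dga_score(d) >= 2 else "unflagged"
def triage_log(log_text):
    """Verdict per queried name in the log."""
    return {name: classify(name) for _, name in (ln.split() for ln in log_text.splitlines())}
def heuristic_blind_spots():
    """Published domains the lexical heuristic alone would have let through."""
    return sorted(d for d in PUBLISHED_DOMAINS if dga_score(d) < 2)
if __name__ == "__main__":
    for name, verdict in triage_log(DNS_LOG).items():
        print(f"{name:32} score={dga_score(name)} -> {verdict}")
    print("missed without the blocklist:", heuristic_blind_spots())
```

Every one of the published names in the small blocklist scores below the heuristic threshold, which is exactly why defenders depend on published indicator lists like the one in the Kaspersky report rather than on lexical signals alone.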
The NSA didn't respond to an inquiry from WIRED about its plans for the domains. But it's safe to say the agency hasn't demonstrated any interest in monetizing its holdings. In fact, Kaspersky says that of the 300 registered domains it found, the registration on about two dozen had been allowed to lapse. Kaspersky grabbed those domains for itself and directed incoming traffic to its own servers, allowing it to build a map of infected computers trying to phone home to the NSA.
The NSA domains were registered through a GoDaddy service that enables anonymous registration, so a whois lookup doesn't reveal the aliases or front-companies the agency uses. At least not yet. GoDaddy's terms of service allow it to revoke the anonymity of anyone who uses it to "transmit viruses, Trojan Horses, access codes, backdoors, worms, timebombs" etc.
GoDaddy spokesman Nick Fuller says the company is conducting an investigation into the Equation Group. "We'll circle back once the investigation is completed."