DOCSLIB.ORG

Towards Automated Detection of Shadowed Domains

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Don’t Let One Rotten Apple Spoil the Whole Barrel: Towards Automated Detection of Shadowed Domains Daiping Liu Zhou Li Kun Du University of Delaware ACM Member Tsinghua University [email protected] [email protected] [email protected] Haining Wang Baojun Liu Haixin Duan University of Delaware Tsinghua University Tsinghua University [email protected] [email protected] [email protected] ABSTRACT scammers set up phishing websites on domains resembling well- Domain names have been exploited for illicit online activities for known legitimate ones [38, 75]. In the past, Internet miscreants decades. In the past, miscreants mostly registered new domains mostly registered new domains to launch attacks. To mitigate the for their attacks. However, the domains registered for malicious threats, tremendous efforts [10, 14, 33, 41, 77] have been devoted purposes can be deterred by existing reputation and blacklisting in the last decade to construct reputation and blacklisting systems systems. In response to the arms race, miscreants have recently that can fend off malicious domains before visited by users. Allof adopted a new strategy, called domain shadowing, to build their these endeavors render it less effective to register new domains attack infrastructures. Specifically, instead of registering new do- for attacks. In response, miscreants have moved forward to more mains, miscreants are beginning to compromise legitimate ones sophisticated and stealthy strategies. and spawn malicious subdomains under them. This has rendered In fact, there is a newly emerging class of attacks adopted by almost all existing countermeasures ineffective and fragile because cybercriminals to build their infrastructure for illicit online activi- subdomains inherit the trust of their apex domains, and attackers ties, domain shadowing, where instead of registering new domains, can virtually spawn an infinite number of shadowed domains. miscreants infiltrate the registrant accounts of legitimate domains In this paper, we conduct the first study to understand and detect and spawn subdomains under them for malicious purposes. Domain this emerging threat. Bootstrapped with a set of manually confirmed shadowing is becoming increasingly popular due to its superior shadowed domains, we identify a set of novel features that uniquely ability to evade detection. The shadowed domains naturally inherit characterize domain shadowing by analyzing the deviation from the trust of a legitimate parent zone, and miscreants can even set their apex domains and the correlation among different apex do- up authentic HTTPS connections with Let’s Encrypt [59]. Even mains. Building upon these features, we train a classifier and apply worse, miscreants can create an infinite number of subdomains it to detect shadowed domains on the daily feeds of VirusTotal, a under many hijacked legitimate domains and rapidly rotate among large open security scanning service. Our study highlights domain them at no cost. This makes it quite challenging to keep blacklists shadowing as an increasingly rampant threat. Moreover, while pre- up-to-date and gather useful information for meaningful analysis. viously confirmed domain shadowing campaigns are exclusively While domain shadowing has been reported in public outlets like involved in exploit kits, we reveal that they are also widely exploited blogs.cisco.com [8, 40], most previous studies only elaborate on for phishing attacks. Finally, we observe that instead of algorith- sporadic cases collected in a short time through manual analysis. mically generating subdomain names, several domain shadowing It is still unclear how serious the threat is and how to address this cases exploit the wildcard DNS records. domain shadowing problem on a larger scale. In this paper, we conduct the first comprehensive study of do- main shadowing in the wild, and we present a novel system to au- 1 INTRODUCTION tomatically detect shadowed domains by addressing the following The domain name system (DNS) serves as one of the most funda- unique challenges. Shadowed domains by design do not present sus- mental Internet components and provides critical naming services picious registration information, and thus all detectors leveraging for mapping domain names to IP addresses. Unfortunately, it has these data [30, 33, 34] can be easily bypassed. Blindly blacklisting also been constantly abused by miscreants for illicit online activities. all sibling subdomains of shadowed domains is also infeasible in For instance, botnets exploit algorithmically generated domains to practice, since it can cause large amounts of collateral damage. Last circumvent the take-down efforts of authorities [11, 65, 86], and but not least, most suspicious DNS patterns identified in previous Permission to make digital or hard copies of all or part of this work for personal or studies do not work well in domain shadowing. For instance, Kopis classroom use is granted without fee provided that copies are not made or distributed [10] analyzes the collective features of all visitors to a domain. How- for profit or commercial advantage and that copies bear this notice and the full citation ever, our study has seen many shadowed domains being visited on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, only once, rendering the collective features insignificant. Such col- to post on servers or to redistribute to lists, requires prior specific permission and/or a lective features can be applied to malicious apex domains1 because fee. Request permissions from [email protected]. CCS ’17, October 30-November 3, 2017, Dallas, TX,USA © 2017 Association for Computing Machinery. 1An apex domain is also known as a bare/base/naked/root domain that is separated ACM ISBN 978-1-4503-4946-8/17/10...$15.00 from the top level domain by a dot, e.g., foo.com, and needs to be purchased from https://doi.org/10.1145/3133956.3134049 registrars. the domain registration cost will become unaffordable if an apex is in phishing attacks. Another interesting finding is that miscreants used only a few times. also exploit the wildcard DNS records to spawn shadowed domains. To bootstrap the design of our detector, we collect a set of 26,132 Roadmap. The remainder of this paper is organized as follows. confirmed shadowed domains under 4,862 distinct zones through Section 2 introduces the background of DNS and shadowed domains. manually searching and reviewing technical reports by security pro- Section 3 presents the design and extracted features of our detector. fessionals. Comparing them with legitimate subdomains, we find In Section 4, we validate the efficacy of our detector using labeled that the shadowed ones can be characterized and distinguished by datasets. We then conduct a large-scale analysis of the shadowed two dimensions. On one hand, shadowed domains usually exhibit domains in Section 5. Section 6 discusses the limitations of our deviant behaviors and are more isolated from those known-good detection approach. Finally, we survey related work in Section 7 subdomains under the same parent zone. For instance, most le- and conclude in Section 8. gitimate domains are hosted on reputable servers, which usually strictly restrict illicit content. Due to the nature of their criminal ac- 2 BACKGROUND tivity and their demand to evade detection and possible take-down, We give a brief overview of the domain system in the beginning shadowed domains have to be hosted on cheap and cybercriminal- of this section. Then, we describe the schema regarding domain friendly servers. This deviation serves as a prominent indicator shadowing attacks and use one real-world case identified by our of potential shadowed domains. On the other hand, miscreants detection system to walk through the attack flow. tend to exploit a set of shadowed domains under different parent zones within the same campaign. This can greatly increase the 2.1 Basics of Domain Names resilience and stealthiness of their infrastructure. However, such correlation also presents suspicious synchronous characteristics. Domain name structure. A domain name is presented in the For instance, shadowed domains in the same campaign usually structure of hierarchical tree (e.g., a.example.com), with each level appear and disappear at the same time. (e.g., example.com) associated with a DNS zone. For one DNS zone, Based on these observations, we develop a novel system, called there is a single manager that oversees the changes of domains Woodpecker, to automatically detect shadowed domains by inspect- within its territory and provides authoritative name-to-address ing the deviation of subdomains to their parent zones and the cor- resolution services through the DNS server. The top of the domain relation of shadowed domains among different zones. In particular, hierarchy is the root zone, which is usually represented as a dot. So we compose 17 features characterizing the usage, hosting, activity, far, the root zone is managed by ICANN, and there are 13 logical and name patterns of subdomains, based on the passive DNS data. root servers operated by 12 organizations. Below the root level is Five classifiers (Support Vector Machine, RandomForest, Logistic the top-level domain (TLD), a label after the rightmost dot in the Regression, Naive Bayes, and Neural Network) are then trained domain name. The commonly used TLDs are divided into three using these features. We achieve a 98.5% detection rate with an ap- groups, including generic TLDs (gTLDs) like .com, country-code proximately 0.1% false positive rate with a 10-fold cross-validation TLDs (ccTLDs) like .uk, and sponsored TLDs (sTLDs) like .jobs. when using RandomForest. Next to TLD is the second-level domain (2LD) (e.g., .example.com), Woodpecker is envisioned to be deployed in several scenarios, which can be directly registered from registrars (like GoDaddy) e.g., domain registrars and upper DNS hierarchy as a complement to if not yet occupied, in most cases. One exception occurs when Kopis [10], generating more accurate indicators about the ongoing both ccTLD and gTLD appear in the domain name, like .co.uk, cybercrimes.
Recommended publications
  • Characterizing Certain Dns Ddos Attacks

    Characterizing Certain Dns Ddos Attacks

    CHARACTERIZING CERTAIN DNS DDOSATTACKS APREPRINT Renée Burton Cyber Intelligence Infoblox [email protected] July 23, 2019 ABSTRACT This paper details data science research in the area of Cyber Threat Intelligence applied to a specific type of Distributed Denial of Service (DDoS) attack. We study a DDoS technique prevalent in the Domain Name System (DNS) for which little malware have been recovered. Using data from a globally distributed set of a passive collectors (pDNS), we create a statistical classifier to identify these attacks and then use unsupervised learning to investigate the attack events and the malware that generates them. The first known major study of this technique, we discovered that current attacks have little resemblance to published descriptions and identify several previously unpublished features of the attacks. Through a combination of text and time series features, we are able to characterize the dominant malware and demonstrate that the number of global-scale attack systems is relatively small. 1 Introduction In the field of Cyber Security, there is a rich history of characterizing malicious actors, their mechanisms and victims, through the analysis of recovered malware1 and related event data. Reverse engineers and threat analysts take advantage of the fact that malware developers often unwittingly leave fingerprints in their code through the choice of libraries, variables, infection mechanisms, and other observables. In some cases, the Cyber Security Industry is able to correlate seemingly disparate pieces of information together and attribute malware to specific malicious actors. Identifying a specific technique or actor involved in an attack, allows the Industry to better understand the magnitude of the threat and protect against it.
  • Proactive Cyberfraud Detection Through Infrastructure Analysis

    Proactive Cyberfraud Detection Through Infrastructure Analysis

    PROACTIVE CYBERFRAUD DETECTION THROUGH INFRASTRUCTURE ANALYSIS Andrew J. Kalafut Submitted to the faculty of the Graduate School in partial fulfillment of the requirements for the degree Doctor of Philosophy in Computer Science Indiana University July 2010 Accepted by the Graduate Faculty, Indiana University, in partial fulfillment of the requirements of the degree of Doctor of Philosophy. Doctoral Minaxi Gupta, Ph.D. Committee (Principal Advisor) Steven Myers, Ph.D. Randall Bramley, Ph.D. July 19, 2010 Raquel Hill, Ph.D. ii Copyright c 2010 Andrew J. Kalafut ALL RIGHTS RESERVED iii To my family iv Acknowledgements I would first like to thank my advisor, Minaxi Gupta. Minaxi’s feedback on my research and writing have invariably resulted in improvements. Minaxi has always been supportive, encouraged me to do the best I possibly could, and has provided me many valuable opportunities to gain experience in areas of academic life beyond simply doing research. I would also like to thank the rest of my committee members, Raquel Hill, Steve Myers, and Randall Bramley, for their comments and advice on my research and writing, especially during my dissertation proposal. Much of the work in this dissertation could not have been done without the help of Rob Henderson and the rest of the systems staff. Rob has provided valuable data, and assisted in several other ways which have ensured my experiments have run as smoothly as possible. Several members of the departmental staff have been very helpful in many ways. Specifically, I would like to thank Debbie Canada, Sherry Kay, Ann Oxby, and Lucy Battersby.
  • Taxonomy and Adversarial Strategies of Random Subdomain Attacks

    Taxonomy and Adversarial Strategies of Random Subdomain Attacks

    Taxonomy and Adversarial Strategies of Random Subdomain Attacks Harm Griffioen and Christian Doerr Delft University of Technology, Cybersecurity Group Van Mourik Broekmanweg 6, Delft, The Netherlands fh.j.griffioen, [email protected] Abstract—Ever since the introduction of the domain name new type of attack gained some visibility when source code system (DNS), attacks on the DNS ecosystem have been a steady triggering it was discovered in a forensic analysis of the Mirai companion. Over time, targets and techniques have shifted, Internet-of-Things malware in 2016 [?], since then a number and in the recent past a new type of attack on the DNS has of actors have picked up this particular technique. emerged. In this paper we report on the DNS random subdomain attack, querying floods of non-existent subdomains, intended to Until now, very little is known how these attacks are cause a denial-of-service on DNS servers. Based on five major executed and exactly using which means. This paper intends to attacks in 2018 obtained through backscatter measurements in address this gap. Based on backscatter measurements through a a large network telescope, we show the techniques pursued by large network telescope, we observed the emergence of random adversaries, and develop a taxonomy of strategies of this attack. subdomain attacks over a period of three years and will in this paper make the following two contributions: Keywords—cyber threat intelligence, random subdomain attack, DNS, DDoS • We show the spectrum of different types of random subdomain attacks in use in the wild today based on I. INTRODUCTION five exemplary case studies, and use this to develop a taxonomy of random subdomain attacks.
  • Domain Name System 1 Domain Name System

    Domain Name System 1 Domain Name System

    Domain Name System 1 Domain Name System The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. A Domain Name Service translates queries for domain names (which are easier to understand and utilize when accessing the internet) into IP addresses for the purpose of locating computer services and devices worldwide. An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 192.0.43.10 (IPv4) and 2620:0:2d0:200::10 (IPv6). The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them. The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain.
  • Country Code Top-Level Domain (Cctld) Project for State of Kuwait

    Country Code Top-Level Domain (Cctld) Project for State of Kuwait

    Country Code Top-Level Domain (ccTLD) Project for State of Kuwait Communication and Information Technology Regulatory Authority (CITRA) assigns, organizes, manages and codes the top domain names for the State of Kuwait (.kw) for access to the Internet in accordance with best practices and standards in this field, ensuring the efficiency, fairness and transparency for the beneficiaries. This includes the regulation and implementation of all regulations, policies and procedures in relation to the operation of the country code's top-level domain. What is a domain name? A domain name is the address and identity of any website. It is a means of accessing websites directly without having to search them in the search engines. The domain name is a system of converting IP addresses and numbers used to locate computers on the Internet. Domain names provide a system of easy-to-use Internet addresses that can be translated through the DNS - Domain Name System (a system that stores information related to Internet domain names in a decentralized database on the Internet) on the network. What is a ccTLD? Country code top-level domains or the highest country encoding range: used by an independent country or territory. It consists of two letters, such as .eg for Egypt or. sa for Saudi Arabia or .kw for the State of Kuwait. The registration of a domain name (.kw) became easy and smooth process after the establishment and launch of the electronic registration system for the management and operation of domains through the Communication and Information Technology Regulatory Authority and the accredited registrars authorized by the Communication and Information Technology Regulatory Authority and responsible for providing integrated registration services for those wishing to register (.Kw).
  • DNS) Administration Guide

    DNS) Administration Guide

    Edgecast Route (DNS) Administration Guide Disclaimer Care was taken in the creation of this guide. However, Edgecast cannot accept any responsibility for errors or omissions. There are no warranties, expressed or implied, including the warranty of merchantability or fitness for a particular purpose, accompanying this product. Trademark Information EDGECAST is a registered trademark of Verizon Digital Media Services Inc. About This Guide Route (DNS) Administration Guide Version 2.40 8/28/2021 ©2021 Verizon Media. All rights reserved. Table of Contents Route ............................................................................................................................................................. 1 Introduction .............................................................................................................................................. 1 Scope ......................................................................................................................................................... 1 Module Comparison ................................................................................................................................. 2 Managed (Primary) or Secondary DNS Module .................................................................................... 2 DNS Health Checks Module .................................................................................................................. 3 Billing Activation ......................................................................................................................................
  • Rssac026v2: RSSAC Lexicon

    Rssac026v2: RSSAC Lexicon

    RSSAC026v2: RSSAC Lexicon An Advisory from the ICANN Root Server System Advisory Committee (RSSAC) 12 March 2020 RSSAC Lexicon Preface This is an Advisory to the Internet Corporation for Assigned Names and Numbers (ICANN) Board of Directors and the Internet community more broadly from the ICANN Root Server System Advisory Committee (RSSAC). In this Advisory, the RSSAC defines terms related to root server operations for the ICANN Community. The RSSAC seeks to advise the ICANN community and Board on matters relating to the operation, administration, security and integrity of the Internet’s Root Server System. This includes communicating on matters relating to the operation of the Root Servers and their multiple instances with the technical and ICANN community, gathering and articulating requirements to offer to those engaged in technical revisions of the protocols and best common practices related to the operational of DNS servers, engaging in ongoing threat assessment and risk analysis of the Root Server System and recommend any necessary audit activity to assess the current status of root servers and root zone. The RSSAC has no authority to regulate, enforce, or adjudicate. Those functions belong to others, and the advice offered here should be evaluated on its merits. The RSSAC has relied on the RSSAC Caucus, a group of DNS experts who have an interest in the Root Server System to perform research and produce this publication. A list of the contributors to this Advisory, references to RSSAC Caucus members’ statement of interest, and RSSAC members’ objections to the findings or recommendations in this Report are at the end of this document.
  • DNS) Deployment Guide

    DNS) Deployment Guide

    Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-81 Revision 1 Title: Secure Domain Name System (DNS) Deployment Guide Publication Date(s): April 2010 Withdrawal Date: September 2013 Withdrawal Note: SP 800-81 Revision 1 is superseded in its entirety by the publication of SP 800-81-2 (September 2013). Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-81-2 Title: Secure Domain Name System (DNS) Deployment Guide Author(s): Ramaswamy Chandramouli, Scott Rose Publication Date(s): September 2013 URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-81-2 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Lab) Latest revision of the SP 800-81-2 (as of August 7, 2015) attached publication: Related information: http://csrc.nist.gov/ Withdrawal N/A announcement (link): Date updated: ƵŐƵƐƚϳ, 2015 Special Publication 800-81r1 Sponsored by the Department of Homeland Security Secure Domain Name System (DNS) Deployment Guide Recommendations of the National Institute of Standards and Technology Ramaswamy Chandramouli Scott Rose i NIST Special Publication 800-81r1 Secure Domain Name System (DNS) Deployment Guide Sponsored by the Department of Homeland Security Recommendations of the National Institute of Standards and Technology Ramaswamy Chandramouli Scott Rose C O M P U T E R S E C U R I T Y Computer Security Division/Advanced Network Technologies Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899 April 2010 U.S.
  • How to Add Domains and DNS Records

    How to Add Domains and DNS Records

    Barracuda NextGen Firewall X How to Add Domains and DNS Records https://campus.barracuda.com/doc/41109753/ Configure the Barracuda NextGen X-Series Firewall to be the authoritative DNS server for your domains or subdomains to take advantage of Split DNS or dead link detection. Step 1. Make the X-Series Firewall the authoritative DNS server at your domain registrar To become the authoritative DNS server for a domain contact the registrar for your domain to use the static or dynamic WAN IP addresses of your X-Series Firewall. Hosting a subdomain If you want to delegate a subdomain to the X-Series Firewall, add ns1 and ns2 records to the zone file of the domain where it is stored at the registrar. If the domain is yourdomain.com, and you want to host subdomain.yourdomain.com add the following DNS records: subdomain IN NS ns1 subdomain IN NS ns2 ns1 IN A <WAN IP 1 OF YOUR BARRACUDA FIREWALL> ns2 IN A <WAN IP 2 OF YOUR BARRACUDA FIREWALL> Step 2. Enable authoritative DNS on the X-Series Firewall In the DNS Servers table, you can view a list of the static IP addresses for which the DNS Server service is enabled (NETWORK > IP Configuration). Dynamic IP addresses are not listed. An access rule is created in step 3 to redirect incoming DNS requests on dynamic interfaces to the DNS service on the firewall. The access rule LOCALDNSCACHE must be active after enabling authoritative DNS for local clients to access the DNS server. 1. Go to the NETWORK > Authoritative DNS page.
  • DNS Introduction

    DNS Introduction

    DNS Introduction www.what-is-my-ip-address.com (C) Herbert Haas 2005/03/11 1 “Except for Great Britain. According to ISO 3166 and Internet tradition, Great Britain's top-level domain name should be gb. Instead, most organizations in Great Britain and Northern Ireland (i.e., the United Kingdom) use the top-level domain name uk. They drive on the wrong side of the road, too.” DNS and BIND book Footnote to the ISO 3166 two-letter country code TLDs 2 DNS Tree Growth 162,128,493 by 2002/7 (C) Herbert Haas 2005/03/11 3 The ISC about the new DNS survey method: The new survey works by querying the domain system for the name assigned to every possible IP address. However, this would take too long if we had to send a query for each of the potential 4.3 billion (2^32) IP addresses that can exist. Instead, we start with a list of all network numbers that have been delegated within the IN-ADDR.ARPA domain. The IN-ADDR.ARPA domain is a special part of the domain name space used to convert IP addresses into names. For each IN- ADDR.ARPA network number delegation, we query for further subdelegations at each network octet boundary below that point. This process takes about two days and when it ends we have a list of all 3-octet network number delegations that exist and the names of the authoritative domain servers that handle those queries. This process reduces the number of queries we need to do from 4.3 billion to the number of possible hosts per delegation (254) times the number of delegations found.
  • DNS and the DNS Cache Poisoning Attack

    DNS and the DNS Cache Poisoning Attack

    Lecture 17: DNS and the DNS Cache Poisoning Attack Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) June 25, 2021 3:21pm ©2021 Avinash Kak, Purdue University Goals: The Domain Name System BIND Configuring BIND Running BIND on your Ubuntu laptop Light-Weight Nameservers (and how to install them) DNS Cache Poisoning Attack Writing Perl and Python code for cache poisoning attacks Dan Kaminsky’s More Virulent DNS Cache Poisoning Attack CONTENTS Section Title Page 17.1 Internet, Harry Potter, and the Magic of DNS 3 17.2 DNS 5 17.3 An Example That Illustrates Extensive DNS 13 Lookups in Even the Simplest Client-Server Interactions 17.4 The Domain Name System and The dig Utility 28 17.5 host, nslookup, and whois Utilities for Name 42 Lookup 17.6 Creating a New Zone and Zone Transfers 45 17.7 DNS Cache 48 17.7.1 The TTL Time Interval 51 17.8 BIND 56 17.8.1 Configuring BIND 58 17.8.2 An Example of the named.conf Configuration File 64 17.8.3 Running BIND on Your Ubuntu Laptop 68 17.9 What Does it Mean to Run a Process in a 70 chroot Jail? 17.10 Phishing versus Pharming 73 17.11 DNS Cache Poisoning 74 17.12 Writing Perl and Python Code for Mounting a 81 DNS Cache Poisoning Attack 17.13 Dan Kaminsky’s More Virulent Exploit for 92 DNS Cache Poisoning 17.14 Homework Problems 99 Computer and Network Security by Avi Kak Lecture 17 Back to TOC 17.1 INTERNET, HARRY POTTER, AND THE MAGIC OF DNS If you have read Harry Potter, you are certainly familiar with the use of owl mail by the wizards and the witches.
  • Verisign-Cnic-Lawsuit

    Verisign-Cnic-Lawsuit

    Case 1:15-cv-01028-LO-IDD Document 1-1 Filed 08/13/15 Page 1 of 123 PageID# 5 VIRGINIA: IN THE CIRCUIT COURT OF FAIRFAX COUNTY VERISIGN, INC., Plaintiff, V. Civil Action No. CL 2015-3519 CENTRALNIC LIMITED, XYZ.COM LLC Serve; Paracorp Incorporated, Reg. Agt. 318 N. Carson Street, Suite 208 Carson City, NV 89701 -and- DANIEL NEGARI, 205 South Camden Drive Beverly Hills, CA 90212 Defendants. FIRST AMENDED COMPLAINT COMES NOW the plaintiff, VeriSign, Inc. ("Verisign"), bycounsel, and for its first amended complaintstates the following: Parties 1. Verisign is a corporation organized and existing under the laws of the State of Delaware, having its principal place of business in the Commonwealth of Virginia. EXHIBIT /I Case 1:15-cv-01028-LO-IDD Document 1-1 Filed 08/13/15 Page 2 of 123 PageID# 6 2. Defendant CentralNic Limited ("CentralNic") is a corporation organized and existing under the laws of the United Kingdom, having its principal place of business in London, England. 3. Defendant XYZ.COM LLC ("XYZ") is a limited liability company organized and existing under the laws of the State of Nevada, having its principal place ofbusiness in the State ofNevada. 4. Defendant Daniel Negari is a natural person who, upon information and belief, is a resident of the State of California. Upon information and belief, Negari owns and/or controls XYZ. Jurisdiction and Venue 5. This Court has subject matterjurisdiction over this action pursuant to Virginia Code § 17.1-513. 6. CentralNic, XYZ and Negari are subject to personal jurisdiction in this Court pursuant to Virginia Code § 8.01-328.1(3 & 4) in that, as set forth herein, CentralNic, XYZ and Negari have caused tortious injury by acts in this Commonwealth; and have caused tortious injury in this Commonwealth by acts and omissions outside this Commonwealth and regularly do or solicit business, orengage in other persistent course ofconduct in this Commonwealth.