
TLD Domain Abuse: Threat Report - First Half 2011

Gunter Ollmann

When it comes to building a robust globe-spanning network of crimeware and making the victims dance to a tune of the cyber-criminals' choosing, you're guaranteed to find domain name abuse at the heart of the operation. DNS provides the critical flexibility and underlying scalability of modern command-and-control (C&C) infrastructure. Cyber-criminals that master DNS (and manage to maintain the stream of new domain registrations that keep it fed) tend to find themselves in command of the largest and most profitable crimeware networks.

A critical ingredient in constructing a C&C infrastructure capable of shrugging off takedown requests, sinkholing by security vendors and hijacking attempts from competitors, lies in the ability to procure new domain names from various registrars around the world at a pace quicker than those being taken away.

There are thousands of domain registration and server hosting companies around the world only too happy to register a particular domain on behalf of their customer for a small annual fee. Armed with a keyword, phrase or random gibberish, the customer can pick from over a hundred top-level domains (TLD) — ranging from popular generic TLDs (gTLD) such as .com, .biz and .name, through to any country with its own flag and dedicated country-code TLD (ccTLD), such as .ru for Russia or .tv for the Tuvalu Islands.

Over the years cyber-criminals have tended to favor particular TLDs. This favoritism is a reflection of many different factors — such as the registrars' responsiveness to external takedown requests, the enforcement and verification of registrant details, the ease of registration, etc. — but the net result is that some TLDs are more commonly abused than others.

Damballa Labs decided to take a closer look at the domain names that cyber-criminals were actively using to control their networks of victims throughout the first half of 2011. The following analysis relates to new findings disclosed in the Damballa Threat Report — First Half 2011 (available HERE).

Over the years, cyber-criminals have registered millions upon millions of domain names, the vast majority of which are no longer under their control or represent no immediate threat to the Internet at large. In our study we wanted to understand precisely which TLDs are most actively being abused by the bad guys — so we removed from our analysis the domain names that were no longer under criminal control (e.g. sinkholed, shut down, unregistered, etc.) or were associated with domain generation algorithm (DGA) registrations (e.g. the domains generated daily by Conficker and registered by security analysts hoping to count the number of victims that still remain).

For the first time ever, based upon our analysis, we were able to construct a Top 10 list of the most abused TLDs currently being used by cyber-criminals for C&C:

[Table: Top 10 abused TLDs — columns: gTLD or ccTLD, Percentage]

As expected, the most popular and frequently registered gTLDs on the Internet (.com, .info, .net, .org and .biz) all featured within the Top 10 list. The .com gTLD stands out by a substantial margin as the most commonly abused TLD — which is unlikely to surprise many people. It is interesting to note however that the .biz gTLD sits at 6th position with only 2.8% of the identified C&C abuse; it was not too many years ago that .biz was widely acknowledged as being the most frequently abused gTLD for all types of cybercrime.

For many threat analysts the presence of the Russian ccTLD ".ru" is not particularly surprising, as it has had a long history of abuse — and will likely remain that way without a substantial overhaul of its registration practices and increased responsiveness to external law enforcement requests. A surprise is that the Chinese ccTLD, .cn, is so much lower than .ru. This is likely a reflection of some of the more recent changes by the Chinese registrar to reduce abuse — such as requiring valid government documents proving the identity of the registrant.

The biggest surprise relates to the presence of the Indian ".in" ccTLD within this Top 10 list. The .in ccTLD has increasingly found itself the focus of abuse over recent months as the genesis for many C&C servers. This is likely a reflection of several other TLD registrars becoming better at identifying and responding to abuse, rather than any regressive changes in the way in which the Indian ccTLD is being managed.

One key takeaway from this analysis of current TLD abuse is that ccTLDs are disproportionately represented when compared to the number of legitimate domain registrations they typically hold. gTLDs like ".com" still have a long way to go in reducing the frequency of abuse, though.
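The two steps described above — discarding domains that are sinkholed, shut down, unregistered or DGA-generated before counting, and then comparing each TLD's share of live C&C domains against its share of legitimate registrations to see which are over-represented — can be expressed as a small script. The following is an added example, not Damballa's code or data: the observation records, the status values and the baseline registration shares are all constructed for illustration, and the post's own numbers are not reproduced.

```python
from collections import Counter

# Constructed sample of C&C domain observations (not data from the report).
# Each record is (domain, status, is_dga). Status values mirror the post's
# exclusion reasons: "sinkholed", "shutdown", "unregistered" or "active".
OBSERVED = [
    ("c2-a.com", "active", False),
    ("c2-b.com", "active", False),
    ("c2-c.com", "active", False),
    ("c2-d.net", "active", False),
    ("c2-e.ru", "active", False),
    ("C2-J.RU.", "active", False),         # mixed case and trailing dot
    ("c2-f.in", "active", False),
    ("c2-g.co.uk", "active", False),       # second-level registry; TLD is "uk"
    ("c2-h.biz", "sinkholed", False),      # no longer under criminal control
    ("c2-i.info", "unregistered", False),  # lapsed registration
    ("qpwoeiru.com", "active", True),      # DGA-generated, excluded
]

# Constructed baseline: share (%) of all legitimate registrations per TLD.
# Hypothetical figures chosen for illustration only.
LEGIT_SHARE = {"com": 50.0, "net": 7.0, "ru": 2.0, "in": 0.5, "uk": 5.0}


def tld(domain):
    """Return the top-level label of a domain, normalised to lowercase.

    The post groups by TLD, so 'c2-g.co.uk' counts toward 'uk' rather than
    toward the second-level registry 'co.uk'.
    """
    return domain.rstrip(".").lower().rsplit(".", 1)[-1]


def eligible(records):
    """Keep only domains still under criminal control and not DGA-generated."""
    return [d for d, status, is_dga in records if status == "active" and not is_dga]


def tld_shares(records):
    """Percentage of eligible C&C domains per TLD, rounded to one decimal."""
    counts = Counter(tld(d) for d in eligible(records))
    total = sum(counts.values())
    return {t: round(100.0 * n / total, 1) for t, n in counts.items()}


def top_tlds(records, n=10):
    """Top-N abused TLDs, most abused first; ties broken alphabetically."""
    shares = tld_shares(records)
    return sorted(shares.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def overrepresentation(records, legit_share):
    """Ratio of a TLD's share of C&C domains to its share of legitimate registrations.

    A ratio above 1.0 means the TLD is abused out of proportion to its size.
    TLDs without a baseline figure are skipped rather than guessed.
    """
    ratios = {}
    for t, abuse_pct in tld_shares(records).items():
        base = legit_share.get(t)
        if base:
            ratios[t] = round(abuse_pct / base, 2)
    return ratios


if __name__ == "__main__":
    for t, pct in top_tlds(OBSERVED):
        print(f".{t:<5} {pct:5.1f}%")
    for t, ratio in sorted(overrepresentation(OBSERVED, LEGIT_SHARE).items()):
        print(f".{t:<5} abuse/legit ratio {ratio}")
```

With the constructed input, .com still tops the raw count but sits below 1.0 on the ratio, while the small ccTLDs score far above it, which is the over-representation effect the post describes. Grouping by the last label is deliberate because the post counts by TLD; an analysis of registrable domains under second-level registries such as co.uk would need a public suffix list instead.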

In the meantime Damballa Labs will continue to track domain registration abuse and monitor the C&C situation.

Damballa FirstAlert, our cyber threat early warning system, has recently incorporated some new technologies — such as Kopis — that help to identify maliciously abused domains weeks, if not months, in advance of crimeware samples being detected by legacy threat detection systems.

By Gunter Ollmann, Chief Security Officer at Vectra

Related topics: Cybercrime, Cybersecurity, Cybersquatting, DNS, Domain Names, Policy & Regulation, Registry Services, Top-Level Domains
