Home / Blogs

TLD Domain Abuse: Threat Report - First Half 2011

Gunter Ollmann

When it comes to building a robust globe-spanning network of crimeware and making the victims dance to a tune of the cyber-criminals' choosing, you're guaranteed to find domain name abuse at the heart of the operation. DNS provides the critical flexibility and underlying scalability of modern command-and-control (C&C) infrastructure. Cyber-criminals that master DNS (and manage to maintain the stream of new domain registrations that keep it fed) tend to find themselves in command of the largest and most profitable crimeware networks.

A critical ingredient in constructing a C&C infrastructure capable of shrugging off takedown requests, sinkholing by security vendors and hijacking attempts from competitors, lies in the ability to procure new domain names from various registrars around the world at a pace quicker than those being taken away.

There are thousands of domain registration and server hosting companies around the world only too happy to register a particular domain on behalf of their customer for a small annual fee. Armed with a keyword, phrase or random-gibberish, the customer can pick from over a hundred top-level domains (TLD) — ranging from popular generic TLDs (gTLD) such as .com, .biz and .name, through to any country with its own flag and dedicated country-code TLD (ccTLD); such as .ru for Russia or .tv for the Tuvalu Islands.

Over the years cyber-criminals have tended to favor particular TLDs. This favoritism is a reflection of many different factors — such as the registrars responsiveness to external takedown requests, the enforcement and verification of registrant details, and the ease of registration, etc. — but the net result is that some TLDs are more commonly abused than others.

Damballa Labs decided to take a closer look at the domain names that cyber-criminals were actively using to control their networks of victims throughout the first half of 2011. The following analysis relates to new findings disclosed in the Damballa Threat Report — First Half 2011 (available HERE).

Over the years, cyber-criminals have registered millions-upon-millions of TLDs, the vast majority of which are no longer under their control or represent no immediate threat to the Internet at large. In our study we wanted to understand precisely which TLDs are most actively being abused by the bad guys — so we removed the domain names from our analysis that were no longer under their criminal control (e.g. sinkholed, shutdown, unregistered, etc.) or were associated with domain generation algorithm (DGA) registrations (e.g. the domains generated daily by Conficker and registered by security analysts hoping to count the number of victims that still remain).

For the first time ever, based upon our analysis, we were able to construct a Top 10 list of the most abused TLDs currently being used by cyber-criminals for C&C:

gTLD or ccTLDPercentage

As expected, the most popular and frequently registered gTLDs on the Internet (.com, .info, .net, .org and .biz) all featured within the Top 10 list. The .com gTLD stands out by a substantial margin as the most commonly abused TLD — which is unlikely to surprise many people. It is interesting to note however that the .biz gTLD sits at 6th position with only 2.8% of the identified C&C abuse; it was not too many years ago that .biz was widely acknowledged as being the most frequently abused gTLD for all types of cybercrime.

For many threat analysts the presence of the Russian ccTLD ".ru" is not particularly surprising, as it has had a long history of abuse — and will likely remain that way without a substantial overhaul of their registration practices and increases in responsiveness to external law enforcement requests. A surprise is that the Chinese ccTLD, .cn, is so much lower than .ru. This is likely a reflection of some of the more recent changes in the Chinese registrar to reduce abuse — such as requiring valid government documents proving the identity of the registrant.

The biggest surprise relates to the presence of the Indian ".in" ccTLD within this Top 10 list. The .in ccTLD has found itself increasingly the focus of abuse over recent months as the genesis for many C&C servers. This is likely a reflection of several TLD registrars becoming better at identifying and responding to abuse, rather than any regressive changes in the way in which the India ccTLD is being managed.

One key takeaway from this analysis of current TLD abuse is that ccTLDs are disproportionally represented when compared to the number of legitimate domain registrations typically registered with them. gTLDs like ".com" still have a long way to come in reducing the frequency of abuse though.

In the meantime Damballa Labs will continue to track domain registration abuse and monitor the C&C situation.

Damballa FirstAlert, our cyber threat early warning system, has recently incorporated some new technologies — such as Kopis — that help to identify maliciously abused domains weeks, if not months, in advance of crimeware samples being detected by legacy threat detection systems.

By Gunter Ollmann, Chief Security Officer at Vectra

Related topics: Cybercrime, Cybersquatting, DNS, Domain Names, Registry Services, Policy & Regulation, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Meet Boston Ivy, Home to Some of the Most Specialized TLDs in the Financial Services Sector

Move Beyond Defensive Domain Name Registrations, Towards Strategic Thinking

Is Your TLD Threat Mitigation Strategy up to Scratch?

Verisign Launches New gTLDs for the Korean Market, .닷컴 and .닷넷

Verisign Opens Landrush Program Period for .コム Domain Names

Domain Management Handbook from MarkMonitor

i2Coalition to Host First Ever Smarter Internet Forum

Afilias Announces Relaunch of .GREEN TLD

Encrypting Inbound and Outbound Email Connections with PowerMTA

New .PROMO Domain Sunrise Period Begins Today

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

Minds + Machines Group Announces Outsourcing Agreements, Web Address Change

.STORE Opens its Doors to Brands

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Startup on .TECH New Top-Level Domain Receives $6.7 Million in Funding

What Holds Firms Back from Choosing Cloud-Based External DNS?

United States Court Has Granted an Interim Relief for DCA Trust on .Africa gTLD

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

February Biggest Month to Date for Radix, Over 750K Domain Registrations

Sponsored Topics



Sponsored by

DNS Security

Sponsored by
Afilias - Mobile & Web Services


Sponsored by
Afilias - Mobile & Web Services


Sponsored by