Home / Blogs

TLD Domain Abuse: Threat Report - First Half 2011

Gunter Ollmann

When it comes to building a robust globe-spanning network of crimeware and making the victims dance to a tune of the cyber-criminals' choosing, you're guaranteed to find domain name abuse at the heart of the operation. DNS provides the critical flexibility and underlying scalability of modern command-and-control (C&C) infrastructure. Cyber-criminals that master DNS (and manage to maintain the stream of new domain registrations that keep it fed) tend to find themselves in command of the largest and most profitable crimeware networks.

A critical ingredient in constructing a C&C infrastructure capable of shrugging off takedown requests, sinkholing by security vendors and hijacking attempts from competitors, lies in the ability to procure new domain names from various registrars around the world at a pace quicker than those being taken away.

There are thousands of domain registration and server hosting companies around the world only too happy to register a particular domain on behalf of their customer for a small annual fee. Armed with a keyword, phrase or random-gibberish, the customer can pick from over a hundred top-level domains (TLD) — ranging from popular generic TLDs (gTLD) such as .com, .biz and .name, through to any country with its own flag and dedicated country-code TLD (ccTLD); such as .ru for Russia or .tv for the Tuvalu Islands.

Over the years cyber-criminals have tended to favor particular TLDs. This favoritism is a reflection of many different factors — such as the registrars responsiveness to external takedown requests, the enforcement and verification of registrant details, and the ease of registration, etc. — but the net result is that some TLDs are more commonly abused than others.

Damballa Labs decided to take a closer look at the domain names that cyber-criminals were actively using to control their networks of victims throughout the first half of 2011. The following analysis relates to new findings disclosed in the Damballa Threat Report — First Half 2011 (available HERE).

Over the years, cyber-criminals have registered millions-upon-millions of TLDs, the vast majority of which are no longer under their control or represent no immediate threat to the Internet at large. In our study we wanted to understand precisely which TLDs are most actively being abused by the bad guys — so we removed the domain names from our analysis that were no longer under their criminal control (e.g. sinkholed, shutdown, unregistered, etc.) or were associated with domain generation algorithm (DGA) registrations (e.g. the domains generated daily by Conficker and registered by security analysts hoping to count the number of victims that still remain).

For the first time ever, based upon our analysis, we were able to construct a Top 10 list of the most abused TLDs currently being used by cyber-criminals for C&C:

gTLD or ccTLDPercentage
.com40.5%
.ru22.8%
.info8.5%
.net5.9%
.in3.3%
.org2.8%
.biz2.8%
.cn1.7%
.tk0.7%
.cc0.4%

As expected, the most popular and frequently registered gTLDs on the Internet (.com, .info, .net, .org and .biz) all featured within the Top 10 list. The .com gTLD stands out by a substantial margin as the most commonly abused TLD — which is unlikely to surprise many people. It is interesting to note however that the .biz gTLD sits at 6th position with only 2.8% of the identified C&C abuse; it was not too many years ago that .biz was widely acknowledged as being the most frequently abused gTLD for all types of cybercrime.

For many threat analysts the presence of the Russian ccTLD ".ru" is not particularly surprising, as it has had a long history of abuse — and will likely remain that way without a substantial overhaul of their registration practices and increases in responsiveness to external law enforcement requests. A surprise is that the Chinese ccTLD, .cn, is so much lower than .ru. This is likely a reflection of some of the more recent changes in the Chinese registrar to reduce abuse — such as requiring valid government documents proving the identity of the registrant.

The biggest surprise relates to the presence of the Indian ".in" ccTLD within this Top 10 list. The .in ccTLD has found itself increasingly the focus of abuse over recent months as the genesis for many C&C servers. This is likely a reflection of several TLD registrars becoming better at identifying and responding to abuse, rather than any regressive changes in the way in which the India ccTLD is being managed.

One key takeaway from this analysis of current TLD abuse is that ccTLDs are disproportionally represented when compared to the number of legitimate domain registrations typically registered with them. gTLDs like ".com" still have a long way to come in reducing the frequency of abuse though.

In the meantime Damballa Labs will continue to track domain registration abuse and monitor the C&C situation.

Damballa FirstAlert, our cyber threat early warning system, has recently incorporated some new technologies — such as Kopis — that help to identify maliciously abused domains weeks, if not months, in advance of crimeware samples being detected by legacy threat detection systems.

By Gunter Ollmann, CTO at NCC Group Domain Services. More blog posts from Gunter Ollmann can also be read here.

Related topics: Cybercrime, Cybersquatting, DNS, Domain Names, Registry Services, Policy & Regulation, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Season's Greetings - 2014 End of Year Message from DotConnectAfrica

Minds + Machines in 2014 and 2015

New .VOTE and .VOTO Domains Launched

Consumers Prefer the .ORGANIC Domain for True-Organic Goods

DNN Podcast Interview with Antony Van Couvering

TLD Registry and Right of the Dot Establish a Domain Name Industry "Dream Team"

TLD Registry Ltd Welcomes New Board Members

New .LGBT Top-Level Domain Launched

.sydney Domain Names Now Available in Pre-Release

"Chinese Domaining Masterclass" to be Presented at NamesCon Las Vegas in January 2015

Auction and Sales Channel Update

Radix Set to Launch .SITE TLD in 2015

Annual Manthan Award Event This Week

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

List of New gTLD Availability & Key Information Provided for Download

Radix Launches .Space for Individuals, Freelancers and Professionals

TLD Registry Wins Best Marketing Award at China New gTLD Roadshow

Sponsored Topics

Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
dotMobi

Mobile

Sponsored by
dotMobi
Afilias

DNSSEC

Sponsored by
Afilias
Verisign

Security

Sponsored by
Verisign