
TLD Domain Abuse: Threat Report - First Half 2011

Gunter Ollmann

When it comes to building a robust globe-spanning network of crimeware and making the victims dance to a tune of the cyber-criminals' choosing, you're guaranteed to find domain name abuse at the heart of the operation. DNS provides the critical flexibility and underlying scalability of modern command-and-control (C&C) infrastructure. Cyber-criminals that master DNS (and manage to maintain the stream of new domain registrations that keep it fed) tend to find themselves in command of the largest and most profitable crimeware networks.

A critical ingredient in constructing a C&C infrastructure capable of shrugging off takedown requests, sinkholing by security vendors and hijacking attempts from competitors, lies in the ability to procure new domain names from various registrars around the world at a pace quicker than those being taken away.

There are thousands of domain registration and server hosting companies around the world only too happy to register a particular domain on behalf of their customer for a small annual fee. Armed with a keyword, phrase or random gibberish, the customer can pick from well over a hundred top-level domains (TLDs), ranging from popular generic TLDs (gTLDs) such as .com, .biz and .name, through to any country with its own flag and dedicated country-code TLD (ccTLD), such as .ru for Russia or .tv for Tuvalu.

Over the years cyber-criminals have tended to favor particular TLDs. This favoritism reflects many different factors, such as the registrar's responsiveness to external takedown requests, the enforcement and verification of registrant details, and the ease (and cost) of registration, but the net result is that some TLDs are more commonly abused than others.

Damballa Labs decided to take a closer look at the domain names that cyber-criminals were actively using to control their networks of victims throughout the first half of 2011. The following analysis relates to new findings disclosed in the Damballa Threat Report — First Half 2011 (available HERE).

Over the years, cyber-criminals have registered millions upon millions of domain names, the vast majority of which are no longer under their control or represent no immediate threat to the Internet at large. In our study we wanted to understand precisely which TLDs are most actively being abused by the bad guys, so we removed from our analysis the domain names that were no longer under criminal control (e.g. sinkholed, shut down, unregistered, etc.) or that were associated with domain generation algorithm (DGA) output (e.g. the domains generated daily by Conficker and registered by security analysts hoping to count the number of victims that still remain). Counting those would inflate the tally of the TLDs that defenders, not criminals, happen to be registering in.
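The tally behind the Top 10 list can be reproduced with a short script. The example below is added here and is not Damballa's code; every hostname, exclusion reason and suffix in it is constructed for illustration (none is a real indicator). It makes two choices a practitioner would want to get right: excluded domains (sinkholed, DGA, unregistered) are dropped before counting, and the count is taken per registered domain rather than per hostname, so that one registration with many C&C subdomains does not skew the share of its TLD. The small suffix table stands in for the full Public Suffix List, which a real analysis would use.

```python
"""Added example: share of live C&C domains by TLD.

All data below is constructed for the demo; nothing here is a real
indicator of compromise.
"""
from collections import Counter

# (hostname, exclusion reason or None if still under criminal control)
OBSERVED = [
    ("cnc1.badstuff.com", None),
    ("update.badstuff.com", None),      # same registered domain as above
    ("c2.another.com", None),
    ("panel.example-c2.ru", None),
    ("dl.example-c2.ru", None),         # same registered domain as above
    ("gate.mal.co.in", None),           # co.in is a second-level registry
    ("x7q2.biz", "sinkholed"),          # taken over by a security vendor
    ("qwuzkdjf.info", "dga"),           # algorithmically generated name
    ("stale-c2.net", "unregistered"),   # registration lapsed
    ("host.evil.org", None),
    ("cc.fast.cn", None),
]

# Assumption: a tiny stand-in for the Public Suffix List. Only suffixes
# that are more than one label long need listing; everything else is
# treated as a plain ccTLD/gTLD.
MULTI_LABEL_SUFFIXES = {
    "co.in", "net.in", "org.in", "com.cn", "net.cn", "org.cn", "co.uk",
}


def registrable_domain(hostname: str) -> str:
    """Collapse a hostname to the domain that was actually registered.

    gate.mal.co.in -> mal.co.in, update.badstuff.com -> badstuff.com
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable name: {hostname!r}")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tld_of(name: str) -> str:
    """The top-level domain is always the final label, e.g. '.in'."""
    return "." + name.lower().strip(".").rsplit(".", 1)[-1]


def tld_share(observed, per_registration=True):
    """Percentage of live C&C domains per TLD, most abused first.

    With per_registration=True each registered domain counts once,
    however many C&C hostnames hang off it. With False the raw hostname
    count is used, which over-credits TLDs whose operators use many
    subdomains under one registration.
    """
    live = [h for h, reason in observed if reason is None]
    if per_registration:
        live = set(registrable_domain(h) for h in live)
    counts = Counter(tld_of(name) for name in live)
    total = sum(counts.values())
    return {tld: round(100.0 * n / total, 1) for tld, n in counts.most_common()}


def top_n(observed, n=10):
    """The (tld, percentage) rows that would populate a Top N table."""
    return list(tld_share(observed).items())[:n]


if __name__ == "__main__":
    for tld, pct in top_n(OBSERVED):
        print(f"{tld:<8}{pct:>6.1f}%")
```

On the constructed data the per-registration share of .com is 33.3% (2 of 6 registrations), whereas counting hostnames would report 37.5% (3 of 8), and .biz, .info and .net never appear because their only entries were excluded before counting.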

For the first time ever, based upon our analysis, we were able to construct a Top 10 list of the most abused TLDs currently being used by cyber-criminals for C&C:

gTLD or ccTLD    Share of live C&C domains
.com             40.5%
.ru              22.8%
.info             8.5%
.net              5.9%
.in               3.3%
.org              2.8%
.biz              2.8%
.cn               1.7%
.tk               0.7%
.cc               0.4%

As expected, the most popular and frequently registered gTLDs on the Internet (.com, .info, .net, .org and .biz) all feature within the Top 10 list. The .com gTLD stands out by a substantial margin as the most commonly abused TLD, which is unlikely to surprise many people. It is interesting to note, however, that the .biz gTLD sits well down the list, tied with .org at only 2.8% of the identified C&C abuse; it was not too many years ago that .biz was widely acknowledged as the most frequently abused gTLD for all types of cybercrime.

For many threat analysts the presence of the Russian ccTLD .ru is not particularly surprising, as it has had a long history of abuse, and it will likely remain that way without a substantial overhaul of its registration practices and greater responsiveness to external law enforcement requests. A surprise is that the Chinese ccTLD, .cn, sits so much lower than .ru. This is likely a reflection of the more recent changes the .cn registry introduced to reduce abuse, such as requiring valid government documents proving the identity of the registrant.

The biggest surprise relates to the presence of the Indian ccTLD .in within this Top 10 list. The .in ccTLD has increasingly become the focus of abuse over recent months as the home of many new C&C servers. This is more likely a reflection of registrars in other TLDs becoming better at identifying and responding to abuse, pushing criminals towards .in, than of any regressive change in the way the Indian ccTLD is being managed.

One key takeaway from this analysis of current TLD abuse is that ccTLDs are disproportionately represented when compared with the number of legitimate domain registrations they typically hold. gTLDs like .com still have a long way to go in reducing the frequency of abuse, though.

In the meantime Damballa Labs will continue to track domain registration abuse and monitor the C&C situation.

Damballa FirstAlert, our cyber threat early warning system, has recently incorporated new technologies, such as Kopis, that help to identify maliciously abused domains weeks, if not months, before crimeware samples are detected by legacy threat detection systems.

By Gunter Ollmann, Chief Technology Officer at IOActive. More blog posts from Gunter Ollmann can also be read here.

Related topics: Cybercrime, Cybersquatting, DNS, Domain Names, Registry Services, Policy & Regulation, Security, Top-Level Domains
