
TLD Domain Abuse: Threat Report - First Half 2011

Gunter Ollmann

When it comes to building a robust globe-spanning network of crimeware and making the victims dance to a tune of the cyber-criminals' choosing, you're guaranteed to find domain name abuse at the heart of the operation. DNS provides the critical flexibility and underlying scalability of modern command-and-control (C&C) infrastructure. Cyber-criminals that master DNS (and manage to maintain the stream of new domain registrations that keep it fed) tend to find themselves in command of the largest and most profitable crimeware networks.

A critical ingredient in constructing a C&C infrastructure capable of shrugging off takedown requests, sinkholing by security vendors and hijacking attempts from competitors, lies in the ability to procure new domain names from various registrars around the world at a pace quicker than those being taken away.

There are thousands of domain registration and server hosting companies around the world only too happy to register a particular domain on behalf of their customer for a small annual fee. Armed with a keyword, a phrase or random gibberish, the customer can pick from over a hundred top-level domains (TLDs) — ranging from popular generic TLDs (gTLDs) such as .com, .biz and .name, through to the dedicated country-code TLD (ccTLD) of any country with its own flag, such as .ru for Russia or .tv for Tuvalu.

Over the years cyber-criminals have tended to favor particular TLDs. This favoritism reflects many different factors — such as the registrars' responsiveness to external takedown requests, the enforcement and verification of registrant details, and the ease and cost of registration — but the net result is that some TLDs are more commonly abused than others.

Damballa Labs decided to take a closer look at the domain names that cyber-criminals were actively using to control their networks of victims throughout the first half of 2011. The following analysis relates to new findings disclosed in the Damballa Threat Report — First Half 2011.

Over the years, cyber-criminals have registered millions upon millions of domain names, the vast majority of which are no longer under their control or represent no immediate threat to the Internet at large. In our study we wanted to understand precisely which TLDs are most actively being abused by the bad guys, so we removed from the analysis the domain names that were no longer under criminal control (e.g. sinkholed, shut down or unregistered) and those associated with domain generation algorithm (DGA) registrations (e.g. the domains generated daily by Conficker and registered by security analysts hoping to count the number of victims that still remain). Counting such domains would inflate the figures for whichever TLDs a DGA happens to draw from, without saying anything about where criminals choose to register.

For the first time ever, based upon our analysis, we were able to construct a Top 10 list of the most abused TLDs currently being used by cyber-criminals for C&C:

Rank   TLD     Type    Share of active C&C domains
 1     .com    gTLD    40.5%
 2     .ru     ccTLD   22.8%
 3     .info   gTLD     8.5%
 4     .net    gTLD     5.9%
 5     .in     ccTLD    3.3%
 6     .org    gTLD     2.8%
 7     .biz    gTLD     2.8%
 8     .cn     ccTLD    1.7%
 9     .tk     ccTLD    0.7%
10     .cc     ccTLD    0.4%

As expected, the most popular and frequently registered gTLDs on the Internet (.com, .info, .net, .org and .biz) all featured within the Top 10 list. The .com gTLD stands out by a substantial margin as the most commonly abused TLD — which is unlikely to surprise many people. It is interesting to note, however, that the .biz gTLD shares 6th position with .org at only 2.8% of the identified C&C abuse; it was not too many years ago that .biz was widely acknowledged as the most frequently abused gTLD for all types of cybercrime.

For many threat analysts the presence of the Russian ccTLD ".ru" is not particularly surprising, as it has had a long history of abuse — and will likely remain that way without a substantial overhaul of its registration practices and an increase in responsiveness to external law enforcement requests. A surprise is that the Chinese ccTLD, .cn, sits so much lower than .ru. This is likely a reflection of the more recent changes made by the .cn registry to reduce abuse — such as requiring valid government documents proving the identity of the registrant.

The biggest surprise relates to the presence of the Indian ".in" ccTLD within this Top 10 list. Over recent months the .in ccTLD has increasingly become the registration point of choice for new C&C servers. This is more likely a reflection of the registries and registrars behind other TLDs becoming better at identifying and responding to abuse, pushing criminals towards .in, than of any regressive change in the way the Indian ccTLD is being managed.

One key takeaway from this analysis of current TLD abuse is that ccTLDs are disproportionately represented when compared to the number of legitimate domain registrations they typically hold: a ccTLD that accounts for a small fraction of all registered domains can still account for a large fraction of active C&C domains. gTLDs like ".com" still have a long way to go in reducing the frequency of abuse, though.
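The filtering and tallying described above (keep only domains still under criminal control, discard DGA-generated names, count by TLD) and the ccTLD over-representation check can be reproduced on any C&C domain feed. The script below is an added example written for this page, not Damballa's own tooling; the feed records, the second-level suffix subset and the baseline registration shares are all constructed for illustration and are not real indicators or real registry figures.

```python
"""Tally the TLDs of domains still actively used for C&C, following the
filtering described in the post: keep only domains under criminal control
(drop sinkholed, shutdown, unregistered), drop DGA-generated names, count
once per registered domain, then rank TLDs by share.

Added example, not Damballa's code. All records and baseline figures are
constructed for illustration; none are real indicators.
"""
from collections import Counter

# Constructed feed records (hypothetical domains, not real C&C indicators).
# status: "active" = still resolving under criminal control;
#         "sinkholed" / "shutdown" / "unregistered" = no longer a live threat.
# origin: "registered" = hand-registered by the operator;
#         "dga" = algorithmically generated (Conficker-style daily names),
#         often registered by analysts to count victims, so excluded.
SAMPLE_RECORDS = [
    {"domain": "update-srv01.com",    "status": "active",       "origin": "registered"},
    {"domain": "c2.update-srv01.com", "status": "active",       "origin": "registered"},
    {"domain": "DL-Mirror.COM.",      "status": "active",       "origin": "registered"},
    {"domain": "panel-login.ru",      "status": "active",       "origin": "registered"},
    {"domain": "stats-node.ru",       "status": "active",       "origin": "registered"},
    {"domain": "bulk-mailer.info",    "status": "active",       "origin": "registered"},
    {"domain": "cdn-cache.co.in",     "status": "active",       "origin": "registered"},
    {"domain": "img.cdn-cache.co.in", "status": "active",       "origin": "registered"},
    {"domain": "track-pixel.biz",     "status": "active",       "origin": "registered"},
    {"domain": "relay-cn.com.cn",     "status": "active",       "origin": "registered"},
    {"domain": "old-botnet.com",      "status": "sinkholed",    "origin": "registered"},
    {"domain": "gone-forever.net",    "status": "unregistered", "origin": "registered"},
    {"domain": "free-host.tk",        "status": "shutdown",     "origin": "registered"},
    {"domain": "xkqpdfhwzm.org",      "status": "active",       "origin": "dga"},
]

# Second-level suffixes under which registrants actually register, so that
# "img.cdn-cache.co.in" collapses to the single registration cdn-cache.co.in.
# Assumption: a small hand-picked subset, not the full Public Suffix List.
SECOND_LEVEL_SUFFIXES = {"co.in", "net.in", "org.in", "com.cn", "net.cn", "org.cn", "co.uk"}


def normalize(domain):
    """Lowercase and drop the trailing dot of a fully-qualified name."""
    return domain.strip().rstrip(".").lower()


def registrable_domain(domain):
    """Return the registrant-controlled domain (one label below the public suffix)."""
    labels = normalize(domain).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tld_of(domain):
    """Top-level label only ('in' for cdn-cache.co.in), since the post ranks TLDs."""
    return normalize(domain).rsplit(".", 1)[-1]


def tld_kind(tld):
    """Two-letter ASCII TLDs are country codes (ccTLD); everything else is a gTLD.
    Assumption: IDN ccTLDs (xn--...) are not present in the sample."""
    return "ccTLD" if len(tld) == 2 and tld.isascii() and tld.isalpha() else "gTLD"


def active_registrations(records):
    """Apply the post's filters and collapse hostnames to one entry per registration."""
    return {
        registrable_domain(r["domain"])
        for r in records
        if r["status"] == "active" and r["origin"] == "registered"
    }


def tld_shares(records):
    """Map tld -> (count, percent of all active C&C registrations)."""
    counts = Counter(tld_of(d) for d in active_registrations(records))
    total = sum(counts.values())
    return {t: (c, 100.0 * c / total) for t, c in counts.items()} if total else {}


def top_tlds(records, n=10):
    """Ranked (tld, kind, count, percent) list, ties broken alphabetically."""
    shares = tld_shares(records)
    ranked = sorted(shares.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(t, tld_kind(t), c, p) for t, (c, p) in ranked[:n]]


def over_representation(abuse_pct, baseline_pct):
    """Ratio of a TLD's share of C&C registrations to its share of all
    registrations; >1 means the TLD is abused out of proportion to its size."""
    return {t: abuse_pct[t] / baseline_pct[t] for t in abuse_pct if baseline_pct.get(t)}


# Constructed baseline: each TLD's share of legitimate registrations. Real
# figures would come from registry zone-size reports, not from this sample.
BASELINE_SHARE_PCT = {"com": 50.0, "ru": 5.0, "info": 5.0, "in": 1.0, "biz": 2.0, "cn": 5.0}


if __name__ == "__main__":
    print(f"{'TLD':<6}{'kind':<7}{'count':>6}{'share':>8}")
    for tld, kind, count, pct in top_tlds(SAMPLE_RECORDS):
        print(f".{tld:<5}{kind:<7}{count:>6}{pct:>7.1f}%")
    abuse = {t: p for t, (_, p) in tld_shares(SAMPLE_RECORDS).items()}
    for tld, ratio in sorted(over_representation(abuse, BASELINE_SHARE_PCT).items(),
                             key=lambda kv: -kv[1]):
        print(f".{tld}: {ratio:.1f}x its share of legitimate registrations")
```

Two details matter in practice. Hostnames are collapsed to the registrable domain before counting, otherwise one registration with dozens of C&C subdomains would dominate the table; and the over-representation ratio is what turns a raw share into the "ccTLDs are disproportionately abused" observation, since .com will always top a raw count simply by being the largest zone.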

In the meantime Damballa Labs will continue to track domain registration abuse and monitor the C&C situation.

Damballa FirstAlert, our cyber threat early warning system, has recently incorporated some new technologies — such as Kopis — that help to identify maliciously abused domains weeks, if not months, before crimeware samples are detected by legacy threat detection systems.

By Gunter Ollmann, Chief Technology Officer at IOActive. More blog posts from Gunter Ollmann can also be read here.

Related topics: Cybercrime, Cybersquatting, DNS, Domain Names, Registry Services, Policy & Regulation, Security, Top-Level Domains
