Top-10 TLDs Abused by Botnets for CnC

Wrapping up this week of 2009 Top-10 botnet analysis, I’d like to share with you information related to the command and control (CnC) channels used and abused by criminal botnet operators. While I’m sure you’ve seen plenty of news throughout the year related to the abuse of .cn (China) domain registrations for all kinds of malicious attacks (in particular Phishing and drive-by-download site hosting), I thought it would be valuable to look at all the Top Level Domains (TLDs) used for botnet CnC.

Damballa looked at all of the CnC domains used and abused by several thousand botnets targeting enterprise networks in 2009.

As you can see from the table above, the generic commercial TLD “.com” accounts for 19 out of 20 botnet CnC command channels. While “.cn” domains are commonly employed for all kinds of fraud attacks, they account for less than 1 out of 1,000 botnet CnC domain registrations.
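The per-TLD tally behind a table like this is straightforward to reproduce over your own CnC or DNS-log data; the added example below (not Damballa's code) does so over a constructed list of hostnames, collapsing them to unique registrations first, since the article counts domain registrations rather than individual hosts, and treating second-level registries such as ".com.cn" as registrations within the ".cn" TLD. The sample hostnames and the short suffix list are assumptions.

```python
from collections import Counter
from typing import List, Tuple

# Constructed sample of CnC hostnames (hypothetical; not Damballa's data).
SAMPLE_CNC_HOSTS: List[str] = [
    "a1.alpha-sample.com", "a2.alpha-sample.com",   # two hosts, one registration
    "b.beta-sample.com", "c.gamma-sample.org",
    "d.delta-sample.info", "e.eps-sample.biz",
    "f.zeta-sample.com.cn",                          # registered under the .cn registry
    "g.eta-sample.ru", "h.theta-sample.cc",
    "i.iota-sample.com",
]

# Registries that hand out names one level below the ccTLD; a host such as
# "f.zeta-sample.com.cn" is one registration ("zeta-sample.com.cn") in the
# ".cn" TLD. Short constructed list, not a full public-suffix list.
SECOND_LEVEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "com.tw", "co.uk"}


def registrable_domain(host: str) -> str:
    """Registered domain for a hostname, e.g. 'a1.alpha-sample.com' -> 'alpha-sample.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable name: {host!r}")
    suffix_len = 2 if ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES else 1
    if len(labels) < suffix_len + 1:
        raise ValueError(f"bare suffix, not a registration: {host!r}")
    return ".".join(labels[-(suffix_len + 1):])


def tld_of(host: str) -> str:
    """Top-level label with a leading dot, the way the article reports TLDs."""
    return "." + registrable_domain(host).rsplit(".", 1)[-1]


def tld_share(hosts: List[str]) -> List[Tuple[str, int, float]]:
    """Tally TLDs over unique registrations; (tld, count, fraction) sorted by count."""
    registrations = {registrable_domain(h) for h in hosts}
    counts = Counter("." + r.rsplit(".", 1)[-1] for r in registrations)
    total = sum(counts.values())
    return [(tld, n, n / total) for tld, n in counts.most_common()]


if __name__ == "__main__":
    for tld, n, frac in tld_share(SAMPLE_CNC_HOSTS):
        print(f"{tld:<8}{n:>4}  {frac:6.1%}")
```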

Topping out the Top-10 are the four most popular generic TLDs (.com, .org, .info and .biz). The remaining 6 TLDs (.cn, .tw, .cc, .ws, .ru and .tt) are commonly associated with cheap and easily abused country registrars that conduct little validation and verification of the people purchasing domains from them. It will be interesting to see whether “.cn” domains remain in the Top-10 for 2010, since the China domain registration authority is supposedly hardening its registration process and clamping down on abuse.

Readers should note though that the country-level TLDs do not necessarily represent where the CnC servers for the botnet are actually hosted. Anyone, in any country, can register a new domain with these country registrars – which is one of the reasons why they are so popular to criminals and are frequently abused for fraud and botnet CnC purposes.

What is perhaps surprising is the high level of “.com” use for botnets. There are many reasons for this, including the following:

  • Practically every domain registrar on the planet provides a convenient portal for purchasing and registering “.com” domains.
  • “.com” domains are the most popular domains used by legitimate companies, so there is an air of additional credibility to suspicious domains, which may attract less attention under casual inspection.
  • Free dynamic DNS providers (DYN DNS) are popularly employed for CnC domains. Most of these DNS providers use “.com” TLDs – so they have a heavy influence on “.com” usage for botnet CnC.
  • “.com” domains have no country associations – therefore they help to anonymize the location of the CnC and likely draw less attention than, say, “.ru” or “.cn” domain names if, for example, law enforcement were reviewing logs of an attack against the US government.

Watch out for CnC’s hiding in plain sight!

– Gunter Ollmann, VP Research


2 Responses to “Top-10 TLDs Abused by Botnets for CnC”

  1. aarons says:

    Could you expand on how you came up with these numbers?
    They don’t match with mine.

  2. [...] there have been some statistics published on botnet Command & Control (C2) channels. These statistics claim that 94.58% of botnet C2 [...]
