Top 10 TLDs Used by Botnets For CnC
By Gina on February 19, 2010 | Vulnerabilities, TLDs, CnC, Domain, Botnet
Gunter Ollmann, currently VP of Research at Damballa, wants to share with the rest of the world some information about the command and control (CnC) channels used and abused by criminal botnet operators.
He argues that it would be useful to know which Top Level Domains (TLDs) are used for botnet CnC. Damballa looked through all the domains used and abused by botnets targeting enterprise networks in 2009 (see the table below).
Top 10 TLDs used for CnC
- .com - 94.58%
- .org - 0.16%
- .info - 0.16%
- .biz - 0.15%
- .cn - 0.09%
- .tw - 0.08%
- .cc - 0.06%
- .ws - 0.06%
- .ru - 0.04%
- .tt - 0.04%
As you can see, the four most popular are generic top-level domains (.com, .org, .info and .biz). The other six TLDs (.cn, .tw, .cc, .ws, .ru and .tt) are country-code TLDs that are often associated with cheap and easy-to-abuse country registrars.
Gunter Ollmann also notes that country-level TLDs do not necessarily indicate where the CnC servers for the botnet are actually hosted: anyone can register a new domain with these country registrars with little difficulty. Ollmann is surprised by the high share of “.com” use for botnets. The following reasons offer a few clues as to why this is the case:
1) every domain registrar has an open portal for purchasing and registering “.com” domains;
2) “.com” domains are constantly used by legitimate companies;
3) free dynamic DNS providers (DynDNS and the like) usually use “.com” TLDs;
4) “.com” domains have no country association, so they give away nothing about the location of the CnC and likely draw less attention than domains under other TLDs.
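As an added example that is not part of the original article, the script below tallies the TLD share of a set of observed domains and compares it with the 2009 Damballa figures quoted above, flagging TLDs whose share is far above that baseline. The domain list is constructed sample data, and reducing a domain to its last label is a simplification (multi-label suffixes such as co.uk are not handled).

```python
# Added example (not from the original article): TLD share of observed domains
# compared with the 2009 Damballa CnC distribution quoted in the article.
from collections import Counter

# The article's Top 10 TLD shares for 2009 CnC domains, as percentages.
DAMBALLA_2009_CNC = {
    "com": 94.58, "org": 0.16, "info": 0.16, "biz": 0.15, "cn": 0.09,
    "tw": 0.08, "cc": 0.06, "ws": 0.06, "ru": 0.04, "tt": 0.04,
}


def tld_of(domain: str) -> str:
    """Last label of a domain, lower-cased, trailing dot removed.
    Simplification: multi-label public suffixes (e.g. co.uk) are reduced
    to their final label, which is how the article's table groups them."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def tld_shares(domains) -> dict:
    """Percentage of domains per TLD, rounded to two decimals."""
    counts = Counter(tld_of(d) for d in domains)
    total = sum(counts.values())
    return {t: round(100.0 * n / total, 2) for t, n in counts.items()}


def flag_tld_spikes(domains, baseline=DAMBALLA_2009_CNC, factor=10.0) -> dict:
    """TLDs whose observed share exceeds the baseline share by `factor`.
    A TLD missing from the baseline counts as 0.0, so any hit is flagged.
    Caveat from the article: a ccTLD says nothing about where the CnC host
    actually sits, so this is a triage hint, not an attribution."""
    shares = tld_shares(domains)
    return {t: s for t, s in shares.items() if s > factor * baseline.get(t, 0.0)}


# Constructed sample: domains seen in an enterprise resolver log.
SAMPLE_DOMAINS = [
    "update-cdn.example.com", "mail.example.com", "img.example.com",
    "api.example.com", "static.example.com", "login.example.com",
    "tracker.example.cc", "stat.example.ws", "node1.example.ru",
    "c2.example.tt",
]

if __name__ == "__main__":
    for tld, share in sorted(tld_shares(SAMPLE_DOMAINS).items(), key=lambda x: -x[1]):
        print(f".{tld:<5} {share:6.2f}%")
    print("spikes vs 2009 baseline:", flag_tld_spikes(SAMPLE_DOMAINS))
```

On the sample, .com holds 60% yet stays unflagged because its baseline is so high, while the four ccTLDs at 10% each are flagged; this mirrors the article's point that a ccTLD share well above the norm is the signal, not .com itself.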