The first quarter of 2020 saw a decrease in the number of botnet Command & Controllers (C&Cs) tracked and listed by the Spamhaus research team, but in the second quarter they were back to levels typically seen in 2019.
The ccTLD for the Lao People’s Democratic Republic, which has gained a second home in Los Angeles, became the TLD with the second most botnet Command and Control (C&C) domains on the Spamhaus chart of most abused TLDs in its first appearance on the top 20 chart.
As usual, .com was the most abused top-level domain with 3,291 abusive domain names registered out of its 145.4 million and 45% of the top-level botnet C&C domains. There were 1,151 abusive domains for .la followed by .pw (Palau – 575) and then .xyz (278), these being the only TLDs with more than 200 abusive registrations.
For .pw and .xyz, these two TLDs have appeared in the Top 20 for over a year, although there was a significant increase in the number of botnet C&C domain registrations associated with these TLDs in Q1 2020, placing them at third and fourth respectively.
In the first quarter of 2020, Spamhaus Malware Labs also identified a total number of 2,738 new botnet Command and Controllers (C&Cs). Out of these, 2,014 (average 671 per month) were under the direct control of miscreants i.e. as a result of a fraudulent sign-up. That’s a decrease of 57% compared to Q4 2019. This, Spamhaus notes, is welcome news for internet users, following the significant increases throughout 2019.
The reason for this decrease, Spamhaus notes, is currently unproven. They believe “it could be partially related to a VPN provider who refuses to take action on abuse reports and is failing to shut down traffic from existing botnet C&Cs. If botnet C&Cs, which have been detected and reported, are allowed to continue to operate, there is no reason why miscreants should spin up new ones.”
When it comes registrars Namecheap continues to be the favourite place for malware authors to register their botnet C&C domains. For Internet Service Providers (ISPs) hosting botnet C&Cs Cloudflare came out top and while it does not directly host any content, it provides services to botnet operators, masking the actual location of the botnet controller and protecting it from DDoS attacks. Compared to Q4 2019, there was little change in the hosting provider landscape. The usual suspects were still present in Top Twenty, including Cloudflare (US), Google (US), OVH (FR) and Hetzner (DE). It would appear that these big players in the Cloud hosting market did little to improve the situation.
The report has a spotlight on the Raccoon Stealer malware. At the end of 2019 Raccoon Stealer was a newcomer on the cyber threat landscape. This Spamhaus notes is piece of malware usually delivered to the end-user through spam campaigns, dropper, or exploit kits by malware that is already present on the victim’s machine. Raccoon Stealer is a credential and information stealer that runs on MS Windows. However, it is also being used by threat actors to install additional malware. What makes Raccoon Stealer rather unique is where its botnet C&Cs are hosted: on the Google Cloud.
Spamhaus released their quarterly Botnet Threat Update for the third quarter of 2019 and almost half of the TLDs in their top 20 “most abused top-level domains” were within ccTLD name spaces: .ru (Russia), .pw (Palau), .eu (European Union), .ga (Gabon), .tk (Tokelau), .su (the former Soviet Union), .ml (Mali), .cf (Central African Republic) and .me (Montenegro). There were also a handful of new gTLDs: .top, .xyz, .icu, .name, .live, .site and .club. But the TLD with by far the most abused domains, and also by far the largest, was .com, with 4,058 abusive domain names and around 145 million domains in total while .net was second with 534 fraudulent domains.
During the third quarter the number of fraudulent domain names registered within Russia’s ccTLD .ru almost halved from 731 domains in Q2 to 392 domains in Q3. And 2 more gTLDs joined .com in Q3 in the top 3: .net and .info.
Of the registrars with the most abused domain names on their books, Namecheap easily came out top with 1,034 while the Chinese West263.com was second with 375. By country, there were 5 Chinese registrars on the top 20 list, 3 from the United States and 2 each from Russia and Germany.
The highlight, or rather lowlight, of the report from Spamhaus’ point of view was the number of newly detected botnet command & control servers (C&Cs) reached an all-time high in July this year with more than 1,500 botnet C&Cs detected by Spamhaus Malware Labs. This is far in excess of the monthly average, set in the first half of this year, of 1,000 botnet C&Cs.
One of the most notorious botnets called “Emotet”, however, did appear to go on vacation. This botnet went silent for several months, but returned in September with a large scale spam campaign. Emotet, also known as “Heodo”, was a former e-banking Trojan that targeted e-banking customers around the world. In 2018, Emotet ceased it’s e-banking fraud activities and started to offer infected computers on a “Pay-Per-Install” model to other cybercriminals. As of 2019, Emotet is one of the most dangerous botnets and indirectly responsible for a large amount of ransomware campaigns like Ryuk.
The most notable change between Q2 and Q3 Spamhaus observed was TrickBot. They identified a 550% increase in the number of botnet C&Cs that were associated with this malware family. There were additional smaller changes in the malware landscape, with some families dropping out of the charts and others appearing.
Spamhaus observed they continued to see Cloudflare, a US-based content delivery network (CDN) provider, being one of the preferred options by cybercriminals to host botnet C&C servers. This trend has been evident since 2018. Disappointingly, Spamhaus say they’ve still seen no apparent attempts from Cloudflare to battle the ongoing abuse of their network for botnet hosting and other hostile infrastructure. However, as of Q3, Cloudflare got beaten by the Chinese cloud provider Alibaba, by a narrow margin of 4.
There was also a surge in the number of Botnet C&Cs hosted in Russia with a proliferation of botnet C&Cs hosted across various hosting providers in Russia, notably ispserver.com, reg.ru, simplecloud.ru, marosnet.ru and spacenet.ru. After a short period of respite, there is once again a trend among cybercriminals moving their infrastructure to Russian Internet service providers.
The Spamhaus Botnet Threat Update: Q3-2019 can be downloaded in full from: https://www.spamhaus.org/news/article/789/spamhaus-botnet-threat-update-q3-2019
In the first quarter of 2019, Spamhaus Malware Labs has observed an upswing in the number of fraudulent domain name registrations in .ug (Uganda) and .ng (Nigeria).
But it is the number of fraudulent registrations in .ug that has caught their eye and they note they have “gone through the roof”. In February 2019, 35% of all domain names within .ug that Spamhaus observed were registered for the sole purpose of hosting a botnet controller (C&C).
Digging deeper Spamhaus discovered a single bulletproof hosting outfit is connected to these domain registrations which is selling its services on underground sites and the dark web.
The setup is simple: They register a .ug domain name for their customer with the operator i3c.co.ug and use a Chinese based DNS provider DNSPod (Tencent). From a cybercriminalâs perspective, Spamhaus explain this has a big advantage: Both i3c.co.ug and DNSPod are exceptionally slow to investigate abuse reports, thatâs if they are investigated at all. This makes a cybercriminalâs botnet C&C infrastructure almost 100% bulletproof to takedown requests.
To sort the problem Spamhaus is trying to work together with both i3c.co.uh and DNSPod to resolve this issue. While communication between these operators can be challenging these efforts are starting to pay off, with the percentage of fraudulent .ug domain registrations has reduced to 29% from the 35%.
In the first three months of this year, Spamhaus observed significant changes in the malware thatâs associated with botnet Command & Control (C&C) servers, most notably a preference for cybercriminals to utilise crimeware kits.
The 2 top-level domains leading the way when it comes to those associated with botnet C&Cs continue to be .com (2,920 domains) and .uk (United Kingdom â 1,503). Following in the first quarter was .tk (Tokelau â 448), .net (436) and .ga (Gabon â 414). .ug came in 15th place with 100 while among the new gTLDs .xyz was 13th (149) and .icu was 16th (82).
However, thereâs no change when it came to the most abused hosting provider: Cloudflare. Register.com (1,137), Namecheap (757), Network Solutions/Web.com (742), Indiaâs PDR (664), Reg.ru (315) and NameSilo (311) were easily the registrars with the most abusive domain name registrations.
When Spamhaus looked at the number of newly detected botnet Command & Controllers (C&C), as a result of fraudulent sign-ups, they found the upward trend detected in 2018 is continuing into 2019.
In 2018 the number of botnet C&Cs identified from fraudulent sign-ups lifted 176% from 276 per month in January to 762 per month in December. The monthly average across 2018 was 530 botnet controller listings (BCL) per month.
In the first quarter of 2019 Spamhaus observed another significant step-up in numbers across the first three months of this year. The number of newly detected botnet C&Cs reached 1,281 in March 2019, an additional 519 botnet C&Cs compared to December 2018âs figures. Meanwhile, the monthly average in 2019 has increased by 110% to 1,113 per month. Spamhaus found no change in the location of botnet C&C traffic. The number one geolocation for botnet C&Cs remains the United States, followed by Russia and the Netherlands.
Spamhaus has released a list of what they consider to be the world worst top level domains for spam, and the top ten are all new gTLDs. The list shows the ratio of all domains registered that Spamhaus’ systems see and is a one month “snapshot”.
The worst of the TLDs is .review with 75.1 percent of all domains considered bad, followed by .diet (74.6%), .click (72.9%), .download (72.8%), .work (64.9%), .tokyo (51.8%), .science (49.8%), .racing (45.6%), .party (45.2%) and .uno (43.8%) rounding out the top ten.
This compares to .com, the world’s largest TLD now with over 126 million domains under management with 4.0 percent of its domains considered bad, .tk (the largest ccTLD and who gives away the vast majority of its domains) with 1.9 percent, .de (Germany – 0.1%) and .net (6.8%).
Of the largest new gTLDs, the only one in the top ten according to nTLDstats.com to be on the “bad” list is .science. But others feature prominently with 19.7 percent of all .xyz, the largest of all the new gTLDs with 2.6 million domains under management, domains considered bad while .top at second on the list has 16.5 percent of its 1.6 million domains considered bad.
Spamhaus notes that this list does not provide the worst TLDs in absolute quantity, other TLDs may have far more abusive domains, but they also have vastly more non-abusive domains. Instead, the list shows the ratio of all domains seen by the systems at Spamhaus versus the domains our systems profile as spamming or being used for botnet or malware abuse.
The problem largely comes about due to a few registries, registrars and resellers basing a business model based on high volumes of domain names being sold to spammers.
“Spam and other types of abuse continue to plague the internet because bad actors find it very cheap and very easy to obtain thousands of domain names from the Top Level Domain registries and their resellers, the registrars. A few registrars knowingly sell high volumes of domains to professional spammers for profit, or do not do enough to stop or limit spammers’ access to this endless supply of domains. These registrars end up basing their entire business model on network abuse.”
“Unsurprisingly, most of the TLDs listed on this page are the ‘new gTLDs’ recently introduced by ICANN; this is largely the result of a combination of factors:
New companies are constantly being targeted by phishers, with some phishers attacking targets where consumers may least expect it while the ten companies that are targeted most often by phishers are attacked constantly, sometimes more than 1,000 times per month. These are some of the findings of the Global Phishing Survey for Second Half of 2014, released by the Anti-Phishing Working Group (APWG) on Wednesday.The report found phishing occurred in 272 top level domains (TLDs) with 56 in new gTLDs. And the number of domain names used for phishing has reached an all-time high, but the interest in new gTLDs has so far been limited. However with the registration fees for some of the new gTLDs dropping to below .com prices, the APWG believes this will attract phishing and other kinds of abuse.However the report notes that tens of thousands of domains in the new gTLDs are being consumed by spammers and are being blocklisted by providers such as Spamhaus and SURBL. So while relatively few new gTLD domains have been used for phishing, the report notes the total number of them being used maliciously is much higher.Of the new gTLDs, the largest, .xyz, had the most phishing domains with 288. The .xyz gTLD became notorious as Network Solutions gave their .com registrants a .xyz domain. But only four of the .xyz domains were registered with Network Solutions. Most of the .xyz phishing registrations (298) were made at Xin Net and other Chinese registrars, and were used to attack Chinese targets. A lesson here, the report notes, is that when it comes to abuse, who can obtain domains in a TLD (and in what quantities) may be as important as the (low) price of the domain. .XYZ had a phishing-per-10,000-domains score of 3.6, which was just slightly above the average of 3.4 for all TLDs, and lower than .com’s score of 4.7. SinceBut there only 1.9 percent of all domain names that were used for phishing contained a brand name or variation thereof.According to the report, there were at least 123,972 unique phishing attacks worldwide during the six-month period. This was almost the same number as in the first half of 2014, and the most seen in a six-month period since the second half of 2009. The APWG defines an attack as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.These attacks occurred on 95,321 unique domain names, the most ever recorded in a half-year period. The number of domain names in the world grew from 279.5 million in April 2014 to 287.3 million in December 2014.Of the 95,321 phishing domains, the APWG identified, 27,253 are believed to have been registered maliciously by phishers. This is an all-time high, and much higher than the 22,629 identified in the first half of 2014. Most of these registrations were made by Chinese phishers. The other 68,303 domains were almost all hacked or compromised on vulnerable Web hosting.The registrations were concentrated in just five TLDs with seventy-five percent of the malicious domain registrations in .com, .tk, .pw, .cf and .net.In addition, 3,582 attacks were detected on 3,095 unique IP addresses, rather than on domain names. (For example: http://77.101.56.126/FB/) But none were observed on IPv6 addresses.There were also 569 targeted institutions, down significantly from the all-time high of 756 observed in the first half of 2014.The average uptime in the second half of 2014 was 29 hours and 51 minutes. The median uptime in the six-month period increased to 10 hours 6 minutes, meaning that half of all phishing attacks stay active for slightly more than 10 hours.
