16 September 2011

Damballa Threat Report – First Half 2011 (Extract)



Most Abused Top Level Domains for Live Command‐and‐Control

Damballa Labs has analyzed and is reporting the TLDs (top level domains) most frequently abused by cyber-criminals for controlling their victims. This analysis is based on activity observed during the first six months of 2011. The data covers 'live' abuse only: domains that are actively being looked up by infected assets, that resolve to IP addresses currently under criminal control, and for which the criminal still has the ability to issue commands to the botnet victims.

gTLD or ccTLD    Percentage of live C&C domains
.com             40.5%
.ru              22.8%
.info             8.5%
.net              5.9%
.in               3.3%
.org              2.8%
.biz              2.8%
.cn               1.7%
.tk               0.7%
.cc               0.4%

Figure 6

For this analysis we excluded:

  • Domains that were no longer under the control of the criminals (e.g. domain names associated with sinkholes)
  • Domains that were no longer resolving to known command-and-control IP addresses (e.g. dead because of takedown requests)
  • Domains associated with domain generation algorithms (DGA). DGA is a technique criminal operators use to evade block lists. Each day, from a seed value (such as the current date), the malware generates hundreds or thousands of seemingly random domain names. The operator, who has the same algorithm, registers and activates only a few of that day's names to resolve to the active C&C infrastructure.
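The following is an added example, not part of Damballa's report or tooling, that reconstructs the counting method described above: a toy date-seeded DGA (an illustrative algorithm, not any real malware family's) shows why the malware and the operator derive the same candidate list, and a filter applies the three exclusions before computing each TLD's share of the remaining live C&C domains. All domains, IP addresses and DNS observations are constructed for the example.

```python
"""Reconstruction of the 'live C&C TLD' counting method (added example).
The DGA, the IP addresses and the DNS observations are all constructed
here; none of them come from Damballa's data."""
import hashlib
from collections import Counter
from datetime import date


def toy_dga(seed_date, count=6, tlds=("com", "net", "info")):
    """Date-seeded DGA in the style the report describes: the same seed
    yields the same candidate list for the malware and for the operator.
    This is a made-up algorithm, not any real malware family's DGA."""
    seed = seed_date.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + bytes([i])).hexdigest()
        # map the first 12 hex digits onto letters a..p to get a 'random' label
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(f"{label}.{tlds[i % len(tlds)]}")
    return domains


def tld_of(domain):
    """Last label of the name; sufficient for single-label TLDs such as
    .com or .ru (a public suffix list would be needed for e.g. .co.uk)."""
    return domain.lower().rstrip(".").rsplit(".", 1)[-1]


def live_cc_tlds(observations, cc_ips, sinkhole_ips, dga_domains):
    """Apply the report's three exclusions and return the share of each TLD
    among the remaining 'live' C&C domains, as percentages."""
    dga = set(dga_domains)
    live = Counter()
    for domain, ip in observations:
        if ip in sinkhole_ips:      # exclusion 1: sinkholed, no longer criminal-controlled
            continue
        if ip not in cc_ips:        # exclusion 2: no longer resolves to known C&C
            continue
        if domain in dga:           # exclusion 3: DGA-generated name
            continue
        live[tld_of(domain)] += 1
    total = sum(live.values())
    return {tld: round(100.0 * n / total, 1) for tld, n in live.most_common()}


# --- constructed sample data (hypothetical, not real infrastructure) ---
CC_IPS = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}
SINKHOLE_IPS = {"192.0.2.1"}
TODAY = date(2011, 3, 15)
DGA_TODAY = toy_dga(TODAY)

OBSERVATIONS = [
    ("update-check.com", "198.51.100.10"),
    ("cdn-static.com", "198.51.100.11"),
    ("mail-relay.ru", "203.0.113.5"),
    ("news-feed.ru", "198.51.100.10"),
    ("stats.info", "203.0.113.5"),
    ("old-panel.net", "192.0.2.1"),      # sinkholed -> excluded
    ("takedown.biz", "10.0.0.9"),        # resolves elsewhere -> excluded
    (DGA_TODAY[0], "198.51.100.10"),     # DGA name registered today -> excluded
]

if __name__ == "__main__":
    print("DGA candidates for", TODAY, ":", DGA_TODAY[:3], "...")
    print(live_cc_tlds(OBSERVATIONS, CC_IPS, SINKHOLE_IPS, DGA_TODAY))
```

Running the block prints today's DGA candidates and the TLD shares of the five domains that survive the three exclusions (.com 40%, .ru 40%, .info 20% for the constructed data). Note that the DGA exclusion only works if the defender already knows the algorithm and seed, which is why DGA families are usually handled separately from static block lists.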

Not surprisingly, the most popular generic TLDs (gTLDs), .com, .info, .net, .org and .biz, are among the Top 10 Most Abused by criminals. Due to the sheer volume of domain names registered in these TLDs, they are likely to have the largest absolute number of abused domains. The ten TLDs above together account for roughly 89% of the live C&C domains observed; the remainder is spread across other TLDs. Note that the figures are absolute counts, not an abuse rate per registered domain, so a TLD with far fewer registrations than .com but a high share of the table (the ccTLDs .ru and .in, for example) may well have a higher proportion of abused domains.



Solutions : www.xcyss.in  
