Botnet Domains Highlight Global Reach
The electronic underground ecosystem has been firmly entrenched throughout nearly every corner of the planet for years, but new research highlights the fact that botnet command and control (CnC) infrastructure has truly become a pervasive and global phenomenon.
In a recent study conducted by researchers at anti-botnet specialists Damballa, experts took a closer look at the spread of botnet CnCs in direct relation to the Top Level Domains (TLDs) they reside on. And while unsurprisingly there are still far more CnCs running on plain old .com, .org, .info and .biz domains, the rest of the top ten compromises an interesting mix of nations located all over the world.
In fact .coms alone make up 94.5 percent of all botnet CnC TLDs. But what do the other involved nations have in common?
Well, after recognizing the fact that the aforementioned TLDs likely represent a lion's share of the sites located in places like the U.S. and Europe, the countries who rank next on Damballa's list are all (shocking, I know...) nations where Internet regulators are known to be fairly unresponsive to efforts by outsiders to force them to better police domain registrations.
Damballa Vice President of Research Gunter Ollmann concedes that he went into the project in an attempt to first measure the number of botnets being run out of infrastructure in China (or on .cn TLDs), so it's no surprise to find that the nation indeed leads the world in hosting zombie network CnCs outside of the more generic TLDs.
Recent work by the Chinese government to make .cn domain registrations more stringent may or may not have an affect on the botnet problem someday, but clearly the issue still rages on, Ollmann notes.
"It will be interesting to see whether '.cn' domains remain in the Top-10 for 2010 since the China domain registration authority is supposedly hardening it's registration process and clamping down on abuse," he said.
Beyond China, the list features a handful of far flung island countries and of course the big bear that is Russia. Damballa noted that Taiwan (.tw), the Cocos Islands (.cc), Western Samoa (.ws) come in ahead of Russia (.ru), respectively, with the top ten rounded out by Trinidad and Tobago (.tt).
The Russian cyber crime industry is well understood to be among the most prolific and sophisticated in the world, but these other tiny countries are having their TLDs abused simply because they "conduct little validation and verification of the people purchasing domains from them," Ollmann said.
Though, it is always worth noting that many of the people using the domains for botnet CnCs are likely located in other countries.
As for .coms, they remains the biggest vehicle for CnCs simply because they are available everywhere around the globe and thus harder to trace, since the TLD remains the one most used by legitimate organizations, and because entities such as so-called free dynamic DNS providers also utilize the domains.
Just as with matters of international terrorism and human trafficking, clearly, if progress is to be made in controlling the botnet epidemic, international cooperation will be a major catalyst.
For now, as the expert warns, "watch out for CnC's hiding in plain sight!"
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.