CERT/CC Blog

Finding Patterns of Malicious Use in Bulk Registrations

By Leigh Metcalf on 04/24/2013

Hi, this is Leigh Metcalf with my colleague Jonathan Spring. In 2011, .co.cc [1] and .co.tv [2] were removed from Google's search results because of the high incidence of malicious domains under them (.cc is the TLD for the Cocos Islands and .tv is the TLD for Tuvalu). Neither .co.cc nor .co.tv is an official registry of its country's TLD; each is a privately held second-level domain whose owner gives away single subdomains for free and charges a nominal fee for bulk registrations. Similarly, an APWG report for the second half of 2011 lists .tk, the TLD of the islands of Tokelau, as the TLD most commonly used in phishing attacks. It, too, permits free domain registration.

Our goal is to look for patterns of (malicious) use in effective TLDs (eTLDs) that offer free and bulk registrations. For this task, we use a passive DNS data source, the SIE (http://sie.isc.org). Figure 1 shows the number of unique subdomains resolved in .co.cc per day from January 1 through December 31, 2012. Figure 2 displays the same data for .co.tv, and Figure 3 likewise for .tk.

Figure 1: Unique .co.cc subdomains resolved per day, January 1 through December 31, 2012 (image copy.png not reproduced).

The .co.cc results spike on May 17, 2012, to almost double any other peak during the year. The IP addresses used by the domains on that day are peculiar: 47% of the domains (about 69,000) pointed to just four IP addresses, all four of which are listed on popular blacklists as malware distribution locations as well as spam hosts and senders.

In the .co.tv graphic, there is a spike in the number of active domains on October 6, 2012. The domains in this spike likewise had curious IP use: of the 124,864 domains, 98% pointed to a single IP address, which is listed by the SpyEye tracker as a known command and control IP and elsewhere as a known phishing IP, malware distributor, and spammer. The number of domains (124,864) is also about 45 times the median number of unique resolved domains per day for .co.tv in 2012 (2,824), which means the usual population of domain names makes up the other 2% on that day.

Figure 2: Unique .co.tv subdomains resolved per day, 2012 (image tv.png not reproduced).

The .tk TLD demonstrates similar spikes, notably on May 21, 2012. In this case, approximately 81% of the domains resolved to only two IP addresses. Again, both of these IP addresses appear on external blacklists as related to Zeus, SpyEye, and other malicious activity.

Figure 3: Unique .tk subdomains resolved per day, 2012 (image tk.png not reproduced).

As demonstrated in our previous blog post, the popular and respected generic TLDs do not exhibit such extreme behavior (note that the scales of the charts are not equivalent). These three cases indicate that these peculiar bursts of activity are malicious in nature. There are too many smaller jumps throughout the year to investigate all of them; however, they appear largely to be microcosms of the larger bursts, which are generally malicious.
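The two measurements behind the three cases above (a day's unique-domain count compared with the year's median, and the share of that day's domains that land on a handful of IP addresses) are simple to compute from any passive DNS extract. The script below is an added example, not code from the original post or from CERT; its record layout (date, rrname, rrtype, rdata as tab-separated fields), its spike threshold, and its sample feed are assumptions for illustration, and a real SIE export has its own schema. The constructed feed mirrors the .co.tv case: thirty quiet days, then one day on which hundreds of fresh domains all resolve to a single address.

```python
"""Spike and IP-concentration checks over a passive DNS extract.

Added example, not code from the original post. The record layout
(date, rrname, rrtype, rdata) and the sample feed are constructed for
illustration; a real SIE passive DNS export has its own schema.
"""
from collections import defaultdict
from statistics import median

ETLDS = (".co.cc", ".co.tv", ".tk")  # zones under study, as suffixes


def etld_of(name, etlds=ETLDS):
    """Return the studied eTLD that `name` falls under, or None."""
    name = name.rstrip(".").lower()
    for e in etlds:
        if name.endswith(e) and len(name) > len(e):
            return e
    return None


def registered_domain(name, etld):
    """Collapse 'www.foo.co.cc' to 'foo.co.cc' so one registration counts once."""
    stem = name.rstrip(".").lower()[: -len(etld)]
    return stem.split(".")[-1] + etld


def parse_records(lines):
    """Parse tab-separated 'date rrname rrtype rdata' lines; keep A records only."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, rrname, rrtype, rdata = line.split("\t")
        if rrtype == "A":
            out.append((date, rrname, rdata))
    return out


def daily_domains(records, etld):
    """Map each date to the set of registered domains under `etld` seen that day."""
    by_day = defaultdict(set)
    for date, rrname, _ in records:
        if etld_of(rrname) == etld:
            by_day[date].add(registered_domain(rrname, etld))
    return dict(by_day)


def spike_days(by_day, factor=10):
    """Days whose unique-domain count is >= factor * median; (date, count, ratio)."""
    counts = {d: len(s) for d, s in by_day.items()}
    if not counts:
        return []
    med = median(counts.values())
    return sorted((d, c, c / med) for d, c in counts.items() if med and c >= factor * med)


def ip_concentration(records, etld, date, top_n=4):
    """Share of that day's `etld` domains pointing at the top_n most shared IPs.

    Returns (share, [(ip, domain_count), ...]). A domain with several A
    records is counted once per distinct IP it points at."""
    domains_per_ip = defaultdict(set)
    all_domains = set()
    for d, rrname, ip in records:
        if d == date and etld_of(rrname) == etld:
            dom = registered_domain(rrname, etld)
            all_domains.add(dom)
            domains_per_ip[ip].add(dom)
    top = sorted(domains_per_ip.items(), key=lambda kv: (-len(kv[1]), kv[0]))[:top_n]
    covered = set().union(*(s for _, s in top)) if top else set()
    share = len(covered) / len(all_domains) if all_domains else 0.0
    return share, [(ip, len(s)) for ip, s in top]


def constructed_feed():
    """Constructed data: 30 quiet days with six .co.tv domains on varied IPs, and
    one day on which 500 fresh domains all resolve to a single IP."""
    lines = []
    for day in range(1, 31):
        date = f"2012-10-{day:02d}"
        for k in range(5):
            lines.append(f"{date}\thost{k}.co.tv\tA\t203.0.113.{k + 1}")
            lines.append(f"{date}\twww.host{k}.co.tv\tA\t203.0.113.{k + 1}")
        lines.append(f"{date}\tquiet{day}.co.tv\tA\t203.0.113.100")
    for k in range(500):
        lines.append(f"2012-10-06\tbulk{k:04d}.co.tv\tA\t198.51.100.7")
    lines.append("2012-10-06\tunrelated.example.com\tA\t192.0.2.1")  # outside the zones
    lines.append("2012-10-06\tbulk0001.co.tv\tMX\tmail.bulk0001.co.tv")  # not an A record
    return lines


if __name__ == "__main__":
    recs = parse_records(constructed_feed())
    by_day = daily_domains(recs, ".co.tv")
    for date, count, ratio in spike_days(by_day):
        share, top = ip_concentration(recs, ".co.tv", date, top_n=1)
        print(f"{date}: {count} domains ({ratio:.0f}x median); "
              f"{share:.0%} of them on {[ip for ip, _ in top]} -> check against blocklists")
```

The script stops where the post's analysis continues: it produces the spike days and the small set of IP addresses that carry most of each spike, and those addresses are what you would then look up in external blocklists. Collapsing hostnames to their registered domain matters, because a single bulk registration with www, mail, and bare-name records would otherwise count three times and inflate a spike.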

Despite high-profile efforts such as Google's delisting, the .co.tv eTLD is still active and still hosts bursts of malicious domains. There was a lull at the end of 2012, but activity resumed in 2013 (not pictured). These bursts are likely correlated with important campaigns for the domain owners; examples might be upgrading malicious software or delivering particularly important commands. We are not able to identify these actions positively with passive DNS data alone. Such bulk activation largely defeats domain block list efforts, since there are too many individual domains to list them one by one. The .co.tv and .tk domains remain dangerous to the internet community because they allow these sorts of bulk registrations.

The .co.cc eTLD is another story. On November 13-14, 2012, it precipitously disappeared. Since then there have been no more than a handful of .co.cc domains with IP addresses, and all of them are name servers in glue records that do not come from the official .co.cc name server. The zone is dead, and as of this writing it remains so. Slashdot reported on the situation at the time <http://tech.slashdot.org/story/12/11/15/2215256/free-registrar-cocc-goes-the-way-of-the-dodo>, including the remark that .tk was available to replace any free domain needs the user had. There does not seem to be any technical reason for the cessation of operations. We believe this emphasizes the need for non-technical solutions in the other related problem areas as well. Send your comments to netsa-contact@cert.org.

Topics: Network Situational Awareness