CERT/CC Blog

Top-10 Top Level and Second Level Domains Found in Malicious Software

Hello folks. This post comes to you courtesy of Ed Stoner and Aaron Shelmire from the Network Situational Awareness group at CERT. They write:

Recently there have been some statistics published on botnet Command & Control (C2) channels. These statistics claim that 94.58% of botnet C2 channels are under the .com top level domain (TLD). While it's impossible to accurately comment on those statistics without knowing the methodology used to arrive at them, we at CERT have been doing research concerning malicious domain names that arrives at a different result.

Over the 6-month period from July 2009 through February 2010, our malicious software collection grew by more than 250,000 samples. Those samples reference nearly 120,000 distinct domain names. The top 10 top level domains were:

Count   TLD     Percentage of total domains
28191   .net    ~23.9%
25040   .com    ~21.0%
23674   .info   ~19.9%
19889   .org    ~16.7%
 8020   .biz    ~6.7%
 3561   .cn     ~3.0%
 1894   .br     ~1.6%
 1046   .cc     ~0.9%
  902   .ru     ~0.8%
  594   .de     ~0.5%

Our collection shows a much more even distribution of domain names over top level domains.

As for second-level domains, we have the following top 10:

Count   Second-level domain   Percentage of total domains
 7200   .no-ip.biz            ~6%
 5810   .3322.org             ~4.9%
 1980   .no-ip.info           ~1.6%
 1897   .no-ip.org            ~1.6%
 1488   .dyndns.org           ~1.3%
 1420   .yi.org               ~1.2%
  628   .vicp.net             ~0.5%
  495   .gicp.net             ~0.4%
  311   .zapto.org            ~0.3%
  269   .mooo.com             ~0.2%

The three "no-ip" second-level domains (.no-ip.biz, .no-ip.info and .no-ip.org) together account for approximately 10% of the malicious domain names.

There are a few caveats regarding this data.

First, these are only the domain names as they appear in the malicious code. This does not mean that 23.9% of malicious traffic is routed to domain names under the .net top level domain, nor that 23.9% of malicious activity occurs because of the .net TLD.

Nor does it mean that 3.0% of malicious domain names are physically located in China. It simply means that the .cn registry allowed those names to be registered.

Second, the presence of a domain name in a sample says nothing about the role that name plays. It could be serving an exploit payload, serving as a drop point for exfiltrated data, or serving as the location from which the RAT software is fetched.

Lastly, these domain names have been sorted and made unique. This means that if a domain name appeared 100 times, we counted it only once. Had we kept every occurrence, we would have nearly 500,000 instances of domain names being used within that 6-month period.
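The tabulation described above (one count per unique domain name, grouped by its last label for the TLD table and by its last two labels for the second-level table, then the no-ip aggregation) is easy to reproduce on your own sample set. The following is an added example written for this page, not CERT's tooling or data: the extracted strings are constructed, the percentages are computed against the number of unique names as the post does, and the set of dynamic DNS providers is an assumption drawn from the post's second table (the post itself aggregates only the no-ip names). It deliberately keeps the post's naive "last two labels" definition of a second-level domain, so a name such as mirror.example.com.br is credited to .com.br, which is one reason the .br row in the TLD table should not be read as a count of Brazilian registrants.

```python
"""Tally TLDs and second-level domains from domain names extracted from
malware samples, the way the CERT post describes: one count per unique
domain name, grouped by the last label (TLD) and by the last two labels
(second-level domain).

Added example; the sample list below is constructed for illustration and
is not CERT's data.
"""
from collections import Counter

# Constructed (sample_id, domain) pairs standing in for strings pulled out
# of malware samples.  Duplicates are deliberate: the same C2 name appears
# in several samples, and one sample may carry the same name twice.
EXTRACTED = [
    ("s001", "updates.no-ip.biz"),
    ("s002", "updates.no-ip.biz"),
    ("s002", "updates.no-ip.biz"),
    ("s003", "Host1.3322.org."),        # mixed case and trailing dot
    ("s004", "host1.3322.org"),
    ("s005", "cdn.example-payload.net"),
    ("s006", "drop.example-exfil.info"),
    ("s007", "rat.example-c2.org"),
    ("s008", "mirror.example.com.br"),  # naive SLD rule credits .com.br
    ("s009", "bot.zapto.org"),
    ("s010", "bot.no-ip.org"),
    ("s011", "stats.example.cn"),
    ("s012", "node.dyndns.org"),
]

# Second-level domains run by dynamic DNS providers, taken from the post's
# second table.  Treating all of them as one class is an assumption of this
# example; the post aggregates only the three no-ip names.
DYNDNS_SLDS = {
    "no-ip.biz", "no-ip.info", "no-ip.org", "3322.org", "dyndns.org",
    "yi.org", "vicp.net", "gicp.net", "zapto.org", "mooo.com",
}


def normalize(name):
    """Canonical form so case and trailing-dot variants count as one name."""
    return name.strip().rstrip(".").lower()


def unique_domains(pairs):
    """Distinct names: each counted once however many samples carry it
    (the post's 'sorted and made unique')."""
    return {normalize(d) for _, d in pairs}


def tld(name):
    """Last label, e.g. 'br' for mirror.example.com.br."""
    return name.rsplit(".", 1)[-1]


def second_level(name):
    """Last two labels, the post's definition: 'com.br' for the .br name
    above, 'no-ip.biz' for updates.no-ip.biz."""
    return ".".join(name.split(".")[-2:])


def tally(pairs):
    """Return (unique_total, tld_counts, sld_counts) as the post tabulates."""
    names = unique_domains(pairs)
    return (len(names),
            Counter(tld(n) for n in names),
            Counter(second_level(n) for n in names))


def percent(count, total):
    """Share of unique names, rounded to one decimal like the post's ~N%."""
    return round(100.0 * count / total, 1) if total else 0.0


def dyndns_share(pairs, providers=DYNDNS_SLDS):
    """(count, percent) of unique names under a dynamic DNS provider's
    second-level domain: the aggregation the post does for no-ip."""
    names = unique_domains(pairs)
    hits = sum(1 for n in names if second_level(n) in providers)
    return hits, percent(hits, len(names))


def report(pairs):
    """Plain-text tables in the shape the post prints."""
    total, tlds, slds = tally(pairs)
    lines = [f"{total} unique domains from {len(pairs)} extracted strings"]
    for label, counter in (("TLD", tlds), ("second-level domain", slds)):
        lines.append(f"Top {label}s:")
        for key, count in counter.most_common(5):
            lines.append(f"  {count:6d}  .{key:<16} ~{percent(count, total)}%")
    hits, share = dyndns_share(pairs)
    lines.append(f"under dynamic DNS providers: {hits} names, ~{share}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(EXTRACTED))
```

Because the count is over unique names, a C2 domain hard-coded into thousands of samples weighs exactly as much as one seen once; if you want the "nearly 500,000 instances" view instead, tally over `EXTRACTED` without the set in `unique_domains`.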

About the Author

Chad Dougherty
