Q4 saw a 23% rise in the number of new botnet command and controllers (C&Cs) identified by our research team. Despite this increase, our researchers are aware of botnet C&C activity they cannot track due to communications being made via DNS over HTTPS (DoH). This is worrying and certainly tilts the scales in the cybercriminals’ favor.
Welcome to the Spamhaus Botnet Threat Update Q4 2021.
The issues of DNS over HTTPS (DoH)
Remember FluBot & TeamBot from Q3?
Last quarter, we reported “an explosion in backdoor malware” due to FluBot & TeamBot. In Q4, from the perspective of botnet C&C infrastructure Spamhaus observed, this malware family completely disappeared. However, this doesn’t mean they weren’t active. That is far from the truth – they were active!
Why are they not being detected by Spamhaus?
This malware isn’t appearing in our listings because those miscreants responsible for them have changed their operating procedures. Instead of making C&C communications using traditional HTTPS protocol, they use DNS over HTTPS (DoH) and abuse large DoH providers, including Google and Alibaba.
Preventing abuse on the internet gets harder
While DoH was heralded with fanfares and touted as the next best security development of the internet, some security professionals (including Spamhaus) sighed as they realized the good guys would lose even more visibility over what the bad guys were doing. And by “even more,” we refer to other issues like losing visibility of WHOIS data.
Why is DoH an issue?
DoH encrypts DNS traffic, making a resource private and secure that previously has always been public (unencrypted). You may be thinking that this has
to be a good thing, however as you can see, in this circumstance, our researchers have no visibility of FluBot & TeamBot’s DNS requests. Consequently, we can’t list the IP addresses, and therefore this data can’t be used to protect users. While DoH is meant to be protecting the internet community, it is also enabling cybercriminals. It’s a double-edged sword.
Not only does DoH make hunting down miscreants even more challenging, but it also means that security products based around DNS monitoring and filtering could be less effective, which is far from ideal. Security issues are compounded due to major DoH providers not filtering harmful DNS resolutions of botnet, phishing or malware domains.
Number of botnet C&Cs observed, Q4 2021
In Q4 2021, Spamhaus identified 3,271 botnet C&Cs compared to 2,656 in Q3 2021. This was a 23% increase quarter on quarter. The monthly average increased from 885 in Q3 to 1,090 botnet C&Cs per month in Q4.
Geolocation of botnet C&Cs, Q3 2021
Russia continues with significant increases
We reported last quarter that the number of botnet C&Cs in Russia had increased dramatically. However, this quarter saw even bigger increases:
- Q1 to Q2 – 19% increase
- Q2 to Q3 – 64% increase
- Q3 to Q4 – 124% increase
In Q4, almost 30% of botnet C&C servers were located in Russia.
LatAm presence continues
Several countries from Latin America (LatAm) were new entries in Q3 and remained in the Top 20 in Q4, including Mexico, Dominion Republic, Brazil, and Uruguay. Uruguay had the largest percentage increase (181%) of all geos in Q4.
Ups and downs across Europe
After continuing increases across various European countries, we’re pleased to report that several have reduced numbers; the Netherlands, France, Sweden and Romania. Meanwhile, Switzerland has dropped off the Top 20 List completely. However, Germany has moved into third place with a 35% increase, and Great Britain has experienced a 56% increase.
Malware associated with botnet C&Cs, Q4 2021
Credential stealers were the most prevalent malware type associated with Botnet C&Cs in Q4. This doesn’t come as a surprise, given that the top two malware listed, RedLine & Loki, are both Credential Stealers.
GCleaner emerging
We saw a considerable uptick in GCleaner activity, leading to it being placed at #4, despite being a newcomer to the Top 20. GCleaner is similar to Smoke Loader in its modus operandi, and it is utilized in a Pay-Per-Install (PPI) model, dropping other malware on already infected hosts. While this malware threat has been around for some time, it is the first time that GCleaner has made it onto our Top 20 listings.
FluBot/TeamBot disappear
As discussed in our Spotlight section, this malware that had the #1 spot last quarter has disappeared from our listings; however, it is still operational having switched across to using DoH.
Malware type comparisons between Q3 and Q4 2021
|
Most abused top-level domains, Q4 2021
A new entry at #4
We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.
.de reappears
The ccTLD de (Germany) re-entered our quarterly ranking at #20, having dropped off the Top 20 in Q2.
Reductions and departures
We’d like to congratulate all the registries that manage TLDs who departed from our listings along with those who significantly reduced the number of associated botnet C&Cs using their TLDs, including .buzz and .net, who both saw an 80% reduction.
Q3 data inaccuracy
Apologies to Verisign for an error in our Q3 2021 statistic for .com. We misreported the number of botnet C&Cs for the TLD, and the correct figure was 3,730. Various issues led to this error, but we are pleased to confirm that we have worked with Verisign to rectify these.
Interpreting the data
Registries with a greater number of active domains have greater exposure to abuse. For example, in Q4 2021, .net had more than 13 million active domain zones, of which 0.00103% were associated with botnet C&Cs. Meanwhile, .xxx had just over 9,000 active domains, of which 2.4% were associated with botnet C&Cs. Both are in the top ten of our listings, but one had a much higher percentage of active domains associated with botnet C&Cs than the other.
Working together with the industry for a safer internet
Naturally, our preference is for no TLDs to have botnet C&Cs associated with them, but we live in the real world and understand there will always be abuse.
What is crucial is that abuse is dealt with quickly. Where necessary, if domain names are registered with the sole purpose of distributing malware or hosting botnet C&Cs, we would like registries to suspend these domain names. We appreciate the efforts of many registries who work with us to ensure these actions are taken, including .xyz and .top.
Most abused domain registrars, Q4 2021
Overall, we saw a decrease in fraudulent domain registrations in Q4 2021, which is positive news. But some countries’ registrars are still clearly struggling.
Canadian based registrars
Registrars in Canada had the most fraudulent botnet C&C registrations in Q4, overtaking China from Q3.
German based registrars
There was a noticeable increase (136%) in the number of botnet C&Cs associated with registrars operating out of Germany. This was due to Key Systems experiencing a 74% increase and 1API re-entering our charts at #12, having dropped off the Top 20 in Q2.
Atak
This domain registrar appeared for the first time in our rankings. Atak operates out of Turkey and hasn’t responded to any of our abuse reports to date. We have therefore filed a complaint against Atak with ICANN’s policy enforcement. It is imperative that everyone who is part of the internet ecosphere work together to protect internet users.
Nicenic.net (China) & PDR (India)
These registrars experienced significant increases in the number of botnet C&C domains registered through them in Q4. However, while registrations are increasing for PDR their response times to abuse reports are excellent.
Thank you to those who’ve departed from our listings
Last quarter we highlighted that CentralNic, West263, and Network Solutions had all experienced considerable increases in the number of newly registered botnet C&C domains. In Q4, all three of these registrars, along with eName, Xin Net, 22net, and OVH, departed from our Top 20 this quarter, so we’d like to applaud all their efforts in preventing fraudulent registrations.
Location of Most Abused Domain Registrars
|
Networks hosting the most newly observed botnet C&Cs, Q4 2021
As usual, there were many changes in the networks hosting newly observed botnet C&Cs.
Does this list reflect how quickly abuse is dealt with at networks?
While this Top 20 listing illustrates that there may be an issue with customer vetting processes, it doesn’t reflect on the speed abuse desks deal with reported issues. See “Networks hosting the most active botnet C&Cs”
to view networks where abuse isn’t dealt with promptly.
A mixed bag
Uninet.net.mx (#1), serverion.com (#5) and cloudflare.com (#9) – all three appear within the Top 10 of our listings, but there are big differences between them.
Uninet is a telecom and network operator in Mexico. All newly hosted botnet C&Cs we identified in their IP space resulted from compromised customer equipment.
Serverion is a hosting company based in the Netherlands. All botnet C&Cs we identified on their network in Q4 resulted from fraudulent sign-ups.
Last but not least, we have Cloudflare who is not hosting any content rather providing a reverse proxy service and DDoS protection to botnet C&Cs, hiding their actual location.
Networks hosting the most active botnet C&Cs, Q4 2021
Finally, let’s review the networks that hosted the largest number of active botnet C&Cs at the end of 2021. Hosting providers who appear in this ranking either have an abuse problem, do not take the appropriate action when receiving abuse reports, or omit to notify us when an abuse problem has been dealt with.
Network operators in LatAm region need to get on top of abuse rapidly
Over 60% of active botnet C&C listings are on networks located in the LatAm region. We implore these operators to quickly respond to abuse reports and work with Spamhaus to reduce botnet C&C abuse on their networks.
That’s all for now. Stay safe and see you in April!