Some of you may remember Spamhaus' dispute with Nic.at (the registry for the .at ccTLD, "country code Top Level Domain") back in 2007. At that time, we saw a massive number of the "Rock Phish" gang's phishing domain names being registered within .at for the exclusive purpose of hosting phishing sites. We reached out to Nic.at several times regarding these domains, but Nic.at refused to take action against them. In accordance with Spamhaus' SBL Listing Policy, we then issued a listing of Nic.at IP space for providing spam support services. That same day we received a statement from Nic.at telling us that the reported domain names had been suspended. That was good news for the internet: the phishers moved away from ccTLD .at. They tried other TLDs, but those domains were quickly shut down, and not long after leaving .at the Rock Phish gang faded away completely.
Since that time it had been fairly quiet in the .at zone in terms of abuse, at least until the end of 2014, when we started to see miscreants register new domain names within the .at namespace again. The story is almost the same as in 2007: miscreants registering domain names for exclusively malicious purposes. This time, instead of hosting phishing content, the domains are used solely to provide DNS resolution for botnets. We call this "malware DNS hosting." To this end, the miscreants hijack modems and routers around the world and install their own DNS servers on them, configured to resolve and serve these botnet domains, typically for botnets such as Zemot (a click-fraud bot) or e-banking trojans such as KINS and Gozi.
Below are some sample domains that were actively being used for malware DNS hosting at the time of writing. Note that the A records point into end-user IP address space, meaning that these are all hijacked routers/modems or otherwise compromised devices.
$ dig +norec +noqu jeteligold.at @d.ns.at NS

;; AUTHORITY SECTION:
jeteligold.at.          10800   IN      NS      bb.jeteligold.at.
jeteligold.at.          10800   IN      NS      dd.jeteligold.at.
jeteligold.at.          10800   IN      NS      cc.jeteligold.at.
jeteligold.at.          10800   IN      NS      aa.jeteligold.at.

;; ADDITIONAL SECTION:
aa.jeteligold.at.       10800   IN      A       18.104.22.168
bb.jeteligold.at.       10800   IN      A       22.214.171.124
cc.jeteligold.at.       10800   IN      A       126.96.36.199
dd.jeteligold.at.       10800   IN      A       188.8.131.52

$ dig +norec +noqu uhilod.at @d.ns.at NS

;; AUTHORITY SECTION:
uhilod.at.              10800   IN      NS      aa.uhilod.at.
uhilod.at.              10800   IN      NS      dd.uhilod.at.
uhilod.at.              10800   IN      NS      cc.uhilod.at.
uhilod.at.              10800   IN      NS      bb.uhilod.at.

;; ADDITIONAL SECTION:
aa.uhilod.at.           10800   IN      A       184.108.40.206
bb.uhilod.at.           10800   IN      A       220.127.116.11
cc.uhilod.at.           10800   IN      A       18.104.22.168
dd.uhilod.at.           10800   IN      A       22.214.171.124

$ dig +norec +noqu hjll.at @d.ns.at NS

;; AUTHORITY SECTION:
hjll.at.                10800   IN      NS      cc.hjll.at.
hjll.at.                10800   IN      NS      dd.hjll.at.
hjll.at.                10800   IN      NS      aa.hjll.at.
hjll.at.                10800   IN      NS      bb.hjll.at.

;; ADDITIONAL SECTION:
aa.hjll.at.             10800   IN      A       126.96.36.199
bb.hjll.at.             10800   IN      A       188.8.131.52
cc.hjll.at.             10800   IN      A       184.108.40.206
dd.hjll.at.             10800   IN      A       220.127.116.11
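The three delegations above share glue addresses: uhilod.at reuses two of jeteligold.at's name-server IPs, and hjll.at reuses two from each of the others. That overlap is the pivot a researcher uses to go from one known-bad domain to its siblings on the same hijacked devices. The following is an added example (not Spamhaus code) that parses dig output of the kind shown above, checks that the name servers are all in-bailiwick, inverts the glue into an IP-to-domains index, and groups domains that share any glue IP, transitively, into clusters. The sample input is the page's three delegations re-typed as a constructed string; no lookups are performed.

```python
import re
from collections import defaultdict

# Constructed sample input: the three delegations quoted above, re-typed as the
# raw text that `dig +norec +noqu <domain> @d.ns.at NS` prints for each one.
SAMPLE_DIG_OUTPUT = """
$ dig +norec +noqu jeteligold.at @d.ns.at NS
;; AUTHORITY SECTION:
jeteligold.at.      10800   IN  NS  bb.jeteligold.at.
jeteligold.at.      10800   IN  NS  dd.jeteligold.at.
jeteligold.at.      10800   IN  NS  cc.jeteligold.at.
jeteligold.at.      10800   IN  NS  aa.jeteligold.at.
;; ADDITIONAL SECTION:
aa.jeteligold.at.   10800   IN  A   18.104.22.168
bb.jeteligold.at.   10800   IN  A   22.214.171.124
cc.jeteligold.at.   10800   IN  A   126.96.36.199
dd.jeteligold.at.   10800   IN  A   188.8.131.52
$ dig +norec +noqu uhilod.at @d.ns.at NS
;; AUTHORITY SECTION:
uhilod.at.          10800   IN  NS  aa.uhilod.at.
uhilod.at.          10800   IN  NS  dd.uhilod.at.
uhilod.at.          10800   IN  NS  cc.uhilod.at.
uhilod.at.          10800   IN  NS  bb.uhilod.at.
;; ADDITIONAL SECTION:
aa.uhilod.at.       10800   IN  A   184.108.40.206
bb.uhilod.at.       10800   IN  A   220.127.116.11
cc.uhilod.at.       10800   IN  A   18.104.22.168
dd.uhilod.at.       10800   IN  A   22.214.171.124
$ dig +norec +noqu hjll.at @d.ns.at NS
;; AUTHORITY SECTION:
hjll.at.            10800   IN  NS  cc.hjll.at.
hjll.at.            10800   IN  NS  dd.hjll.at.
hjll.at.            10800   IN  NS  aa.hjll.at.
hjll.at.            10800   IN  NS  bb.hjll.at.
;; ADDITIONAL SECTION:
aa.hjll.at.         10800   IN  A   126.96.36.199
bb.hjll.at.         10800   IN  A   188.8.131.52
cc.hjll.at.         10800   IN  A   184.108.40.206
dd.hjll.at.         10800   IN  A   220.127.116.11
"""

# One RR per line: owner, TTL, class, type, rdata (dig's default layout).
NS_RE = re.compile(r'^(\S+)\.\s+\d+\s+IN\s+NS\s+(\S+)\.$', re.M)
A_RE = re.compile(r'^(\S+)\.\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$', re.M)

def parse_delegations(text):
    """Return {zone: {ns_host: glue_ip_or_None}} from dig NS output."""
    ns_of = defaultdict(set)
    for zone, host in NS_RE.findall(text):
        ns_of[zone.lower()].add(host.lower())
    glue = {host.lower(): ip for host, ip in A_RE.findall(text)}
    return {zone: {h: glue.get(h) for h in sorted(hosts)}
            for zone, hosts in ns_of.items()}

def in_bailiwick(zone, delegation):
    """True when every NS host sits under the zone it serves, so the only
    reusable infrastructure indicator is the glue address itself."""
    return all(h == zone or h.endswith('.' + zone) for h in delegation)

def index_by_ip(delegations):
    """Invert the delegations into {glue_ip: [zones]}: the pivot table."""
    idx = defaultdict(set)
    for zone, hosts in delegations.items():
        for ip in hosts.values():
            if ip:
                idx[ip].add(zone)
    return {ip: sorted(zones) for ip, zones in idx.items()}

def cluster_by_shared_glue(delegations):
    """Union-find over zones: two zones join one cluster when any glue IP
    is shared, transitively (A shares with B, B shares with C => one set)."""
    parent = {zone: zone for zone in delegations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for zones in index_by_ip(delegations).values():
        for zone in zones[1:]:
            parent[find(zone)] = find(zones[0])
    clusters = defaultdict(list)
    for zone in delegations:
        clusters[find(zone)].append(zone)
    return sorted(sorted(c) for c in clusters.values())

if __name__ == '__main__':
    deleg = parse_delegations(SAMPLE_DIG_OUTPUT)
    for zone, hosts in deleg.items():
        kind = 'in-bailiwick' if in_bailiwick(zone, hosts) else 'external NS'
        print(zone, kind, hosts)
    for ip, zones in sorted(index_by_ip(deleg).items()):
        print(ip, '->', ', '.join(zones))
    print('clusters:', cluster_by_shared_glue(deleg))
```

On the three sample delegations this yields a single cluster, which is the point: the domains look unrelated by name but run on one pool of compromised end-user devices. Feeding the output of a daily sweep of newly registered .at domains into the same functions would surface new members of the pool as soon as they receive glue that has already been seen.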
But this is merely the tip of the iceberg. Since late 2014 we have seen many such .at domains, all used for the same purpose:
2015-08-20 12:50:10   rikklacrt.at      Malware DNS
2015-08-16 09:02:54   serverweb.at      Malware DNS
2015-08-14 09:52:37   zartrusrokl.at    Malware DNS
2015-08-02 09:17:49   jeteligold.at     Malware DNS
2015-07-25 08:38:48   zyzaeloft.at      Malware DNS
2015-07-14 06:45:32   dfuktilor.at      Malware DNS
2015-07-04 08:15:16   dirrolkh.at       Malware DNS
2015-07-01 09:46:48   metanet.at        Malware DNS
2015-06-25 05:54:48   gilkolt.at        Malware DNS
2015-06-20 10:33:32   deorzae99.at      Malware DNS
2015-06-07 07:52:44   kilofrogs.at      Malware DNS
2015-06-04 06:47:33   hjll.at           Malware DNS
2015-05-30 20:05:53   dudiklor.at       Malware DNS
2015-05-30 09:07:15   rekmilk.at        Malware DNS
2015-05-28 06:10:19   fgfj.at           Malware DNS
2015-05-22 10:37:46   uhilod.at         Malware DNS
2015-05-18 07:51:33   rhzq.at           Malware DNS
2015-05-15 11:07:59   wxj.at            Malware DNS
2015-05-15 08:41:01   lukpin.at         Malware DNS
2015-05-14 07:28:50   zorjbneon.at      Malware DNS
2015-05-13 12:40:01   wzq.at            Malware DNS
2015-05-06 17:25:57   geokcha.at        Malware DNS
2015-05-02 15:40:04   flurilk.at        Malware DNS
2015-05-01 14:38:37   deosli.at         Malware DNS
2015-04-25 07:02:13   mizare.at         Malware DNS
2015-04-21 12:53:25   qlj.at            Malware DNS
2015-04-20 07:34:25   cormk.at          Malware DNS
2015-04-18 08:06:56   xwz.at            Malware DNS
2015-04-04 10:49:02   qwj.at            Malware DNS
2015-04-04 10:36:20   uwpi.at           Malware DNS
2015-03-30 12:17:02   zjw.at            Malware DNS
2015-03-26 09:23:58   techost.at        Malware DNS
2015-03-24 12:00:33   qjq.at            Malware DNS
2015-03-13 14:11:41   maxdns.at         Malware DNS
2015-03-11 09:37:01   gogot.at          Malware DNS
2015-03-09 11:28:02   qxq.at            Malware DNS
2015-03-08 09:14:20   xqk.at            Malware DNS
2015-03-05 08:19:36   pabla.at          Malware DNS
2015-01-09 14:00:40   uberhosting.at    Malware DNS
2014-12-26 09:46:42   webcore.at        Malware DNS
2014-12-26 09:46:36   wqj.at            Malware DNS
2014-11-12 12:17:13   keyhost.at        Malware DNS
Nic.at is one of the very few ccTLD registries that does not reveal the name of a domain's registrar, hence it is not possible to report malicious domain names directly to the registrar. Fortunately, Nic.at introduced an API shortly after our initial dispute that allows a reporter to reach the registrar. One still has no visibility as to which .at domain name has been registered through which registrar, but at least one can reach them through Nic.at's API. Unfortunately this works very poorly, as there is no guarantee that anyone at the domain's registrar takes care of, or even reads, the reports that are sent, and there is no way to follow up with them.
Contacting Nic.at with an appeal to fix these abuse problems gets one nowhere:
Dear Mr. X,

I am referring to your e-mails below. [...]

Regarding the legal situation of nic.at: Being located in Salzburg, nic.at is subject to Austrian law. The Austrian Supreme Court clearly stated in various decisions that nic.at as the registry cannot be held liable for the content of a website. Only the domain itself is the subject of the contract between nic.at and the domain holder. Therefore it is impossible for us to withdraw or lock a domain just on the request of a private company only referring to the content of a website and without a court order applicable in Austria, as nic.at would face full liability against the domain holder.

Reasons for nic.at to withdraw a domain according to the terms and conditions are wrong holder data, non-payment, non-working name servers, a court judgement or the violation of third parties' rights through the domain itself, but not through the content.

Below we forwarded you the contact data of the responsible registrar for the named domain and ask you kindly to contact this company for further activities.

Best regards
X X
General Counsel
nic.at
We know that most of the malicious domain names shown above are registered through a German-based registrar called Key-Systems. We have contacted them and outlined the problem. While Key-Systems suspended some of the reported domain names, the registrar seems to have recommended that its customer move the domain names to a different registrar / reseller. What we are now seeing within ccTLD .at is ridiculous: several registrars, mostly German-based, are moving malicious domain names around between each other. Once you report a malicious domain name to one of these registrars, they simply transfer it to a different registrar. Of course you won't notice that, because Nic.at does not reveal the registrar's name in its whois system. The only thing you see is that the domain name is still active, even many weeks after your abuse report. If you report the domain name again through Nic.at's API, the abuse report goes to the new registrar and the miscreants move the domain to yet another registrar. It is a cat-and-mouse game, and Nic.at seems unable or unwilling to take effective action against the abuse of their domain name space. By "their domain name space" we really mean the domain name space belonging to the Austrian nation and its people and companies.
We at Spamhaus are sad to see that more than eight years after dealing with the Rock Phish gang at Nic.at, the situation hasn't changed. Nic.at has not made the essential policy changes needed to fight cybercrime. While its rules allow delegations to be revoked on instruction from a competent authority, to our knowledge no competent authority capable of instructing Nic.at to revoke the delegations of domains obviously registered for exclusively malicious purposes has been established. In a 2007 document, Nic.at suggested that the "solution" is: "If we receive a proof of wrong domain holders data, we could withdraw domain according to our T&C." This cannot work in practice. As discussed in more detail below, the registration data of malicious domains are either invalid, but proving that can be a lengthy and labor-intensive proposition (who would do it?) that may well exceed the lifetime the miscreant expects from the domain, or refer to real, innocent persons whose credentials were stolen. In contrast, the malicious nature of a domain is typically assessed by security researchers within minutes of its first appearance on the Internet, thanks to a multitude of technical indicators.
So, as a matter of fact, Nic.at today continues to refuse to suspend malicious domain names. At the same time, Nic.at neither gives registrars the authority and permission to suspend malicious domain names nor identifies those registrars. The result is that miscreants have "bulletproof" domains, provided by Nic.at, from which to control their botnets.
It gets worse: Nic.at is not the only registry suffering from these abuse problems. DENIC, the operator of the German ccTLD .de, also has a weak registrar agreement in place and provides insufficient information through its Whois gateway (again, not revealing the sponsoring registrar), and has hence been heavily abused by spammers and phishers recently. Below is a list of recent spamming, phishing and botnet domains registered in DENIC's ccTLD .de space:
2015-07-30 20:33:53   moncler-online-shop.de                  Fake product domains
2015-07-28 15:44:55   radio-def.de                            Malware C&C
2015-07-15 06:38:54   ssl-pp-authentifizierungsverfahren.de   Phishing domain
2015-07-06 06:25:04   diazepamrezeptfrei.de                   Spammer domain (pillz gang)
2015-07-05 21:38:29   viagrakaufenonline.de                   Spammer domain (pillz gang)
2015-06-25 19:11:16   verifizierung-kundendienst.de           Phishing domain
2015-06-25 19:10:47   paypal-datenabgleich.de                 Phishing domain
2015-06-16 09:29:43   postbank-zentrale.de                    Phishing domain
2015-06-14 14:04:07   kontoschutz-ssl-verfahrensabgleich.de   Phishing domain
2015-05-22 12:57:01   archimagazine.de                        Italian spammer gang
2015-05-21 14:21:37   paypal-kundenverifizierung.de           Phishing domain
2015-05-21 14:21:25   paypal-sicherer.de                      Phishing domain
2015-05-21 14:21:18   paypal-sicherheitsservice.de            Phishing domain
2015-05-21 14:20:24   paypal-verifizieren.de                  Phishing domain
2015-05-21 14:20:21   paypal-authentifizierung.de             Phishing domain
2015-05-09 08:16:52   pantozol40mg.de                         Spammer domain (pillz gang)
2015-05-09 08:16:52   bisoprolol5mg.de                        Spammer domain (pillz gang)
2015-05-09 08:16:52   doxycyclin100.de                        Spammer domain (pillz gang)
2015-05-09 08:16:52   torasemid10mg.de                        Spammer domain (pillz gang)
2015-05-09 08:16:52   mirtazapin15mg.de                       Spammer domain (pillz gang)
2015-05-09 08:16:52   azithromycin500.de                      Spammer domain (pillz gang)
2015-05-09 08:16:52   prednisolon20mg.de                      Spammer domain (pillz gang)
2015-05-09 08:16:52   tadalafil-kaufen.de                     Spammer domain (pillz gang)
2015-05-09 08:16:51   tabmd.de                                Spammer domain (pillz gang)
2015-05-09 08:16:51   apotheketop.de                          Spammer domain (pillz gang)
2015-05-09 08:16:51   ramilich5mg.de                          Spammer domain (pillz gang)
2015-05-09 08:16:51   amlodipin5mg.de                         Spammer domain (pillz gang)
2015-05-09 08:16:51   gesundeliebe.de                         Spammer domain (pillz gang)
2015-05-09 08:16:51   finasterid1mg.de                        Spammer domain (pillz gang)
2015-05-09 08:16:51   omeprazol40mg.de                        Spammer domain (pillz gang)
2015-05-09 08:16:51   prednisolon20.de                        Spammer domain (pillz gang)
2015-05-09 08:16:51   kaufen-viagra69.de                      Spammer domain (pillz gang)
2015-05-09 08:16:51   kaufentadalafil.de                      Spammer domain (pillz gang)
2015-05-09 08:16:51   pantoprazol40mg.de                      Spammer domain (pillz gang)
2015-05-08 12:37:38   potenzmittelapotheke24.de               Spammer domain (pillz gang)
2015-05-03 08:34:31   flirtfair.de                            Spammer domain
2015-05-03 08:34:31   treffpunkt69.de                         Spammer domain
2015-05-03 08:34:31   sexpartnerclub.de                       Spammer domain
2015-05-03 08:34:31   images-flirtfair.de                     Spammer domain
2015-05-03 08:34:31   static-flirtfair.de                     Spammer domain
2015-04-28 08:52:32   hochzeit-im-garten.de                   Snowshoe spam
2015-04-28 08:52:32   it-loesungen-lange.de                   Snowshoe spam
2015-03-28 07:44:25   meine-db-aktualisierungskonto.de        Phishing domain
2015-02-27 08:51:01   bekanntgabe-service.de                  Phishing domain
2015-02-27 08:50:46   kundeninformation-service.de            Phishing domain
2015-02-27 08:50:27   consumerinformation.de                  Phishing domain
2015-02-23 13:43:09   sicherheit-veriifizierung.de            Phishing domain
2015-02-10 12:26:54   kundendienst-commerzbanking.de          Phishing domain
2015-02-02 08:23:21   abcnyx98cz.de                           Neurevt C&C
Looking at the phishing domains registered within ccTLD .de in the first half of 2015, it is interesting to see that the phishers are abusing ccTLD .de not only to target PayPal customers but also to target customers of certain German banks, such as Postbank and Commerzbank. So phishers are weaponizing Germany's own internet infrastructure (in this case the ccTLD .de) to harm German citizens, yet DENIC refuses to take any action against these malicious domain names. We can imagine how frustrating this is both for the German citizens who are victims of these phishing attacks and for the affected financial institutions in Germany. The financial losses from these phishing domains are all too real.
We have contacted DENIC several times regarding these abuse problems. Unfortunately, their response was nearly identical to the one we got from Nic.at:
Hello,

DENIC is only responsible for the registration of domains directly under the Top Level Domain (TLD) .de. It is the domain holders who are responsible for their individual domains as well as the contents and services that are available through them or processed by them. It is thus never possible for DENIC to be able to find out directly who is the source of spam mails or hacker attacks. DENIC is not able to block them, nor is it able to take any further steps.

For further information, please visit our website at http://www.denic.de/en/hintergrund/spam/index.html

Mit freundlichen Grüßen / Kind regards
--
Business Services
DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY
E-Mail: XXX@denic.de
Fon: +49 69 XXX
Fax: +49 69 XXX
http://www.denic.de
Looking at DENIC's Domain Terms and Conditions, the statement made by DENIC appears in a somewhat strange light:
Ref.: http://www.denic.de/en/bedingungen.html

§ 3 Duties of the Domain Holder
(1) In submitting the application for registration of a domain, the Domain Holder gives an explicit assurance that all the data about them in the application is correct and that they are entitled to register and/or use the domain and, in particular, that the registration and intended use of the domain does not infringe anybody else's rights nor break any general law. If the Domain Holder is not domiciled in Germany, they must appoint an Administrative Contact domiciled in Germany; this Administrative Contact is also the Domain Holder's authorized representative for receiving the service of official or court documents for the purposes of § 184 of the German Code of Civil Procedure, § 132 of the German Code of Criminal Procedure, § 56 (3) of the Rules of the Administrative Courts, and § 15 of the Administrative Procedures Act and the corresponding provisions of the Administrative Procedures Acts of the respective states of the Federal Republic of Germany.
[...]
§ 7 Termination
[...]
(2) DENIC is only permitted to terminate the contract on substantial grounds. These grounds include, in particular, any case in which:
[...]
d) the registration of the domain for the Domain Holder manifestly infringes the rights of others or is otherwise illegal, regardless of the specific use made of it; or
[...]
f) the data supplied to DENIC regarding the Domain Holder or the Administrative Contact is incorrect; or
[...]
The Terms and Conditions allow DENIC to terminate a domain name if its registration "manifestly infringes the rights of others or is otherwise illegal" (§ 7(2)d) or if "the data supplied to DENIC regarding the Domain Holder or the Administrative Contact is incorrect" (§ 7(2)f). These two provisions (especially the term "otherwise illegal", which is generic and hence gives DENIC wide scope for interpretation) appear quite solid. But a look at recent fraudulent registrations within ccTLD .de paints a different picture, e.g. ssl-pp-authentifizierungsverfahren.de, a phishing domain that was targeting PayPal.
Whois can be found here: http://pastebin.com/raw.php?i=UBHJNdtK
Checking the registrant's email address (firstname.lastname@example.org) reveals that its domain (dermails.net) has no MX record, so the registrant cannot receive any email. It actually gets worse: the domain name (dermails.net) is not even registered:
No match for "DERMAILS.NET".
>>> Last update of whois database: Wed, 22 Jul 2015 10:58:01 GMT <<<
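The two findings above (a contact domain with no MX, and a contact domain that does not exist at all) are both visible from a single DNS MX query: the first answers NOERROR with an empty answer section, the second answers NXDOMAIN, which is what the whois "No match" corresponds to in DNS. The following is an added example (not Spamhaus code or DENIC's) of that check. It contains a minimal DNS wire-format encoder and parser so the classification can be exercised offline against constructed responses; `query_mx()` sends the same packet to a real recursive resolver if one is supplied. The mail domain is the one named above; the response bytes and the MX host names are constructed for illustration, not captured traffic.

```python
import socket
import struct

QTYPE_MX = 15
RCODES = {0: 'NOERROR', 2: 'SERVFAIL', 3: 'NXDOMAIN', 5: 'REFUSED'}

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    out = b''.join(bytes([len(l)]) + l.encode('ascii')
                   for l in name.rstrip('.').split('.'))
    return out + b'\x00'

def build_query(name, qtype=QTYPE_MX, txid=0x1234):
    """12-byte header (RD set) followed by a single question."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack('!HH', qtype, 1)

def decode_name(data, offset):
    """Decode a name, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in-line)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # pointer: 11xxxxxx
            if end is None:
                end = offset + 2
            offset = struct.unpack('!H', data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode('ascii'))
        offset += length
    return '.'.join(labels), (end if end is not None else offset)

def parse_response(data):
    """Return (rcode_name, answers); answers is a list of (owner, qtype, rdata)
    and MX rdata is decoded to (preference, host)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', data[:12])
    rcode = RCODES.get(flags & 0x0F, 'RCODE%d' % (flags & 0x0F))
    offset = 12
    for _ in range(qd):                                # skip question section
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        qtype, _cls, _ttl, rdlen = struct.unpack('!HHIH', data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if qtype == QTYPE_MX:
            pref = struct.unpack('!H', rdata[:2])[0]
            host, _ = decode_name(data, offset + 2)    # host may be compressed
            rdata = (pref, host)
        answers.append((owner, qtype, rdata))
        offset += rdlen
    return rcode, answers

def classify_mail_domain(response):
    """Map an MX response to the two registrant-data findings described above."""
    rcode, answers = parse_response(response)
    if rcode == 'NXDOMAIN':
        return 'NXDOMAIN: mail domain does not exist (cf. whois "No match")'
    if rcode != 'NOERROR':
        return 'UNKNOWN: lookup failed with ' + rcode
    mx = sorted(a[2] for a in answers if a[1] == QTYPE_MX)
    if not mx:
        return 'NODATA: domain exists but has no MX; registrant cannot receive mail'
    return 'MX: ' + ', '.join(host for _pref, host in mx)

def build_response(query, rcode=0, mx_hosts=()):
    """Fixture generator (stands in for a resolver): a reply to `query` with
    the given rcode and MX set. Owner names point back at the question name so
    the parser's compression path is exercised."""
    txid = struct.unpack('!H', query[:2])[0]
    header = struct.pack('!HHHHHH', txid, 0x8180 | rcode, 1, len(mx_hosts), 0, 0)
    body = b''
    for pref, host in mx_hosts:
        rdata = struct.pack('!H', pref) + encode_name(host)
        body += b'\xC0\x0C' + struct.pack('!HHIH', QTYPE_MX, 1, 300, len(rdata)) + rdata
    return header + query[12:] + body                   # query[12:] = question

def query_mx(domain, resolver, timeout=3.0):
    """Live variant (network): same packet over UDP to a recursive resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain), (resolver, 53))
        return classify_mail_domain(sock.recv(4096))

# Constructed fixtures for the contact domain named above (not captured traffic).
QUERY = build_query('dermails.net')
UNREGISTERED = build_response(QUERY, rcode=3)                 # whois "No match"
NO_MX = build_response(QUERY)                                 # exists, no MX
WITH_MX = build_response(QUERY, mx_hosts=[(10, 'mx1.example.net'),
                                          (20, 'mx2.example.net')])

if __name__ == '__main__':
    for label, resp in (('unregistered', UNREGISTERED), ('no-mx', NO_MX), ('mx', WITH_MX)):
        print(label, '->', classify_mail_domain(resp))
```

The NODATA and NXDOMAIN cases are deliberately kept apart: a domain that exists without MX may still accept mail on its A record under the RFC 5321 fallback, whereas NXDOMAIN is unambiguous and, as the whois excerpt shows, also means the domain could be registered by anyone, including the reporter. A registry that wanted to honour § 7(2)f automatically could run exactly this query at registration time.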
The situation here appears pretty clear: DENIC is apparently doing no validation or verification (automated or otherwise) of the data provided by the registrant. This opens big doors for spammers, malware coders and botnet operators to abuse the German domain name space. Besides the fact that the registrant data are incorrect and hence violate DENIC's Terms and Conditions, the domain could also be dealt with under § 7(2)d ("or is otherwise illegal"), unless identity theft is legal in Germany (which we really doubt).
Besides the many fraudulent registrations that use simply incorrect registrant data, we also see a trend, especially in the ccTLD .de zone, of stealing someone else's identity: cybergangsters register malicious domain names by impersonating a real person. For example potenzmittelapotheke24.de (a pill domain that was recently being heavily spammed out by the Slenfbot botnet):
Whois can be found here: http://pastebin.com/raw.php?i=Ab5uncDd
A short search on Google reveals that the person that has registered this domain name is a painter in Schwerin (Germany): http://www.maler-schwerin.de/Wilfried+Wandschneider+Malermeister.html
We doubt that a painter is able to run such a large spam botnet operation and, especially, that he would use his real name for this purpose.
We wonder, and are concerned, as to how this innocent individual who is being victimized by the cybercriminal botnet drug-spamming operation would ever be able to remove his personal information from the domain registration. It does not seem that any report to DENIC would have any effect.
According to DENIC, victims whose identities have been abused by third parties to register domain names can request deletion of the domain names by filing a written statement with DENIC. However, this requires the victim (a) to be aware that his identity has been abused and (b) to be familiar enough with the domain registration system to address DENIC and explain the situation. In our experience, neither is the case for most domain names registered using stolen identities. Therefore, DENIC should also take action and look into potentially fraudulent domain registrations when notified by third parties and provided with appropriate evidence.
Nic.at and DENIC try to excuse their inaction on abuse reports with claims that they are not responsible for the content or use of a domain name. These claims seem to have the short-sighted and narrow goal of keeping responsibility away from themselves. Their procedures and regulations seem to be based on the idea of protecting the rights of domain owners and their freedom to publish content on their web sites without being shut down. While that is commendable in legitimate cases, the issue here is not legitimate domains. Cybercrime domains should not benefit from this kind of protection, as keeping them connected does immense damage to the Internet at large and benefits only the cybercrime gangs that registered them. It is clear that the procedures and regulations need to be modified to take into account the existence of purely malicious domains, identified by security researchers, and to stop the abuse quickly and effectively.
In fact, a registry can act against malicious domain names in several ways. The most important mechanism is having a strong registrar agreement / registrant agreement in place, an "Acceptable Use Policy." Many registries write their own registrar agreement and can therefore make it comprehensive, as long as it aligns with local legislation and ICANN policy. It should be noted that although neither Nic.at nor DENIC is directly governed by ICANN policy, both work with and are involved in ICANN and have funded ICANN's operations (see https://www.icann.org/resources/pages/cctlds/cctlds-en).
Other registries are bound to a registrar / registry agreement set up by the local regulator, for example under telecommunication statutes. For both cases, there are two very good examples of how abusive customers can be dealt with.
1. The registry for ccTLD .ru introduced new terms and conditions in 2011 to battle cybercrime. These allow registrars to suspend a malicious domain name upon receipt of a substantiated petition from an organization designated by the Coordinator as competent to determine violations on the Internet:
Ref.: http://cctld.ru/en/docs/rules.php

5.7. The Registrar may terminate the domain name delegation upon the receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet, should the petition contain information about the domain's information addressing system being used for:
1. receipt from third parties (users of the system) of confidential information by misleading these persons regarding its origin (authenticity) due to similarity of the domain names, design or content of the information (phishing);
2. unauthorized access to third parties' (users, visitors) information systems or for infecting these systems with malware or taking control of such software (botnet control);
[...]
2. The Swiss regulator BAKOM (Federal Office of Communications), which owns ccTLD .ch, goes down the same path. BAKOM recently updated its regulation, which now requires the registry to block malicious domain names upon receipt of a request from an organisation recognized by the regulator as competent to deal with cybercrime (translated from the German original):
Ref.: https://www.admin.ch/opc/de/classified-compilation/20141744/index.html#a15

Art. 15 Blocking of a domain name on suspicion of abuse
1 The registry operator must block a domain name technically and administratively if the following conditions are met:
a. there is a reasonable suspicion that the domain name is being used:
1. to obtain sensitive data by unlawful methods; or
2. to distribute malicious software.
b. a body recognized by BAKOM for combating cybercrime has requested the blocking.
If Switzerland and Russia are able to implement appropriate mechanisms in their regulations and/or registrar agreements to fight malicious domain names, it should not be too difficult for Austria and Germany to do the same. If Nic.at or DENIC are not willing, or not allowed, to implement appropriate mechanisms to deal with abuse of the scale we see, they should present the need for an urgent change to the appropriate regulatory bodies within their countries. In the end, both Nic.at and DENIC, like every other organisation, service provider and internet user, should accept their responsibility to make the internet a safer and more civilized place, and to protect the reputation of their own national ccTLD.
We hereby urge Nic.at and DENIC to finally take the appropriate actions to battle fraudulent and illicit domain name registrations within their domain name space (ccTLD) by:
Ongoing abuse problems at Nic.at and DENIC
Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.