During the past few years the Top Level Domain (TLD) .ru has been heavily abused by cybercriminals. According to ZeuS Tracker, TLD .ru was one of the most abused Top Level Domains that were used by criminals to run ZeuS botnet controllers.
The Top Level Domain .ru is managed by the Coordination Center for TLD RU (cctld.ru). CCTLD.ru finally did their job well and addressed the reputation problem TLD.ru had by setting up new terms and conditions for domain name registration of .ru domains which came into force on November 11 2011.
One of the most interesting parts of the new terms and conditions is the following passage:
- receipt from third parties (users of the system) of confidential information by misleading these persons regarding its origin (authenticity) due to similarity of the domain names, design or content of the information (phishing);
- unauthorized access to third parties’(users, visitors) information systems or for infecting these systems with malware or taking control of such software (botnet control);
In fact this means that a registrar can terminate a domain name when it is being used for phising attacks or when it is being used to control a botnet. However, there is one part which seems to be not well defined:
I’m asking myself what the definition of “organization indicated by the Coordinator as a competent one to determine violations in the Internet” might be. As we all know there are many security vendors and non-profit organisations out there which do a great job in tracking down malicious and fraudulent content. Will registrars accept takedown requests received from such parties? I don’t know…
However, what I can say so far is that the number of fraudulent .ru domains used by ZeuS botnet herders decreased in the beginning of 2012. I can also see that malicious .ru domains which are being added to ZeuS Tracker have a much shorter life span. While malicious .ru domains used to stay active for several weeks or months in the past, they are now getting nuked much faster (mostly within 4-24hrs). That’s great news for the internet community!
Unfortunately we all know that there is a never ending cat and mouse game between the security industry / infosec community and cybercriminals. Criminals have already noticed that their domains are getting shut down much faster. So they started to look for another TLD to use for their dirty business and found a TLD that nearly has been forgotten: the TLD .su.
For those of you who don’t know: .su is (or should I say was) the Top Level Domain for the Soviet Union, which we all know doesn’t exist any more. Nevertheless, TLD .su (which is operated by RIPN) is still active today which means that people can still register domain names with that TLD. As of today I’m seeing an increasing number of malicious .su domains being used by botnet herders. In fact this means that the criminals seem to be switching from .ru to .su.
Since the Soviet Union isn’t any more and I see legit .su domains pretty rarely, I think it’s a good idea to block .su on the network edge (web proxies / content filtering systems). If you are operating a gateway in your company / network you should take the time and have a look at your logs. If you don’t see any legit .su domains being hit/used in your company just simply block it.
Follow me on Twitter: