Sinkholing has long been an effective way to curb the spread of dangerous malware. Remember the infamous WannaCry ransomware outbreak of May 2017? Its spread was halted when a security researcher registered the kill-switch domain the malware queried before encrypting files, in effect sinkholing it.
More recently, in April 2022, Microsoft took control of domains used by Strontium (also tracked as APT28 or Fancy Bear), a Russian threat actor group that has been targeting Ukrainian institutions with a range of cyber attacks.
While the tactic undoubtedly works, sinkholed infrastructure is rarely studied as a dataset in its own right, so trends in the threats behind it can go unnoticed. We hope to change that with this analysis conducted by WhoisXML API threat researcher Dancho Danchev, which gives cybersecurity teams more insight into sinkholed domains. The know-how can also point them to related web properties that may need to be taken offline.
Our in-depth analysis, detailed below, covered who operates the sinkholes, the naming patterns of the sinkholed domains, their TLD distribution, and their age.
As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated the pertinent data and made it available to anyone interested. You may download Danchev’s report and related threat research materials here.
We began our investigation by obtaining 24 email addresses known to appear in the WHOIS records of domains sinkholed during ongoing malware and botnet operations.
Using these email addresses as reverse WHOIS search terms led to the discovery of 13,265 domains. Examples include:
The domain distribution per email address (which we partially redacted for privacy reasons) is shown below.
Judging from the email addresses used, several nonprofit organizations (the Shadowserver Foundation and the Spamhaus Project), large cybersecurity companies (Secureworks, Kaspersky, and Check Point Software), and government agencies (the Federal Bureau of Investigation (FBI)) employ sinkholing.
The large majority of the domains in our sample, however, were sinkholed by what appear to be independent cybersecurity professionals.
Looking more closely at the sinkholed domains, we found that the large majority appear to be DGA-generated, judging from their random-looking alphanumeric labels. Label randomness is a heuristic rather than proof of a DGA, so the counts should be read as estimates. The following chart shows their volume distribution.
Four types of domains were detected—DGA-created, composed of generic terms, brand-related domains, and those containing persons’ names. The table below shows examples of each type.
| DGA-Created Domains | Domains Comprising Generic Term Combinations | Domains Containing Individuals’ Names | Brand-Related Domains |
|---|---|---|---|
| lztorsixnikxicahclbrasqu[.]org | quicklygood[.]gdn | rosalynnecharnette[.]net | applequestion[.]net |
| azslrhksyldb[.]org | eitherplunge[.]gdn | jacquettawinthrop[.]net | thearpamotorola[.]com |
| bqkrtxgkmriwsiwcngtivpx[.]info | plungeannounce[.]gdn | chantellenathaniel[.]net | icloud-diagnostics[.]com |
| fkbpvfnbhfwedagussg[.]com | monthsaturday[.]net | hendersonmontgomery[.]net | googleapiserver[.]net |
| yjwcms[.]com | deviceinstead[.]net | thomasinasummerfield[.]net | sendtwitter[.]com |
| 1ceh5qxzn05qmwgt0d9uch994[.]com | beginthrown[.]net | grenvillehuddleston[.]net | nokia-upgrade[.]com |
| 38213ebe88d4[.]com | key-curve-project[.]com | rosalynnesackville[.]net | gonfu-android[.]com |
| 2uye6myuyiua[.]com | foot-cancel-profile[.]com | priscillawilfreda[.]net | amaz0n-cloud[.]com |
| 34dar0py74ha[.]com | companyfinish[.]net | zachariahsamuelson[.]net | dellswdlb[.]com |
| 89erk1ijs9a7[.]com | thelaboratorysp[.]com | magdalenagrenville[.]net | winupdate[.]us |
Several of the brand-related domains imitate a vendor service (icloud-diagnostics, nokia-upgrade, winupdate) or typosquat a brand name (amaz0n-cloud), the pattern behind phishing and fake-update lures. Users of those brands' devices and services should be wary of clicking such links, especially when they arrive in email from unknown senders.
Blocking every suspicious domain at the network edge is impractical, but watching for domains that match the four naming patterns above narrows the field, particularly under the TLDs the threat actors favored, such as .com, .net, and .xyz. All in all, the sinkholed domains were spread across 27 TLDs.
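To make the four-way split above reproducible, here is an added example (not code from the WhoisXML API report) that classifies the defanged sample domains from the table using the heuristics the text alludes to: brand terms (after undoing digit-for-letter substitutions such as amaz0n), dictionary segmentation for generic-word and personal-name labels, and randomness signals (digits mixed with letters, long consonant runs, high entropy) for DGA candidates. The word lists, brand terms, and thresholds are constructed assumptions sized to this sample; a real deployment would load a full dictionary, a name list, a curated brand and lure-term list, and a public-suffix list for multi-label TLDs such as co.uk.

```python
"""Heuristic classifier for the four naming patterns seen among sinkholed domains.
Added example; word lists, brand terms and thresholds are constructed assumptions."""
import math
from collections import Counter

# Constructed sample: the defanged domains from the table above.
SAMPLE = [
    "lztorsixnikxicahclbrasqu[.]org", "azslrhksyldb[.]org", "bqkrtxgkmriwsiwcngtivpx[.]info",
    "fkbpvfnbhfwedagussg[.]com", "yjwcms[.]com", "1ceh5qxzn05qmwgt0d9uch994[.]com",
    "38213ebe88d4[.]com", "2uye6myuyiua[.]com", "34dar0py74ha[.]com", "89erk1ijs9a7[.]com",
    "quicklygood[.]gdn", "eitherplunge[.]gdn", "plungeannounce[.]gdn", "monthsaturday[.]net",
    "deviceinstead[.]net", "beginthrown[.]net", "key-curve-project[.]com",
    "foot-cancel-profile[.]com", "companyfinish[.]net", "thelaboratorysp[.]com",
    "rosalynnecharnette[.]net", "jacquettawinthrop[.]net", "chantellenathaniel[.]net",
    "hendersonmontgomery[.]net", "thomasinasummerfield[.]net", "grenvillehuddleston[.]net",
    "rosalynnesackville[.]net", "priscillawilfreda[.]net", "zachariahsamuelson[.]net",
    "magdalenagrenville[.]net", "applequestion[.]net", "thearpamotorola[.]com",
    "icloud-diagnostics[.]com", "googleapiserver[.]net", "sendtwitter[.]com",
    "nokia-upgrade[.]com", "gonfu-android[.]com", "amaz0n-cloud[.]com", "dellswdlb[.]com",
    "winupdate[.]us",
]

# Hypothetical, deliberately small word lists (assumption: real use loads full lists).
GENERIC_WORDS = {"quickly", "good", "either", "plunge", "announce", "month", "saturday",
                 "device", "instead", "begin", "thrown", "key", "curve", "project", "foot",
                 "cancel", "profile", "company", "finish", "the", "laboratory"}
NAME_WORDS = {"rosalynne", "charnette", "jacquetta", "winthrop", "chantelle", "nathaniel",
              "henderson", "montgomery", "thomasina", "summerfield", "grenville",
              "huddleston", "sackville", "priscilla", "wilfreda", "zachariah", "samuelson",
              "magdalena"}
BRAND_TERMS = ("apple", "motorola", "icloud", "google", "twitter", "nokia", "android",
               "amazon", "dell", "winupdate")  # curated brand / lure terms (assumption)
DICTIONARY = GENERIC_WORDS | NAME_WORDS
MAX_WORD = max(len(w) for w in DICTIONARY)
HOMOGLYPHS = str.maketrans("0135", "oles")  # typosquat substitutions: amaz0n -> amazon
VOWELS = set("aeiou")


def refang(domain):
    return domain.replace("[.]", ".").lower()


def sld_label(domain):
    """Second-level label, e.g. 'amaz0n-cloud' from 'amaz0n-cloud.com' (no PSL handling)."""
    return refang(domain).split(".")[-2]


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def longest_consonant_run(s):
    """Longest run of letters that are not a/e/i/o/u; digits and hyphens break the run."""
    best = run = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def segment(label):
    """DP word segmentation: maximise characters covered by dictionary words of
    length >= 3, then prefer fewer words. Returns (covered_chars, words)."""
    best = [(0, 0, [])]  # per prefix length: (covered, -word_count, words)
    for i in range(1, len(label) + 1):
        cand = best[i - 1]  # leave character i-1 uncovered
        for j in range(max(0, i - MAX_WORD), i - 2):
            w = label[j:i]
            if w in DICTIONARY:
                cov, negc, ws = best[j]
                c = (cov + len(w), negc - 1, ws + [w])
                if c[:2] > cand[:2]:
                    cand = c
        best.append(cand)
    return best[-1][0], best[-1][2]


def looks_random(s):
    mixed = any(c.isdigit() for c in s) and any(c.isalpha() for c in s)
    return mixed or longest_consonant_run(s) >= 4 or shannon_entropy(s) >= 3.5


def classify(domain):
    """Return one of: brand, name, generic, dga, unclassified."""
    label = sld_label(domain)
    compact = label.replace("-", "")
    if any(b in compact.translate(HOMOGLYPHS) for b in BRAND_TERMS):
        return "brand"  # brand match wins even when the rest is dictionary words
    covered, words = 0, []
    for part in filter(None, label.split("-")):
        cov, ws = segment(part)
        covered += cov
        words += ws
    if covered / len(compact) >= 0.8:
        return "name" if any(w in NAME_WORDS for w in words) else "generic"
    if looks_random(compact):
        return "dga"
    return "unclassified"


def summarize(domains):
    return dict(Counter(classify(d) for d in domains))


if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{classify(d):12s} {d}")
    print(summarize(SAMPLE))
```

Run against the 40 sample domains, the classifier reproduces the table's split of ten per category. The order of checks matters: brand terms are tested first because lures such as applequestion[.]net also segment cleanly into dictionary words, and the DGA test runs last so that a random-looking label is only flagged once dictionary coverage has failed.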
Finally, we looked at the age of a 5% sample of the sinkholed domains and found an average of 2,078 days, or about five years and eight months. The youngest domains were 495 days, or about one year and four months, old. Examples include:
The oldest domain—2gambling[.]us—was 4,042 days or 11 years and one month old.
Given the results of our in-depth study, companies should watch for suspicious domains that fall under the four categories above, especially under the TLDs the actors behind the ongoing campaigns seem to favor. Domain age can be a further filter given the average age of the sinkholed sites, bearing in mind that a sinkholed domain's age also includes the time it has been held by the sinkhole operator, so age alone is a weak signal.
If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.