NordVPN Promotion

Home / Industry

Sinkholing May Not Spell the End for Malware Hosts and Botnets

Sinkholing has long been employed as an effective cybersecurity solution to curb the spread of dangerous malware. Remember the infamous WannaCry ransomware outbreak in 2019? Security teams put a stop to the threat through sinkholing.

More recently, Microsoft sinkholed the web properties associated with Strontium, a Russian threat actor group that has been targeting Ukrainian sites via various cyber attacks.

While the tactic undoubtedly works, some trends related to ongoing threats may remain unknown. We hope to change that with this analysis conducted by WhoisXML API threat researcher Dancho Danchev, which gives cybersecurity teams more insights into sinkholed domains. The know-how can clue them into more web properties that may need to be taken offline as well.

Our in-depth analysis revealed:

  • More than 13,000 malware and botnet hosts sinkholed recently
  • A huge majority of the sinkholed domains appeared to be created using domain generation algorithms (DGAs)
  • Most of the sinkholed domains used the .com top-level domain (TLD) extension
  • A majority of the sinkholed domains existed for at least five years prior to being taken down

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated the pertinent data and made it available to anyone interested. You may download Danchev’s report and related threat research materials here.

Analysis and Findings

We began our investigation by obtaining 24 email addresses that are known to have been used to sinkhole domains connected to ongoing malware and botnet operations.

Sinkholed Domains

Using these email addresses as reverse WHOIS search terms led to the discovery of 13,265 domains. Examples include:

  • lztorsixnikxicahclbrasqu[.]org
  • azslrhksyldb[.]org
  • bqkrtxgkmriwsiwcngtivpx[.]info
  • fkbpvfnbhfwedagussg[.]com
  • honeybot[.]us
  • quicklygood[.]gdn
  • gramblr[.]ca
  • empire-js[.]us
  • eitherplunge[.]gdn
  • ee0[.]us

The domain distribution per email address (which we partially redacted for privacy reasons) is shown below.

Several nonprofit organizations, big cybersecurity companies, and government agencies like the Shadowserver Foundation, the Federal Bureau of Investigation (FBI), Secureworks, Kaspersky, Check Point Software, and the Spamhaus Project appear to employ sinkholing based on the email addresses used.

A huge majority of the domains in our sample were sinkholed by what we could expect to be independent cybersecurity professionals.

Domains by Type

Looking more closely at the sinkholed domains, we discovered that a huge majority were DGA-created as they contained randomly chosen alphanumeric characters. The following chart shows their volume distribution.

Four types of domains were detected—DGA-created, composed of generic terms, brand-related domains, and those containing persons’ names. The table below shows examples of each type.

DGA-Created DomainsDomains Comprising Generic Term Combinations
lztorsixnikxicahclbrasqu[.]org
azslrhksyldb[.]org
bqkrtxgkmriwsiwcngtivpx[.]info
fkbpvfnbhfwedagussg[.]com
yjwcms[.]com
1ceh5qxzn05qmwgt0d9uch994[.]com
38213ebe88d4[.]com
2uye6myuyiua[.]com
34dar0py74ha[.]com
89erk1ijs9a7[.]com
quicklygood[.]gdn
eitherplunge[.]gdn
plungeannounce[.]gdn
monthsaturday[.]net
deviceinstead[.]net
beginthrown[.]net
key-curve-project[.]com
foot-cancel-profile[.]com
companyfinish[.]net
thelaboratorysp[.]com
Domains Containing Individuals’ NamesBrand-Related Domains
rosalynnecharnette[.]net
jacquettawinthrop[.]net
chantellenathaniel[.]net
hendersonmontgomery[.]net
thomasinasummerfield[.]net
grenvillehuddleston[.]net
rosalynnesackville[.]net
priscillawilfreda[.]net
zachariahsamuelson[.]net
magdalenagrenville[.]net
applequestion[.]netthearpamotorola[.]com
icloud-diagnostics[.]com
googleapiserver[.]net
sendtwitter[.]com
nokia-upgrade[.]com
gonfu-android[.]com
amaz0n-cloud[.]com
dellswdlb[.]com
winupdate[.]us

Given the mention of several brands, their device or service users may need to be wary of clicking suspicious links usually embedded in emails from unknown senders.

Domains by TLD

While it’s difficult to block all suspicious domains from servers, monitoring domains that fall under the four categories above can ease the process, especially if they sport the TLDs the threat actors used, such as .com, .net, and .xyz. All in all, the sinkholed domains were distributed across 27 TLDs.

Domains by Age

Finally, we looked at 5% of the total number of sinkholed domains and found that they were live for an average of 2,078 days or five years and eight months. The youngest domains were 495 days or one year and five months old. Examples include:

  • 00e43dd307d4[.]com
  • 02576d2be122[.]com
  • 07b77b06b3d4[.]com
  • 08763cfb0f47[.]com
  • 0f9f3cb6e5d4[.]com
  • 0fb4f4af4222[.]com
  • 1298b712ac47[.]com
  • 14870912fd47[.]com
  • 15989f77bf47[.]com
  • 17e617039847[.]com
  • 180a4b35d547[.]com

The oldest domain—2gambling[.]us—was 4,042 days or 11 years and one month old.

What Our Findings Mean for Cybersecurity Professionals

Given the results of our in-depth study, companies need to be wary of suspicious domains that fall under the four categories mentioned above, especially if they sport the TLDs the actors behind the ongoing campaigns seem to have a fondness for. Looking out for relatively old domains, given the average age of the sinkholed sites, may also ease the monitoring and blocking process.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

NordVPN Promotion