Anti-botnet effort continues – takeover of Domain Silver, Inc .pl domains

Date of publication: 31/07/2013, CERT Polska

Today we publish an overview of domains registered through Domain Silver, Inc, a registrar operating in the .pl domain. The Registrar started operating in May 2012. Since then, the CERT Polska team has observed a large increase in the number of malicious domains registered in .pl and has received many complaints concerning domains registered through Domain Silver. Most of the malicious domains present in .pl were registered through Domain Silver. In May 2013, dozens of domains used for botnet C&C purposes were seized and sinkholed by NASK and CERT Polska. After further attempts to remedy the situation failed, NASK (the .pl ccTLD registry) decided to terminate its agreement with the Registrar. In the following sections of the document we explain what the malicious domains were used for (as of 9th July 2013), which botnets used them and why they posed a threat to the Internet community.

Most important findings:

    • Of all 641 registered domains (status as of 9th July 2013, plus previously sinkholed domains), only one active domain was benign: domainsilver.pl itself.
    • 404 domains were malicious, 179 of them used for C&C purposes.
    • The domains were used to control and distribute botnets such as Citadel, Dorkbot, ZeuS Ice IX, Andromeda, RunForestRun and ransomware.
    • We identified at least 16 instances of the above botnets.
    • 179 domains were used either to sell pharmaceuticals or to recruit money mules; they were advertised through spam campaigns run by botnets.


Currently all changes to the domains registered through Domain Silver, Inc are prohibited. Their registrar is set to vinask.

Full text of the report can be found here or under the “Reports” tab.