Last year, Cybercriminals were exceptionally busy registering domain names which were used to host a botnet command & control (C&C).  The team at Spamhaus, whose threat intelligence powers Deteque’s services, observed a large 52% increase compared to 2017! Here’s everything you need to know when it comes to the most abused top-level domains (TLDs) in 2018, along with a steer on how to protect yourself from a worrying trend concerning decentralized TLDs (dTLDs).

The importance of domain names

Cybercriminals prefer to use a domain name registered exclusively to host a botnet C&C.  A dedicated domain name allows them to fire up a new virtual private server (VPS), load the botnet C&C kit, and immediately be back in contact with their botnet after their (former) hosting provider shuts down their botnet C&C server. Not having to change the configuration of each infected computer (bot) on the botnet is a significant advantage.

Number of botnet C&C domain names registered in 2018

Last year, compared to 2017, Spamhaus Malware Labs saw a 100% increase in the number of the domain names registered and set up by cybercriminals for the sole purpose of hosting a botnet C&C:

2017: 50,000 domains

2018: 69,961 domains*

Top-level domains – a brief overview

Before we get into the detail of which top-level domains were abused the most by botnet C&Cs in 2018 let’s take a look at some of the different types of top-level domains:

  • Generic TLDs (gTLDs)– can be used by anyone
  • Country code TLDs (ccTLDs)– some have restricted use within a particular country or region; however, others are licensed for general use which provides the same functionality of gTLDs
  • Decentralized TLDs (dTLDs) –independent top-level domains that are not under the control of ICANN.

Most abused top-level domains in 2018

There were some interesting (and concerning) developments in this area, perhaps most notably was the rise of domain names registered to ‘.bit,’ a decentralized top-level domain (dTLD). Domain names with this type of TLD create additional issues when it comes to blocking malicious traffic and taking down these bad operators.

Top abused TLDs

List of most abused top-level domains in 2018 by botnet C&C traffic

Most abused top-level domains by botnet C&C traffic in 2018

Palau ‘.pw’ was the most abused TLD: The listings associated with ‘.pw’ rose by 56% in 2018, which was an additional 4,835 botnet C&Cs connected with this domain from the previous year.

Russia ‘.ru’ had a reduced number of domain registrations for botnet C&Cs:  We noted a small decrease from 1,370 domain listings in 2017 to 1,183 in 2018. This saw ‘.ru’ ccTLD move out of the top ten rankings, down to #17.

Historically cybercriminals heavily abused ‘.ru’ & ‘.su’ ccTLDs, however, over recent years their operator has implemented measures which are having positive effects in reducing the amount of abuse across these 2 TLDs.

‘.tk,’ ‘.ml,’ ‘.ga,’ ‘.gg’ and ‘.cf’ made their first appearances in the Top 20: Originally ccTLDS;  Freenom now operate them, and they are considered to be gTLDs. As the name implies ‘Freenom’ provide domain names for free.

Given this business model, it’s not surprising that there has been a massive increase in abusive activity associated with them: Cybercriminals realize that their nefarious actions are likely to lead to their domain name being shut down, therefore prefer to obtain them for free rather than pay for them.

dTLD ‘.bit’ had an upsurge in listings: This dTLD didn’t make it into the ‘Top 20’ however we observed 108 domain names hosting botnet C&Cs with the dTLD ‘.bit.’ dTLDs provide criminals with advantages over other TLDs and consequently pose additional threats to users; therefore we feel it is necessary to highlight them:

  • These domain names cannot be taken down or suspended when being used for malicious purposes, because there is no governing body associated with a dTLD.
  • Researching malicious activity becomes more challenging as domain name registrations within dTLDs are usually entirely anonymous, with registrant information not being required.
  • dTLDs bypass DNS Firewalls/Response Policy Zones (RPZ) that many ISPs and businesses use to protect their customers/users from cyber threats.

They by-pass DNS Firewalls because dTLD domains are not resolvable through common DNS.  Instead, they are resolved through nameservers that support ‘.bit,’ such as OpenNIC.

How can you protect against botnet C&C traffic on dTLD’s?

How Border Gateway Protocol Feeds protect your network

How Border Gateway Protocol Feeds protect your network

Border Gateway Protocol data feeds provide an added layer of protection.  These block connections to IPs involved in the most dangerous cybercrime and DDoS attacks via your edge router.

By taking just a few minutes to configure your edge router to peer with a Deteque BGP router and a null route, you can provide your network with up-to-date protection against botnets, alongside phishing and external attacks on your organization’s servers.

IT security has always required a multi-faceted approach, and with new threats continually coming to the fore, such as those posed by botnet C&C traffic registered to a dTLD, it is vital to continue to add layers of additional security.

 If you’d like to read the full Botnet Threat Report click here or fill in a contact form to get in touch with a member of our team who can discuss BGP feeds with you further.

*N.B. These numbers exclude hijacked domain names; domains owned by non-cybercriminals that were used without permission, and domains on ‘free sub-domain’ provider services.


Spamhaus is the engine that powers Deteque’s services with its carefully researched threat intelligence.  In 2018 the researchers at Spamhaus blocked over 10,000 botnet command & control (C&C).  That is the highest number on record.   But what was the malware associated with each botnet C&C?  Here’s your chance to find out, and discover an automated way to protect your network and users against these threats at the DNS level.

The malware that came and went in 2018

As always, the threats from malware were highly dynamic in 2018.  While some trends such as remote access tools (RATs) continued to gather momentum, additional ones started to rear their heads, such as CoinMiners.

Credential Stealers: As in 2017, credential stealers were still accounting for the most significant amount of botnet C&C traffic; however there were changes as to which were top of the leader board.

Loki malware associated with malware in 2018‘Pony’ held the #1 spot for two years, however in 2018 ‘Loki’ took pole position, having more than doubled the number of unique botnet C&Cs associated with it.

Remote Access Tools (RATs): This type of malware saw a significant increase in 2018, in particular, a Java-based RAT, called JBifrost (aka Adwind).JBifrost malware associated with botnet C&C in 2018

Back in 2017, we reported that JBifrost was starting to flood the botnet landscape, however, in 2018 we witnessed an explosion in the number of unique botnet C&C listings associated with it. The sheer volume of these listings has placed JBifrost at #2 on our leader board.

ebanking Trojans associated with botnet C&C in 2018Ransomware & e-banking Trojans: Botnet C&Cs associated with both types of malware dropped significantly in 2018.

CoinMiners: Making their first appearance in the Top 20 list last year were CoinMiners. These are malicious pieces of software that silently mine cryptocurrencies, such as Bitcoin and Monero, without the consent or approval of the user. In 2018, we identified 83 botnet C&Cs associated with CoinMiners.

Mining pools: In addition to CoinMiner botnet C&C listings, in 2018 we also issued 156 SBL listings for 111 cryptocurrency mining pools that were used by the CoinMiners. Some of these cryptocurrency mining pools appeared to be rogue; however, the majority were legitimate pools that were being abused by CoinMiners.

The Spamhaus Project has tried to approach the responsible hosting providers, asking them to have the offending user(s) of the mining pool suspended, to stop the fraudulent activity. Unfortunately, this was not always possible because some cryptocurrencies, such as Monero, are entirely anonymous, unlike Bitcoin. 

An extra layer of security against malware

Charts showing Malware blocked by DNS Firewall in 2018The increased threat from CoinMiners is apparent when you view the statistics from users of Deteque’s DNS Firewall Threat Feeds.   These threat feeds are consumed at the DNS level, allowing security teams to automatically block users (blocks/redirects), and IoT devices’ from accessing bad sites.

In April 2018 only 21% of blocks/redirects were for CoinMiner/Cryptoblocker traffic, whereas at the end of last year, in December 2018, CoinMiner redirects accounted for 66% of all blocked/redirected traffic.

It is evident that the botnet C&C landscape underwent some significant changes in 2018.  With ‘lean teams’ and ‘lean budgets’ security professionals are caught between a rock and a hard place in attempting to keep on top of the ever-changing threats.  Therefore, it’s crucial to identify solutions that are quick to install, ‘set & forget,’ and leverage the best threat intelligence in the industry.  In doing so, security & IT teams are enabled to focus on other urgent matters, confident in the knowledge that teams of professional security researchers and investigators are identifying the threats on their behalf.

Download the full Botnet Threat Report

We have observed a significant increase in the amount of botnet activity across the past few months.  Watch the video below to find out what’s driving this.

Cyber attacks across the healthcare sector are rampant and show no signs of abating. Security and network teams within this industry have the odds stacked against them; proving that it’s crucial to build a multi-faceted security strategy that is smart, both in regards to spend and resources.

Healthcare under attack

When it comes to cyber attacks healthcare is the highest targeted sector.  In 2017 there were over 300 breaches.  That is over 29 times the number of breaches reported across the hospitality industry.

There are many reasons why healthcare is such an attractive target to cybercriminals, including:

    1. table showing healthcare had 328 breaches in 2017

      Data published by in ‘Top Industries Affected by Data Leaks in 2017’

      Patient data is valuable data – the information contained in a patient’s files include personally identifiable information (PII) including names, date of births and social security numbers, as well as a whole host of additional information that has a high value on the dark web.

    2. Open to extortion – where data has a high worth the incentive for extortion increases.
    3. An increasing attack surface – the ever-expanding areas healthcare networks have to support is only going to increase. From internet based consulting to remote workers and patients requiring online access to records, not to mention the proliferation of the Internet of Medical Things (IoMT), the attack surface of the healthcare sector is growing exponentially.
    4. Vulnerable infrastructure – historically there has been a lack of investment in cybersecurity within this industry, both concerning human resources and infrastructure investment. Historically, expenditure has averaged 50% compared to that of other sectors. ‘Lean’ teams coupled with a rapidly changing cyber threat landscape significantly increases an organization’s vulnerability to threats.

The consequences of a cyber attack

When a provider within healthcare is subject to an IT security breach the ramifications go far beyond the initial internal IT ‘mop-up’:

The potential risk to life – on multiple levels there is a risk to human life, from operations having to be canceled to no access to medical records for emergency treatment, not forgetting the number of IoMT devices which can be compromised. Take a glance at the numerous articles on the web concerning a pacemaker’s vulnerability to hacking, and you’ll soon understand the risk IoMT devices can present.

Brand & reputation – once a data breach becomes public the media feeding frenzy commences.  One only has to look to the National Health Service in the UK in 2017 which was effectively brought to a standstill by the WannaCry ransomware. The media coverage was global and prolonged.

In countries where an individual can choose their healthcare provider it’s hardly likely they will trust an organization with their life if that organization can’t be trusted with their personal data.

Financial – loss of productivity, cost of remediation, missing pay for performance deadlines and heavy financial fines from governing bodies and authorities such as HIPAA, not to mention penalties under GDPR, all contribute to weighty post-breach costs.

The costs of Healthcare data breaches far exceed other industries. Following a security breach, The University of Washington Medicine incurred a $750,000 HIPAA fine.  In Ponemon’s 2017 Data Breach report it was estimated that a data breach in the Healthcare industry costs an organization $380 per record, in comparison to a global average of $141!  For the NHS in the UK, the cost of the fall-out from WannaCry has nearly reached £100m.

Continually changing threats

Taking all the above into consideration, it is clear that security teams within the Healthcare sector have to be smart with their IT security spending.  With reduced resources and funds it’s almost impossible to keep abreast of the latest security threats.

Ransomware attacks declined by 32% in Q1 2018 from Q4 2017, while coin mining (cryptojacking/cryptomining) increased by 1,189%.  With such a quickly shifting threat landscape maintaining expertise across all areas is challenging for even large teams, let alone smaller ones.

Healthcare security teams have to look to solutions that automatically mitigate risk, protecting patient data and devices while freeing up precious manpower resources to focus on other issues, without a hefty price tag.

Going to HIMSS 2019?  Connect with the Deteque team on booth 400-36 and see how you can increase your network security for less.

Join the Deteque team at DNS-OARC 39th CENTR Technical Workshop, in Amsterdam, on 13-14 October 2018.

DNS-OARC logoFocused on DNS operations and research, the DNS-OARC event provides attendees with the opportunity to get a deeper understanding of the security and stability of the internet’s DNS infrastructure.

Connect with us to discuss how you can increase the security of your DNS infrastructure, through DNS Firewall Threat Feeds and Passive DNS.
Register here.

We look forward to connecting with attendees of ISF’s 29th Annual World Congress, in Las Vegas, on  27-30 October 2018.

Information Security logo Information Security Forum’s flagship event provides an opportunity for those attending to discuss and find solutions to current security challenges.  Leaning on both the expertise of security industry specialists from around the world and the experience of peers, there is a wealth of information available from best practices to the latest thought leadership.

Deteque’s resellers Security Zones will be on-hand to listen to the security challenges you are facing, and provide you with insights into how you can automatically prevent bad domain connections at a DNS level, alongside demonstrating a simple to use Passive DNS tool that provides a wealth of information for IT security teams, research teams and brand protection specialists. 

Register for ISF’s 29th Annual World Congress here.

We have now launched the production version of our improved Passive DNS Tool, so we are no longer looking for Beta Testers.  However, please click on the link below to get access for free.

Passive DNS Free Plan

Whether you are a security professional wanting to uncover patterns of malicious activity from networks across the world, or a brand protection specialist wanting to expose the deceptive use of specific domains, utilising Passive DNS data should be part of your toolset.

Digital globe with connections merged with screen with code and text "Passive DNS - Exclusive beta testing opportunity"

Passive DNS – exclusive beta testing opportunity

Passive DNS provides a wealth of valuable information to digital security professionals, enabling the user to review relationships that have both historically and currently exist between online properties e.g. domain names and internet protocol (IP) addresses, across the globe.  Discover more about Passive DNS here.

We are delighted to offer this the opportunity* to become one of the first  to use and provide feedback on our improved and simplified Passive DNS tool. 

Who can apply?

What do we offer?

  • Access to the web portal and API
  • Start-up documentation and a helping hand
  • Advice regarding how to use the tool for incident investigation and brand spoofing investigation

What do we require from you?

  • Must be available to engage in active testing.
  • Provide feedback via a phone call.

Please note that numbers are limited so please apply as soon as possible.

Good-luck and thank you!


*Sadly we can only accept those who meet the outlined requirements onto the beta testing program.

Brian Krebs investigates the Bitcanal “Hijack Factory” story which hit the news this week. Through continually hijacking Border Gateway Protocol (BGP) routes, Bitcanal leased swathes of IP addresses to spammers. Since 2014 Bitcanal has appeared in 103 SBL listings researched by Spamhaus. Read Brian’s article here .

This week sees Spamhaus featurning in the news in Doug Madory’s article focusing on Bitcanal; Shutting Down the BGP Hijack Factory.

The piece focuses on Bitcanal, who has been listed on various block lists of Spamhaus’s for over 3 years.  Doug Madory, Director of Internet Analysis at Oracle Dyn, shines the spotlight on Bitcanal, and focuses on the lessons Internet Exchange Points (IXPs) need to learn from this episode.

Spamhaus has published 103 SBL listings related to Bitcanal, going as far back as December 2014.  There have been inclusions on both their IPv6 Drop list, and ASN Droplist.






Enterprise business and technology service providers in the Japanese and Asia Pacific region now have global cyber threat intelligence on their doorstep. Thanks to a new partnership between Tokyo-based PIPELINE Security and Deteque, DNS threat protection, including DNS firewall data feeds, has never been easier to access.

logo of Pipeline Security

pipeline security delivers DNS protection to APAC

PIPELINE Security brings local delivery and support to the Japanese market. Their understanding of cyber security, combined with local knowledge is illustrated in their drive for precision and excellence.

Deteque provides network security intelligence, including DNS firewall data feeds, leveraging expertly researched threat intelligence from The Spamhaus Project.  The Project is a trusted third party currently protecting three billion user mailboxes and blocking the vast majority of spam and malware sent on the Internet.

Spamhaus and PIPELINE are positioned to help Internet Service Providers (ISPs), Email Service Providers (ESPs) and enterprises defend themselves from spam, malware, botnets and other online threats.

Simon Forster, CEO of Spamhaus Technology commented: “The move is designed to strengthen the Asia Pacific region against cyber attacks and broaden Deteque’s presence in Asian markets. With Pipeline Security we have an excellent partner to bring to new customers the threat intelligence that has been protecting our users for the past 20 years.”

Allan Watanabe, Managing Director of PIPELINE Security commented: “Cyber attacks are rapidly evolving and businesses are struggling to stay ahead of the cyber criminals. It is critical for businesses to utilize a threat intelligence strategy to transition from a reactive security to proactive security model. We are looking forward to providing Deteque’s real time threat intelligence to help secure our customers in Asia Pacific and Japan.