Strategic Security Survey: Global Threat, Local Pain
The impetus for the move appears to be a tightening of domain registration rules by Chinese authorities, in particular China's domain regulator, China Internet Network Information Center. But while authorities in Russia have also tightened their anti-spam domain name registration rules, "the Russian domain registrars have not seen much of an effect on the volume of spam domain registrations," according to research from M86 Security.
The two domain name registrars in question are Naunet, through which M86 Security said that 4,000 new spam-related domains were registered in the last month, relating to such campaigns as Eurosoft Software, Online Casinos, and Ultimate Replica. Meanwhile, Russian registrar Reg.ru saw 1,800 new domains registered through its service, all of which lead to pharmacy websites based in Canada. "Reg.ru offers an interesting feature to customers which allows customers to register up to 600 domains at one time -- a perfect boon for spammers," said M86 Security.
Unfortunately, these domains don't just serve spam emails, since at any given time, approximately 3% of spam comes with malware attached, according to research from Symantec.
These domain names are no exception, said M86 Security. "In addition to being tied to spam campaigns, domains registered through these registrars have been used as botnet controllers for the Zeus crimeware kit." Zeus is a financial-malware kit: an automated toolset for generating attacks and running botnets, typically with the aim of stealing victims' banking and other financial details, and thus their money.
M86 Security said that spam domains registered with Naunet have also been seen serving "as control servers for the Asprox botnet," which targets websites that use Microsoft Active Server Pages (ASP).
Unfortunately, even when security researchers trace these botnets back to specific spam domains in Russia, it can be difficult to push them offline, short of coordinated takedowns by security researchers. "These registrars are notorious for ignoring abuse notification requests to suspend these illegal domains," said M86 Security.