
Malicious domain name service infrastructure rebounds to near-record levels

Infoblox calls for the US, Germany and other sources of malicious domain name service (DNS) infrastructure to improve processes for removing the threat

The creation of malicious domain name service (DNS) infrastructure surged in the last quarter of 2015, returning to near-record levels, a study shows.

Just over 90% of new malicious domains in the same period were hosted in either the US or Germany, according to the DNS Threat Index compiled by network control firm Infoblox.

After dipping slightly in the third quarter of 2015, the Infoblox DNS Threat Index increased in the fourth quarter to 128 – near the record high of 133 established in the second quarter of 2015.

This is a rise of 49% compared with the same period in 2014, and an increase of 5% from the previous quarter.

This means the number of malicious domains is increasing from quarter to quarter and year to year, said the DNS Threat Index report.

The results also show a change from the past when the “planting” of malicious infrastructure was followed by several quarters of relative quiet as cyber criminals used that infrastructure to harvest data and harm victims.

The results showed the threat index for all of 2015 was well above its historical average, meaning that organisations of all sizes and types continue to face unrelenting attacks.

“Our findings may indicate we’re entering a new phase of sustained and simultaneous planting [of malicious infrastructure] and harvesting [of data],” said Rod Rasmussen, vice-president of cyber security at Infoblox.

“As we see this escalation of efforts by cyber criminals, it is essential we go after the infrastructure that cyber criminals are using to host these domains. So, for the first time, we are using the index to highlight the countries with the most hosting locations for bad domains,” he said.


US top destination for malicious DNS

Infoblox tracks the creation of malicious DNS infrastructure through the registration of new domains and the hijacking of previously legitimate domains or hosts.

The baseline for the index is 100, which is the average for creation of DNS-based threat infrastructure during the eight quarters of 2013 and 2014.

DNS is the address book of the internet, translating human-readable domain names into the machine-readable internet protocol (IP) addresses that computers use to reach each other.

Because DNS is required for almost all internet connections, cyber criminals are constantly creating new domains and subdomains to unleash a variety of threats, including exploit kits, phishing and distributed denial of service (DDoS) attacks.


Infoblox found that the clear country of choice for hosting and launching attacks using malicious DNS infrastructure in the fourth quarter of 2015 was the US, which accounted for 72% of newly observed malicious domains.

Germany accounted for 20% and was the only other country to account for more than 2% of the observed malicious sites.

Those countries accounting for more than 1% were Turkey (1.8%), Ireland (1.79%), Switzerland (1.27%) and the UK (1.14%).

While much cyber crime originates from hotspots in Eastern Europe, Southeast Asia and Africa, this analysis shows the underlying infrastructure used to launch the attacks themselves sits elsewhere – in the backyard of the world’s top economies.

Infoblox calls for quick take-down

It is important to note, the report said, that the geographical information is not an indication of “where the bad guys are”, because exploit kits and other malware can be developed in one country, sold in another and used in a third to launch attacks through systems hosted in a fourth.

But the geographical location of malicious infrastructure does suggest which countries tend to have either lax regulations or policing, or both, the report said.

The report also said that location does not equal protection: a domain hosted in the US or Germany is no safer for it, and criminals exploit the rich technology and service infrastructure in these countries just as any legitimate business would. It noted that hardening that infrastructure against such abuse would be difficult without sacrificing much of the speed and responsiveness that makes it attractive to business.

“It would be a silver lining if US hosting providers were quick to take down malicious content at dangerous domains once they’re identified, but they are not,” said Lars Harvey, vice-president of security strategy at Infoblox.

“The fact of the matter is that many hosting providers can be slow to respond, allowing exploits to propagate for considerably longer than they should. This should be a key area of focus for improvement,” he said.

Exploit kits are a particularly alarming category of malware because they represent the automation of cyber crime. A small number of highly skilled hackers can create the kits – packages for delivering a malware payload – and then sell or rent these toolkits to ordinary criminals with little technical experience.

This can vastly increase the ranks of malicious attackers capable of going after individuals, businesses, schools and government agencies.

Reappearance of old threats

While Angler continues to lead DNS exploit kit activity, RIG – an older kit – surged into second place. Infoblox analysis of RIG activity in 2015 showed that it began using domain shadowing techniques similar to those pioneered by Angler to defeat reputation-based blocking strategies.

Domain shadowing is the technique of using stolen domain-registration logins to create subdomains under a legitimate, established domain; the subdomains inherit the parent's good reputation, which is why they slip past reputation-based blocking.
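One defender-side way to spot the pattern just described is to watch passive-DNS data for established apex domains that suddenly sprout many never-before-seen subdomains with generated-looking labels, resolving to IPs the domain has never used. The following is an added illustration written for this article, not Infoblox's own tooling or anything from its report. It assumes a passive-DNS feed of (fqdn, first-seen date, resolved IP) records, all constructed below; the apex-domain extraction (last two labels) and the label-entropy threshold are deliberate simplifications of what production code would do.

```python
"""Flag possible domain shadowing in a constructed passive-DNS feed.

Heuristic: an apex domain that has been observed for over a year and that,
within a short window, gains several new subdomains whose labels look
generated or whose IPs the domain never used before. A reputation system
that scores only the apex would rate all of these as benign.
"""
from collections import defaultdict
from datetime import date, timedelta
import math

# Constructed sample records: (fqdn, first_seen ISO date, resolved IP).
# Documentation-reserved IP ranges are used; nothing here is a real host.
SAMPLE_FEED = [
    ("example-shop.test", "2012-03-01", "198.51.100.10"),
    ("www.example-shop.test", "2012-03-01", "198.51.100.10"),
    ("mail.example-shop.test", "2013-06-10", "198.51.100.11"),
    ("x7k2q9d.example-shop.test", "2015-11-02", "203.0.113.41"),
    ("p0wq8zt.example-shop.test", "2015-11-02", "203.0.113.42"),
    ("m3v9kc1.example-shop.test", "2015-11-03", "203.0.113.43"),
    ("b8rt5lx.example-shop.test", "2015-11-03", "203.0.113.44"),
    ("zq4n7ya.example-shop.test", "2015-11-04", "203.0.113.45"),
    ("example-blog.test", "2011-01-15", "198.51.100.20"),
    ("www.example-blog.test", "2011-01-15", "198.51.100.20"),
    ("shop.example-blog.test", "2015-11-03", "198.51.100.20"),  # legitimate new host
]


def registrable(fqdn):
    """Approximate the registrable (apex) domain as the last two labels.

    Simplification for this example: real code should consult the public
    suffix list so that names such as example.co.uk are handled correctly.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, min_len=6, min_entropy=2.5):
    """Generated-looking label: long enough and with high character entropy.

    Thresholds are assumptions for the sample data; tune them on real traffic.
    """
    return len(label) >= min_len and label_entropy(label) >= min_entropy


def find_shadowed(feed, as_of, window_days=7, min_new=3, apex_age_days=365):
    """Return {apex: [suspicious new fqdns]} for apexes that look shadowed."""
    as_of = date.fromisoformat(as_of)
    window_start = as_of - timedelta(days=window_days)

    by_apex = defaultdict(list)
    for fqdn, first_seen, ip in feed:
        fqdn = fqdn.lower()
        by_apex[registrable(fqdn)].append((fqdn, date.fromisoformat(first_seen), ip))

    findings = {}
    for apex, records in by_apex.items():
        # Only a long-established apex can be "shadowed"; a brand-new
        # registration is a different (and simpler) signal.
        if min(seen for _, seen, _ in records) > as_of - timedelta(days=apex_age_days):
            continue
        # IPs this domain was already using before the window opened.
        known_ips = {ip for _, seen, ip in records if seen < window_start}
        suspicious = []
        for fqdn, seen, ip in records:
            if seen < window_start or fqdn == apex:
                continue
            host_labels = fqdn[: -(len(apex) + 1)].split(".")
            if any(looks_random(l) for l in host_labels) or ip not in known_ips:
                suspicious.append(fqdn)
        if len(suspicious) >= min_new:
            findings[apex] = sorted(suspicious)
    return findings


if __name__ == "__main__":
    for apex, hosts in find_shadowed(SAMPLE_FEED, "2015-11-05").items():
        print(f"{apex}: {len(hosts)} suspicious new subdomains")
        for h in hosts:
            print("   ", h)
```

In the sample, example-shop.test is flagged (five generated-looking subdomains on fresh IPs within a week), while example-blog.test's single new `shop` host on an address it already used is left alone. The age check matters: the same burst under a domain registered yesterday is ordinary malicious registration, which is what reputation systems already catch, so it is scored separately.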

Infoblox said that indicates that, as exploit kits are updated in future, there may be a reappearance of past threats in a new guise or location.

The report said Infoblox was highlighting the top-source countries for malicious domain creation, in the hope that greater awareness and scrutiny can help slow the spread of malware.
