The groups of attackers that employ the Zeus toolkit for their scams and malware campaigns have long used sites in the .ru Russian TLD as homes for their botnet controllers. Security researchers and law enforcement agencies have had a difficult time making headway in getting these domains taken down, but now it seems that some changes in the way that the Russian organization in charge of the .ru domain is enforcing rules for fraudulent domains is forcing attackers to move to a long-forgotten TLD owned by the former Soviet Union.
Botherders tend not to be too picky about where they locate their command-and-control servers. Any domain and hosting provider that will leave them alone typically fits the bill. For the past few years, that description has fit many domains in the Russian TLD, as well as many others in smaller Eastern European countries that haven’t dedicated a lot of resources to rooting out these C&C servers. Security researchers have known for a long time where the C&C servers are and have been exposing them online, and the attackers will change the location of those servers frequently in response to takedowns or other actions.
Now it appears that some of the Zeus attack crews are moving away from the .ru TLD altogether and migrating to the .su TLD, which was the property of the former Soviet Union. According to statistics on the Zeus Tracker site, three of the Zeus C&C servers with the longest uptimes are currently running on .su domains. Also, two of the C&Cs with the most files online are on .su domains.
“For those of you who don’t know: .su is (or should I say was) the Top Level Domain for the Soviet Union, which we all know doesn’t exist any more. Nevertheless, TLD .su (which is operated by RIPN) is still active today which means that people can still register domain names with that TLD. As of today I’m seeing an increasing number of malicious .su domains being used by botnet herders. In fact this means that the criminals seem to be switching from .ru to .su,” the researcher at Abuse.ch, which runs the Zeus Tracker site, wrote in an analysis of the TLD shift.
“Since the Soviet Union isn’t any more and I see legit .su domains pretty rarely, I think it’s a good idea to block .su on the network edge (web proxies / content filtering systems).”
Since the demise of the Soviet Union, the .su TLD has remained active and companies and organizations located in countried that were part of the Soviet Union are allowed to register domains using that TLD. But, because the Soviet Union no longer exists and there are a relatively small number of sites on the TLD, it has gone unnoticed. Attackers have shown a remarkable ability to find obscure TLDs and infest them with malware-serving domains or C&C servers in a short period of time, and the .su TLD is now having its moment in the sun.