SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

Usage of .ch domain names for spamming malware Tofsee stopped


It is rare that a malware family uses .ch or .li domain names in their domain name generation algorithm (DGA). The last time I remember, that we had to take action against a malware using .ch or .li domain names was about 8 years ago. It was Conficker that infected millions of computers worldwide. The malware was generating about 500 .ch and .li domains a day to be potentially used as a command and control server. By then SWITCH joined the conficker working group to prevent the use of domain names by this malware.

Since then we have been watching the use of .ch and .li domain names in malware DGAs and prepared for this by making an agreement with the Registrar of Last Resort (RoLR) to prevent the registration of domain names used in DGA algorithms of malware.

This week the Swiss Govermental Computer Emergency Response Team (GovCERT) informed us about the malware Tofsee using .ch as one of the TLDs in its DGA. Together with GovCERT and RoLR we used our planned process and added around 520 names to a list of .ch domain names that cannot be registered while they are actively used by the malware. Now, these domain names can not be registered by the operators of Tofsee anymore to control their malware and send millions of annoying and dangerous spam emails, like these analyzed by Talos. Out of curiosity, we looked at the DNS requests sent towards one of the .ch name server. As the world heat map below indicates, this spam bot malware has a rather world wide infection rate.

Tofsee DNS lookups on one .ch name server during the last few days

Tofsee DNS lookups on one .ch name server during the last few days

I want to point out that these domain names are only temporarily unavailable and will be register-able again once they are not used by the malware anymore. As a registry it is our duty to make .ch domain names available for registration, even if there are not many people, besides botnet operators, that want to register a domain name like dqhdqhj[.]ch. Unfortunately it is not visible in whois that the domain names cannot be registered, but we are working to make this more transparent in the future.

GovCERT published an excellent blog article that describes the details of Tofsee and the DGA used. We want to thank GovCERT and RoLR for alerting us and working together to protect Internet users from the Tofsee malware.