SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

fish

Usage of .ch domain names for spamming malware Tofsee stopped


It is rare that a malware family uses .ch or .li domain names in its domain generation algorithm (DGA). The last time I remember that we had to take action against malware using .ch or .li domain names was about 8 years ago. It was Conficker, which infected millions of computers worldwide. The malware was generating about 500 .ch and .li domains a day to be potentially used as command and control servers. Back then, SWITCH joined the Conficker Working Group to prevent the use of these domain names by the malware.

Since then we have been watching the use of .ch and .li domain names in malware DGAs and have prepared for it by making an agreement with the Registrar of Last Resort (RoLR) to prevent the registration of domain names used by malware DGAs.

This week the Swiss Governmental Computer Emergency Response Team (GovCERT) informed us that the malware Tofsee uses .ch as one of the TLDs in its DGA. Together with GovCERT and RoLR we followed our planned process and added around 520 names to a list of .ch domain names that cannot be registered while they are actively used by the malware. Now these domain names can no longer be registered by the operators of Tofsee to control their malware and send millions of annoying and dangerous spam emails, like those analyzed by Talos. Out of curiosity, we looked at the DNS requests sent towards one of the .ch name servers. As the world heat map below indicates, this spam bot malware has infections spread across the whole world.

Tofsee DNS lookups on one .ch name server during the last few days

I want to point out that these domain names are only temporarily unavailable and will be registrable again once the malware no longer uses them. As a registry it is our duty to make .ch domain names available for registration, even if there are not many people besides botnet operators who want to register a domain name like dqhdqhj[.]ch. Unfortunately it is not visible in whois that these domain names cannot be registered, but we are working to make this more transparent in the future.
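To illustrate the process described above (a reservation list of DGA names that blocks registration only while the malware is active, plus a look at which clients query those names on a name server), here is a small added example in Python. It is not SWITCH's or RoLR's code; the reservation dates, the second domain name, the log format and the log lines are constructed, only dqhdqhj[.]ch comes from the post.

```python
# Added illustration, not the registry's real implementation.
from collections import Counter
from datetime import datetime, timedelta


def normalize(name: str) -> str:
    """Lower-case, strip a trailing dot and un-defang 'dqhdqhj[.]ch'."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")


class DgaReservations:
    """Registry-side list of DGA names that are temporarily unregistrable."""

    def __init__(self):
        self._until = {}  # normalized name -> datetime when it becomes registrable again

    def reserve(self, names, active_until: datetime):
        for n in names:
            self._until[normalize(n)] = active_until

    def is_reserved(self, name: str, now: datetime) -> bool:
        until = self._until.get(normalize(name))
        return until is not None and now < until

    def check_create(self, name: str, now: datetime) -> str:
        """Mimic the registry's answer to a domain-create request."""
        if self.is_reserved(name, now):
            return "refused: temporarily reserved (malware DGA)"
        return "accepted"


def tally_dga_queries(log_lines, reservations: DgaReservations, now: datetime) -> Counter:
    """Count DNS queries for reserved names per client address.
    Constructed log format: '<timestamp> <client> <qname> <qtype>'."""
    hits = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        _ts, client, qname, _qtype = parts
        if reservations.is_reserved(qname, now):
            hits[client] += 1
    return hits


NOW = datetime(2016, 9, 20, 12, 0)  # constructed reference time
TOFSEE_LIST = ["dqhdqhj[.]ch", "constructed-dga-name[.]ch"]  # second name is made up
RESERVATIONS = DgaReservations()
RESERVATIONS.reserve(TOFSEE_LIST, NOW + timedelta(days=30))
SAMPLE_LOG = [  # constructed, RFC 5737 documentation addresses
    "2016-09-20T11:59:01 198.51.100.7 dqhdqhj.ch. A",
    "2016-09-20T11:59:02 203.0.113.9 DQHDQHJ.CH A",
    "2016-09-20T11:59:03 198.51.100.7 constructed-dga-name.ch A",
    "2016-09-20T11:59:04 192.0.2.4 switch.ch A",
]
```

Running `tally_dga_queries(SAMPLE_LOG, RESERVATIONS, NOW)` attributes three of the four queries to reserved names, and `check_create` refuses dqhdqhj.ch now but accepts it once the reservation has lapsed.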

GovCERT has published an excellent blog article that describes the details of Tofsee and its DGA. We want to thank GovCERT and RoLR for alerting us and for working together to protect Internet users from the Tofsee malware.
