Welcome to the Spamhaus Botnet Threat Update Q4 2021.<\/strong><\/p>\n <\/p>\n Last quarter, we reported \u201can explosion in backdoor malware\u201d due to FluBot & TeamBot. In Q4, from the perspective of botnet C&C infrastructure Spamhaus observed, this malware family completely disappeared. However, this doesn\u2019t mean they weren\u2019t active. That is far from the truth \u2013 they were active!<\/p>\n This malware isn\u2019t appearing in our listings because those miscreants responsible for them have changed their operating procedures. Instead of making C&C communications using traditional HTTPS protocol, they use DNS over HTTPS (DoH) and abuse large DoH providers, including Google and Alibaba.<\/p>\n While DoH was heralded with fanfares and touted as the next best security development of the internet, some security professionals (including Spamhaus) sighed as they realized the good guys would lose even more visibility over what the bad guys were doing. And by \u201ceven more,\u201d we refer to other issues like losing visibility of WHOIS data<\/a>.<\/p>\n DoH encrypts DNS traffic, making a resource private and secure that previously has always been public (unencrypted). You may be thinking that this has Not only does DoH make hunting down miscreants even more challenging, but it also means that security products based around DNS monitoring and filtering could be less effective, which is far from ideal. Security issues are compounded due to major DoH providers not filtering harmful DNS resolutions of botnet, phishing or malware domains.<\/p>\n <\/p>\n In Q4 2021, Spamhaus identified 3,271 botnet C&Cs compared to 2,656 in Q3 2021. This was a 23% increase quarter on quarter. The monthly average increased from 885 in Q3 to 1,090 botnet C&Cs per month in Q4.<\/p>\n <\/p>\n We reported last quarter that the number of botnet C&Cs in Russia had increased dramatically. However, this quarter saw even bigger increases:\n<\/p>\n In Q4, almost 30% of botnet C&C servers were located in Russia. <\/p>\n Several countries from Latin America (LatAm) were new entries in Q3 and remained in the Top 20 in Q4, including Mexico, Dominion Republic, Brazil, and Uruguay. Uruguay had the largest percentage increase (181%) of all geos in Q4.<\/p>\n After continuing increases across various European countries, we\u2019re pleased to report that several have reduced numbers; the Netherlands, France, Sweden and Romania. Meanwhile, Switzerland has dropped off the Top 20 List completely. However, Germany has moved into third place with a 35% increase, and Great Britain has experienced a 56% increase.<\/p>\n <\/p>\n Credential stealers were the most prevalent malware type associated with Botnet C&Cs in Q4. This doesn\u2019t come as a surprise, given that the top two malware listed, RedLine & Loki, are both Credential Stealers.<\/p>\n We saw a considerable uptick in GCleaner activity, leading to it being placed at #4, despite being a newcomer to the Top 20. GCleaner is similar to Smoke Loader in its modus operandi, and it is utilized in a Pay-Per-Install (PPI) model, dropping other malware on already infected hosts. While this malware threat has been around for some time, it is the first time that GCleaner has made it onto our Top 20 listings.<\/p>\n As discussed in our Spotlight section, this malware that had the #1 spot last quarter has disappeared from our listings; however, it is still operational having switched across to using DoH.<\/p>\n <\/p>\n We don\u2019t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.<\/p>\n The ccTLD de (Germany) re-entered our quarterly ranking at #20, having dropped off the Top 20 in Q2.<\/p>\n We\u2019d like to congratulate all the registries that manage TLDs who departed from our listings along with those who significantly reduced the number of associated botnet C&Cs using their TLDs, including .buzz and .net, who both saw an 80% reduction.<\/p>\n Apologies to Verisign for an error in our Q3 2021 statistic for .com. We misreported the number of botnet C&Cs for the TLD, and the correct figure was 3,730. Various issues led to this error, but we are pleased to confirm that we have worked with Verisign to rectify these.<\/p>\n Registries with a greater number of active domains have greater exposure to abuse. For example, in Q4 2021, .net had more than 13 million active domain zones, of which 0.00103% were associated with botnet C&Cs. Meanwhile, .xxx had just over 9,000 active domains, of which 2.4% were associated with botnet C&Cs. Both are in the top ten of our listings, but one had a much higher percentage of active domains associated with botnet C&Cs than the other.<\/p>\n Naturally, our preference is for no TLDs to have botnet C&Cs associated with them, but we live in the real world and understand there will always be abuse. <\/p>\n Overall, we saw a decrease in fraudulent domain registrations in Q4 2021, which is positive news. But some countries\u2019 registrars are still clearly struggling.<\/p>\n Registrars in Canada had the most fraudulent botnet C&C registrations in Q4, overtaking China from Q3.<\/p>\n There was a noticeable increase (136%) in the number of botnet C&Cs associated with registrars operating out of Germany. This was due to Key Systems experiencing a 74% increase and 1API re-entering our charts at #12, having dropped off the Top 20 in Q2.<\/p>\n This domain registrar appeared for the first time in our rankings. Atak operates out of Turkey and hasn\u2019t responded to any of our abuse reports to date. We have therefore filed a complaint against Atak with ICANN\u2019s policy enforcement. It is imperative that everyone who is part of the internet ecosphere work together to protect internet users.<\/p>\n These registrars experienced significant increases in the number of botnet C&C domains registered through them in Q4. However, while registrations are increasing for PDR their response times to abuse reports are excellent.<\/p>\n Last quarter we highlighted that CentralNic, West263, and Network Solutions had all experienced considerable increases in the number of newly registered botnet C&C domains. In Q4, all three of these registrars, along with eName, Xin Net, 22net, and OVH, departed from our Top 20 this quarter, so we\u2019d like to applaud all their efforts in preventing fraudulent registrations.<\/p>\n <\/p>\n As usual, there were many changes in the networks hosting newly observed botnet C&Cs.<\/p>\n While this Top 20 listing illustrates that there may be an issue with customer vetting processes, it doesn\u2019t reflect on the speed abuse desks deal with reported issues. See \u201cNetworks hosting the most active botnet C&Cs\u201d Uninet.net.mx (#1), serverion.com (#5) and cloudflare.com (#9) \u2013 all three appear within the Top 10 of our listings, but there are big differences between them.<\/p>\n Uninet is a telecom and network operator in Mexico. All newly hosted botnet C&Cs we identified in their IP space resulted from compromised customer equipment.<\/p>\n Serverion is a hosting company based in the Netherlands. All botnet C&Cs we identified on their network in Q4 resulted from fraudulent sign-ups.<\/p>\n Last but not least, we have Cloudflare who is not hosting any content rather providing a reverse proxy service and DDoS protection to botnet C&Cs, hiding their actual location.<\/p>\n <\/p>\n Finally, let\u2019s review the networks that hosted the largest number of active botnet C&Cs at the end of 2021. Hosting providers who appear in this ranking either have an abuse problem, do not take the appropriate action when receiving abuse reports, or omit to notify us when an abuse problem has been dealt with.<\/p>\n Over 60% of active botnet C&C listings are on networks located in the LatAm region. We implore these operators to quickly respond to abuse reports and work with Spamhaus to reduce botnet C&C abuse on their networks.<\/p>\n That\u2019s all for now. Stay safe and see you in April!<\/p>\n Download the Spamhaus Botnet Report 2021 Q4 as PDF<\/a><\/p>\nThe issues of DNS over HTTPS (DoH)<\/h2>\n
Remember FluBot & TeamBot from Q3?<\/h3>\n
Why are they not being detected by Spamhaus?<\/h3>\n
Preventing abuse on the internet gets harder<\/h3>\n
Why is DoH an issue?<\/h3>\n
\nto be a good thing, however as you can see, in this circumstance, our researchers have no visibility of FluBot & TeamBot\u2019s DNS requests. Consequently, we can\u2019t list the IP addresses, and therefore this data can\u2019t be used to protect users. While DoH is meant to be protecting the internet community, it is also enabling cybercriminals. It\u2019s a double-edged sword.<\/p>\nNumber of botnet C&Cs observed, Q4 2021<\/h2>\n
\n
\n ![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q4\/2021-q4-01-total-number-of-botnet-c2s-observed.png\")
<\/td>\n<\/tr>\n<\/table>\nGeolocation of botnet C&Cs, Q3 2021<\/h2>\n
Russia continues with significant increases<\/h3>\n
\n
LatAm presence continues<\/h3>\n
Ups and downs across Europe<\/h3>\n
\n
\n ![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q4\/2021-q4-02-top-20-locations-of-c2s-table.png\")
<\/td>\n<\/tr>\n\n ![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q4\/2021-q4-03-top-20-locations-of-c2s-map.png\")
<\/td>\n<\/tr>\n<\/table>\nMalware associated with botnet C&Cs, Q4 2021<\/h2>\n
GCleaner emerging<\/h3>\n
FluBot\/TeamBot disappear<\/h3>\n
\n
\n ![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q4\/2021-q4-04-top-20-malware-table.png\")
<\/td>\n<\/tr>\n<\/table>\n\n
\n \n Malware type comparisons between Q3 and Q4 2021<\/h3>\n
![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q4\/2021-q4-05-top-20-malware-type.png\")
<\/td>\n<\/tr>\n<\/table>\nMost abused top-level domains, Q4 2021<\/h2>\n
A new entry at #4<\/h3>\n
.de reappears<\/h3>\n
Reductions and departures<\/h3>\n
Q3 data inaccuracy<\/h3>\n
Interpreting the data<\/h3>\n
Working together with the industry for a safer internet<\/h3>\n
\nWhat is crucial is that abuse is dealt with quickly. Where necessary, if domain names are registered with the sole purpose of distributing malware or hosting botnet C&Cs, we would like registries to suspend these domain names. We appreciate the efforts of many registries who work with us to ensure these actions are taken, including .xyz and .top.<\/p>\n\n
\n ![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q4\/2021-q4-06-tlds.png\")
<\/td>\n<\/tr>\n<\/table>\nMost abused domain registrars, Q4 2021<\/h2>\n
Canadian based registrars<\/h3>\n
German based registrars<\/h3>\n
Atak<\/h3>\n
Nicenic.net (China) & PDR (India)<\/h3>\n
Thank you to those who\u2019ve departed from our listings<\/h3>\n
\n
\n ![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q4\/2021-q4-07-registrars.png\")
<\/td>\n<\/tr>\n<\/table>\n\n
\n \n Location of Most Abused Domain Registrars<\/h3>\n
![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q4\/2021-q4-08-registrars-location.png\")
<\/td>\n<\/tr>\n<\/table>\nNetworks hosting the most newly observed botnet C&Cs, Q4 2021<\/h2>\n
Does this list reflect how quickly abuse is dealt with at networks?<\/h3>\n
\nto view networks where abuse isn\u2019t dealt with promptly. <\/p>\nA mixed bag<\/h3>\n
\n
\n ![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q4\/2021-q4-09-networks-newly-observed.png\")
<\/td>\n<\/tr>\n<\/table>\nNetworks hosting the most active botnet C&Cs, Q4 2021<\/h2>\n
Network operators in LatAm region need to get on top of abuse rapidly<\/h3>\n
\n
\n ![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q4\/2021-q4-10-networks-most-active-botnets.png\")
<\/td>\n<\/tr>\n<\/table>\n