Disorganized crime and state-backed hackers: The cybercrime landscape is changing Watch Now

OpenNIC, an organization that runs an alternative DNS network, has voted to drop support for .bit domains after rampant abuse from malware operators.

Besides problems with malware botnets, the organization also cited fears that OpenNIC members might get in trouble with law enforcement if .bit domains would become the home of child abuse portals.

The decision was approved on June 25, after a 13-2 vote from OpenNIC members. A first voting proposal to drop support for .bit domains in December 2018, but it did not reach a voting stage.

What are .bit domains and what is OpenNIC?

.bit is a decentralized top-level domain (dTLD) that runs on the blockchain infrastructure of the Namecoin cryptocurrency, an older fork of Bitcoin.

To access a website with a .bit domain, users need to run a Namecoin client, or the app making the request for the .bit domain must query a DNS server that supports .bit domain queries.

OpenNIC is one of those services and the biggest of them all.

The project was set up in the early 2000s as an alternative to the ICANN-managed DNS network and is primarily focused on supporting decentralized top-level domains (such as .bit and others).

OpenNIC manages its own dTLDs, such as .cyb, .dyn, .null, or .pirate, but it also supports dTLDs that have been set up by other organizations.

Until last month's vote, OpenNIC also had a peering agreement with Namecoin to support .bit domains, allowing users who used the OpenNIC DNS servers to access .bit domains and effectively open it up to all its users.

Rampant malware abuse

But now, the OpenNIC team says that .bit domains are very often used by malware operations to host command and control (C&C) servers that are almost impossible to track and take down due to its decentralized architecture.

Furthermore, as a side effect, OpenNIC servers are getting blacklisted instead of .bit domains -- in an attempt by maintainers of cyber-security software of blocking .bit domain queries before malware communications are established on infected hosts.

But while OpenNIC highlighted an increase in malware domains relaying on .bit domains in the past year, in reality, this practice has been going on for years.

According to a Trend Micro report, malware operators first began using .bit domains in 2013.

Since then, the practice has spread. Some of the recent malware strains that have abused .bit domains include the GandCrab ransomware, the Dofoil coinminer, the Terdot and Neutrino trojans, the Azorult infostealer, and various others.

In a 2017 article, malware-fighting organization Abuse.ch described .bit as "the next generation of bulletproof hosting."

US cyber-security firm FireEye and spam list operator Spamhaus also criticized and highlighted the hidden danger that comes with .bit domains.

All of these reports, along with some criticims from the Namecoin team against OpenNIC operators, factored in the organization dropping its peering agreement for .bit domains.

Fear of prosecution for child pornography crimes

But besides the "malware problem," the OpenNIC team also cited fears that its members might accidentally get dragged into investigations related to child pornography.

"There is the possibility of child pornography also being spread across .bit domains, and since the owners of that content cannot be found it could come back to us (OpenNIC) as the responsible party for making that content more easily available on the internet," the OpenNIC team said.

"I'm not saying this HAS happened, just that it is worth considering as a worst-case scenario."

However, .bit is not the only recent TLD to be abused by cyber-criminals. A Proofpoint report also highlighted that the recently created generic top-level domains (gTLDs) have also entered the arsenal of common cybercriminals as well.

Related malware and cybercrime coverage: