Malware networks are typically perceived and discussed as vast, distributed structures that are capable of spanning the entire globe. Attacking such networks often requires a significant degree of international cooperation between government agencies as well as the private sector. Successful takedowns are difficult—but not impossible.

Despite notable successes, there's a clear need for faster, more flexible methods of disabling malware networks. New data from security researchers at KnujOn might just hold the answer.

According to KnujOn, a relatively small group of 10 registrars is responsible for a full 83 percent of all the spam and malware distributed over the past eight months. Here are the top 10 offenders; we'll be discussing several of them further down.

1. XIN NET (also #1 in KnujOn's May report)
2. eNom
3. Network Solutions
4. Register.com
5. PLANETONLINE
6. RegTime
7. OnlineNIC
8. SpotDomains
9. Wild West
10. Hichina Web Solutions

KnujOn is quick to point out that being on the list is not proof of ill intent on the part of the registrar. When the researchers released their first report in May, a number of the registrars listed in the top ten took action to remove themselves. Beijing Innovative Networks and Joker (no. 2 and no. 4 back in May) were told by ICANN to clean house or lose accreditation status; KnujOn claims both companies took the warnings seriously and have since solved their problems.

Only two of the companies on the May list—eNom and Xin—are repeat offenders. KnujOn attempted to contact both companies for comment; neither responded. Xin is currently the worst spammer in the bunch, with over three million recorded instances of spam across just 9,000 domains. eNom is a very distant second at 1.2 million instances of spam across 32,610 domains. Per domain, that works out to 345.4 spam messages for Xin and just 39.7 for eNom.

Data source: KnujOn

It's clear that registrars can significantly reduce the amount of spam flowing across their networks by actively monitoring and shutting down illicit users—provided they are willing to do so. In this case, that provision is significant; comments from the registrars that participated in ICANN's recent report on fast flux hosting indicate the companies are anything but eager to serve as Internet police. Even if they were, it's not clear we'd want them to.

Don't send wolves to guard the henhouse

The ICANN fast flux working group was composed of 33 members, 12 of whom represented a total of nine registrars. Three of the nine registrars—eNom, Network Solutions, and Register.com—are on the list of top offenders. Again, as KnujOn noted, this is not evidence of evil intent or bad faith on the part of any of the three registrars in question—but the included comments of these major organizations are a bit unsettling.

When we originally covered ICANN's report, we noted that it portrayed registrars as victims of these illicit malware authors and botnets. Five of the registrars—eNom, GoDaddy, Melbourne IT, Network Solutions, and Register.com—jointly submitted additional commentary on the working group's goals and achievements. The joint statement is defensive, to say the least. Again, registrars are painted as the poor, unwitting saps in an evil malware author's plot.

"There were suggestions that sophisticated criminal networks may create or control an ICANN-accredited registrar to facilitate illicit activities using fast flux hosting, but no data has been provided to support this claim... also, no data has been offered to corroborate claims that some Registrars are 'involved' in fast-flux hosting activities," reads the statement.

According to the registrars in question, fast flux hosting is entirely outside ICANN's purview. The group can recommend no best practices for protecting oneself from fast flux, cannot state who might benefit and who might be harmed if fast flux hosting were eliminated, and can't even separately define a victim of fast flux hosting from a beneficiary of the same. It did, however, manage to note the need for some form of registrar liability protection in the event that a domain is falsely identified as an illicit fast fluxer and shut down.

Evidence of evil? No. Disquieting? Definitely. One third of the registrars that participated in the working group are organizations with very real spam problems. Given the chance to present a firm stance against malware fast flux hosting, the registrars in question emphasized their vulnerability. If the statements in Section 2 (quoted above) were accurate, eNom wouldn't be moving up the list of malware-hosting registrars.

The registrars on KnujOn's list are in a position to shut down a substantial amount of illegal traffic. Malware wouldn't just go away, even if every registrar shut down every illicit host tonight, but it would be a tremendously positive sign of good faith to see eNom, Network Solutions, and Register.com off that list entirely six months from now.
