- 2017-01-16 First English version. Updates from the original Chinese version are merged.
Our abnormal traffic detection system noticed a number of domain names containing strings that represent well-known companies, including 360, ali, baidu, cloudflare, dnspod, google and microsoft. We later found that these strings are used by a mature, dedicated underground market infrastructure supporting businesses such as gambling, pornography and server emulators.
This infrastructure has a complicated structure, has lasted for several years, and serves tens of thousands of underground sites as customers. Taken together, this is a mature underground ecosystem.
Fraudulent Top Site Domain Name List
The domain names we detected are listed as follows.
At first glance these domain names look like CDNs operated by top sites. Deeper analysis shows that the actual services behind them focus on gambling, pornography, server emulators and other underground businesses.
The Infrastructure Based on These Domains
Analysis of these sites' DNS resolution records shows that the domain names are used not only for direct content delivery, but also as backbone nodes for, and behind, other nodes. Together with these newly found nodes, they form a complicated infrastructure.
This network has a large volume of underground customers. Some nodes have operated for quite a long time, and the business boundaries between them are clear. Taken together, what we see is a mature infrastructure dedicated to the underground market.
The list of these sites and some of their related pre / post nodes (the nodes that precede and follow them in the resolution chain) is as follows:
The infrastructure network is a maze:
- yunfangyu1/2/5/7.com appear both before and after the fraudulent top-site domains in the chain and share the same whois registration information, turning the supporting chain into a loop.
- cdn88.net and cdn11/22/33.net (not shown in the table) share the same whois registration email address firstname.lastname@example.org with microsoftcdn.com, which is in the table.
- The whole business is still developing. For example, google-yun.com and google-cdn-all.com were registered in the week before this article was written (2017.01.03).
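The pre / post node and whois reasoning above can be reproduced mechanically from passive DNS CNAME records. The following is an added example (not the article's or 360netlab's code): all domain names, CNAME records and registrant emails in it are constructed placeholders, and the apex extraction is deliberately crude (last two labels) where production code would use the Public Suffix List. It collapses CNAME chains to an apex-level graph, lists each domain's preceding and following nodes, reports loops like the yunfangyu case, and groups apexes by registrant email while leaving privacy-protected domains unattributed.

```python
"""Resolution-chain graph and registrant clustering over passive-DNS-style records.

Added example with constructed sample data; nothing here is from the article's dataset.
"""
from collections import defaultdict

# Constructed CNAME observations: (owner name, target name). In real passive DNS
# data these would be the rrname/rdata of rrtype=CNAME rows.
CNAME_RECORDS = [
    ("www.site-a.example", "vip1.hub1.example"),
    ("vip1.hub1.example", "node7.fakecdn.example"),
    ("node7.fakecdn.example", "edge.hub1.example"),   # points back to hub1 -> loop
    ("www.site-b.example", "vip2.fakecdn.example"),
    ("vip2.fakecdn.example", "pool.upstream.example"),
]

# Constructed whois data: apex domain -> registrant email (or privacy protection).
WHOIS = {
    "hub1.example": "reg-one@mail.example",
    "fakecdn.example": "reg-two@mail.example",
    "upstream.example": "reg-two@mail.example",
    "site-a.example": "privacy-protected",
    "site-b.example": "privacy-protected",
}


def apex(name: str) -> str:
    """Crude apex extraction (last two labels); use the Public Suffix List in practice."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def build_apex_graph(records):
    """Collapse CNAME chains into apex -> apex edges, dropping intra-domain hops."""
    graph = defaultdict(set)
    for owner, target in records:
        src, dst = apex(owner), apex(target)
        if src != dst:
            graph[src].add(dst)
    return graph


def pre_post_nodes(graph, domain):
    """Apexes that resolve into `domain` (pre nodes) and apexes it resolves into (post nodes)."""
    pre = sorted(src for src, dsts in graph.items() if domain in dsts)
    post = sorted(graph.get(domain, ()))
    return pre, post


def find_cycles(graph):
    """Return each simple cycle once, as a sorted tuple of apex domains (plain DFS)."""
    cycles = set()

    def dfs(start, node, path, seen):
        for nxt in graph.get(node, ()):
            if nxt == start:
                cycles.add(tuple(sorted(path)))
            elif nxt not in seen:
                dfs(start, nxt, path + [nxt], seen | {nxt})

    for start in list(graph):
        dfs(start, start, [start], {start})
    return sorted(cycles)


def cluster_by_registrant(whois):
    """Group apex domains by registrant email; privacy-protected domains stay unattributed."""
    clusters = defaultdict(set)
    for domain, email in whois.items():
        if email != "privacy-protected":
            clusters[email].add(domain)
    return {email: sorted(domains) for email, domains in clusters.items()}


if __name__ == "__main__":
    g = build_apex_graph(CNAME_RECORDS)
    print("pre/post nodes of fakecdn.example:", pre_post_nodes(g, "fakecdn.example"))
    print("loops in the chain:", find_cycles(g))
    print("registrant clusters:", cluster_by_registrant(WHOIS))
```

The loop check is what turns "a chain of CDN-looking domains" into "one operator's infrastructure pointing at itself"; combining it with the registrant clusters gives the same two signals the article uses to connect the yunfangyu domains and the cdn88.net / microsoftcdn.com family.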
An Evaluation for the Complicated Infrastructure and Its Customers
We extracted the related PassiveDNS records to fill in the following table, and evaluate the infrastructure along several dimensions: domain stability, sub-domain diversity, and traffic volume.
Domain stability looks quite good. As can be seen above, all domain names remained active up to the time of writing, except googlecdn.win and microsoftcdn.com, which ceased activity on 2016-02-06 and 2016-08-03 respectively. It is worth noting that the admin of microsoftcdn.com (email@example.com) registered cdn88.net on 2015-05-04. After this change of face, they remain active in the infrastructure, as mentioned above.
In terms of sub-domain diversity, even the largest domain, alicdn-kr.com, has only 284 sub-domains. This distinguishes these domains from a regular CDN provider.
In terms of DNS query volume, there is a large discrepancy among the domains. The busiest, alicdn-kr.com, accumulated a total of 1.3 billion DNS queries, which is a really huge number. To put this figure in context, we use tv.cctv.com (China Central TV Network) as a benchmark in the following chart. The black line is alicdn-kr.com and the blue line is tv.cctv.com. Roughly speaking, alicdn-kr.com's traffic is twice that of tv.cctv.com.
In addition, let's look at the daily peak hours. alicdn-kr.com's daily peak comes at about 23:00 ~ 0:00 every night, which matches the business it carries well: gambling and porn sites are more active around midnight.
As mentioned earlier, the main users of this infrastructure are gambling, pornography and server emulator underground sites. The total user base is very large; some figures:
- 24,033 domain names
- 53,699 subdomains
- The first user is vip1000.cdn88.net, starting on 2015-11-22
- The single biggest user is 7966.ym009.com, with an accumulated DNS query count of 93,192,746
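The stability, diversity, volume and peak-hour measurements, together with the customer figures just listed, are all derived from the same PassiveDNS fields (name, first seen, last seen, query count). The block below is an added example, not the article's analysis code; the records, dates, counts and hourly series are constructed and far smaller than the real dataset, the 30-day inactivity window and the 2017-01-10 reference date are assumptions, and apex extraction is the same crude last-two-labels shortcut as before. It computes per-domain first/last seen and an active flag, distinct sub-domain count, total queries, the peak hour of day, and the customer-side summary (domain count, sub-domain count, first user, biggest user).

```python
"""Evaluate suspected CDN-like domains and their customers from passive DNS summaries.

Added example with constructed sample data; none of the numbers are the article's.
Record layout: (fqdn, first_seen 'YYYY-MM-DD', last_seen 'YYYY-MM-DD', query_count).
"""
from collections import defaultdict
from datetime import date

REPORT_DATE = date(2017, 1, 10)   # assumed reference date for the "still active" test

# Constructed records for two infrastructure domains.
INFRA_RECORDS = [
    ("a.fakecdn-one.example", "2015-06-01", "2017-01-09", 400_000),
    ("b.fakecdn-one.example", "2015-09-12", "2017-01-10", 250_000),
    ("c.fakecdn-one.example", "2016-02-20", "2017-01-08", 50_000),
    ("x.fakecdn-two.example", "2015-05-04", "2016-08-03", 30_000),
    ("y.fakecdn-two.example", "2015-05-20", "2016-07-30", 20_000),
]

# Constructed records for customer names that resolve through the infrastructure.
CUSTOMER_RECORDS = [
    ("vip1.fakecdn-one.example", "2015-11-22", "2017-01-09", 9_000),
    ("7777.customer-a.example", "2016-01-05", "2017-01-10", 93_000),
    ("www.customer-a.example", "2016-01-05", "2017-01-10", 1_000),
    ("bet.customer-b.example", "2016-06-30", "2017-01-01", 5_000),
]

# Constructed hourly query counts (hour of day -> queries) for one domain; the late-night
# bump mimics the kind of pattern the article describes.
HOURLY = {hour: 1_000 for hour in range(24)}
HOURLY.update({22: 3_000, 23: 5_000, 0: 4_500})


def apex(fqdn):
    """Crude apex extraction (last two labels); use the Public Suffix List in practice."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


def parse_day(text):
    return date.fromisoformat(text)


def evaluate_infrastructure(records, report_date=REPORT_DATE, inactive_days=30):
    """Per apex domain: first/last seen, whether it is still active, sub-domain count, queries."""
    by_apex = defaultdict(list)
    for rec in records:
        by_apex[apex(rec[0])].append(rec)
    result = {}
    for domain, rows in by_apex.items():
        first = min(parse_day(r[1]) for r in rows)
        last = max(parse_day(r[2]) for r in rows)
        result[domain] = {
            "first_seen": first.isoformat(),
            "last_seen": last.isoformat(),
            "active": (report_date - last).days <= inactive_days,
            "subdomains": len({r[0] for r in rows}),
            "queries": sum(r[3] for r in rows),
        }
    return result


def peak_hour(hourly):
    """Hour of day with the most queries."""
    return max(hourly, key=hourly.get)


def customer_summary(records):
    """Customer-side figures: distinct domains, distinct sub-domains, first and biggest user."""
    fqdns = {r[0] for r in records}
    return {
        "domains": len({apex(f) for f in fqdns}),
        "subdomains": len(fqdns),
        "first_user": min(records, key=lambda r: parse_day(r[1]))[0],
        "biggest_user": max(records, key=lambda r: r[3])[0],
    }


if __name__ == "__main__":
    for domain, stats in evaluate_infrastructure(INFRA_RECORDS).items():
        print(domain, stats)
    print("peak hour:", peak_hour(HOURLY))
    print("customers:", customer_summary(CUSTOMER_RECORDS))
```

The "active" flag is what separates domains like googlecdn.win and microsoftcdn.com (last seen months before the report) from the rest, and a low sub-domain count next to a high query total is the combination that looks unlike a genuine CDN.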
An analysis of the national distribution of these domains' IPs shows that most of the IPs are located in the United States, Hong Kong, China and India. This looks quite familiar compared with our earlier analysis of DWA (Domain Wild Abuse), especially the distribution across the United States and Hong Kong.
The IPs inside mainland China are concentrated in data centers, and these data centers often advertise a so-called GaoFang service (a high-volume anti-DDoS service). Hosted in these GaoFang data centers, the infrastructure is guaranteed some degree of anti-DDoS capability.
The Autonomous System distribution of these IPs is much more dispersed than the geographical distribution, as listed below:
It is noteworthy that the top-ranked AS8075 Microsoft Corporation belongs to Microsoft, and AS45090 Shenzhen Tencent Computer Systems Company Limited belongs to Tencent.
googleyuncdn.com and microsoftcloudcdn.com account for the use of these two ASes. At different times in history they have also used AS58593 Microsoft (China) Co., Ltd, AS15169 Google Inc, AS45102 Alibaba (China) Technology Co., Ltd and other big names' ASes.
Without careful analysis, people may think that microsoftcloudcdn.com being served from a Microsoft AS looks perfectly harmonious. However, their businesses are totally different, which is interesting.
From the domains' registration information, we can tell that these domains are divided into several gangs.
In this figure, cells with the same shading indicate the same group of people. Domain names that cannot be attributed are not colored. Given the complexity of the infrastructure mentioned earlier, some of the smaller groups in the table may in reality be attributable to a larger group.
The earliest registered, microsoftcdn.com, was registered on May 4, 2015; the latest, google-cdn-all.com, on December 29, 2016. Most of the domain names are paid for one year, but cdn-cloudflare.com and jiasucdn360.com are paid for 5 and 7 years. It looks like these people are prepared to do this work for the long term.
Five out of the 21 domains' registrations are privacy protected. With the help of 360netlab's whoisdb database, we traced back the registrants that are not privacy protected, in order to rule out potential abuse by "corn farmers" (people who register domains in bulk and wait for a higher sale price, like a farmer).
After this filtering, we found that different registrants often focus on their own business areas:
- The registrants "good good" and "jie ke" (Jack) registered a large number of gambling domain names.
- "qiu yang" focused on pornography domains.
- "Jack Tom", "google-cdn" and several other registrants are dedicated to registering CDN-like domain names.
Besides the fraudulent top-site strings, we also found other words in the domain names that indicate a strong anti-DDoS capability, used to attract potential customers:
- GaoFang, a strong anti-DDoS capability
- FangDDoS, anti-DDoS
- FangCC, anti-CC-DDoS; CC-DDoS is a nickname for HTTP flood in China.
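For a defender, the naming pattern itself is a usable detection signal: a brand string from the list above combined with a CDN-sounding fragment (cdn, yun, jiasu, all of which appear in the domain names the article lists) or an anti-DDoS buzzword, on an apex that is not the brand's own. The following is an added example, not code from the article: the weights, the threshold and the allow-list mechanism are analyst-tunable assumptions of mine, and the sample domains in the usage section are either taken from the article or constructed. Scoring rather than plain substring matching keeps short strings like "ali" (which also occurs inside ordinary words) from flagging on their own.

```python
"""Score domain names for borrowed brand strings and anti-DDoS marketing words.

Added example. The brand and anti-DDoS lists mirror the article; weights, threshold
and allow-list handling are assumptions for illustration.
"""

BRAND_STRINGS = ("360", "ali", "baidu", "cloudflare", "dnspod", "google", "microsoft")
CDN_MARKERS = ("cdn", "yun", "jiasu")            # yun = cloud, jiasu = acceleration
ANTI_DDOS_MARKERS = ("gaofang", "fangddos", "fangcc")

# Assumed weights: a brand string alone is not enough, an anti-DDoS word alone is.
WEIGHTS = {"brand": 2, "cdn": 1, "anti_ddos": 3}
THRESHOLD = 3


def apex(fqdn):
    """Crude apex extraction (last two labels); use the Public Suffix List in practice."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


def find_all(haystack, needles):
    """Needles present in the haystack, in list order, so results are deterministic."""
    return [n for n in needles if n in haystack]


def classify(fqdn, allow_list=frozenset()):
    """Score one name; flag it when the score reaches THRESHOLD and the apex is not allow-listed.

    allow_list holds apexes legitimately owned by the brands (e.g. an organisation's own
    asset inventory), so a real brand host never gets flagged for carrying its own name.
    """
    name = fqdn.lower().rstrip(".")
    brands = find_all(name, BRAND_STRINGS)
    cdn = find_all(name, CDN_MARKERS)
    anti = find_all(name, ANTI_DDOS_MARKERS)
    score = (WEIGHTS["brand"] * len(brands)
             + WEIGHTS["cdn"] * len(cdn)
             + WEIGHTS["anti_ddos"] * len(anti))
    flagged = score >= THRESHOLD and apex(name) not in allow_list
    return {"domain": fqdn, "brands": brands, "cdn_markers": cdn,
            "anti_ddos": anti, "score": score, "flagged": flagged}


def scan(domains, allow_list=frozenset()):
    """Return only the flagged results, highest score first."""
    hits = [classify(d, allow_list) for d in domains]
    return sorted((h for h in hits if h["flagged"]), key=lambda h: -h["score"])


if __name__ == "__main__":
    # Names from the article plus constructed negatives; the allow-list is illustrative.
    sample = ["alicdn-kr.com", "google-yun.com", "jiasucdn360.com", "cdn-cloudflare.com",
              "cdn.google.com", "australia-travel.example", "gaofang123.example"]
    for hit in scan(sample, allow_list={"google.com"}):
        print(hit["score"], hit["domain"], hit["brands"], hit["cdn_markers"], hit["anti_ddos"])
```

Run over newly registered domain feeds or passive DNS first-seen names, this produces a short review queue; the allow-list is what keeps the organisation's real hosts (cdn.google.com in the sample) out of it.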
Update on 2017-01-16:
After the original Chinese version was first published on 2017-01-10, some readers requested an IP overlap analysis. We provide it here:
- Most servers have just a few IPs and even fewer overlaps. Keeping that in mind, IP overlap in this case is weak evidence, and can only be used as a complementary enhancement to existing strong evidence.
- The overlap between cdn-baidu-google.com and cdm-google-baidu.com is about 25%, which strengthens the same-origin assertion from the whois data analysis.
- On the other hand, since googleyuncdn.com is privacy protected and no same origin was asserted in the registration data analysis, no relationship between googleyuncdn.com and microsoftcloudcdn.com can be asserted from the 25% IP overlap alone.
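The caveat in the first bullet is worth building into the tooling rather than remembering by hand. The block below is an added example (not the article's analysis, whose exact overlap definition it does not state): it derives per-apex IP sets from constructed A-record observations using RFC 5737 documentation addresses, measures overlap as the Jaccard index, and tags any pair in which either side has fewer than an assumed minimum number of IPs as weak evidence, so a 100% overlap on a single shared address is reported but not trusted.

```python
"""Pairwise IP overlap between domains from passive DNS A records, with a sample-size caveat.

Added example with constructed data; the IPs are RFC 5737 documentation addresses and the
minimum-IPs threshold is an assumption.
"""
from collections import defaultdict
from itertools import combinations

# Constructed (fqdn, ip) A-record observations.
A_RECORDS = [
    ("a.cdn-pair-one.example", "192.0.2.1"), ("b.cdn-pair-one.example", "192.0.2.2"),
    ("c.cdn-pair-one.example", "192.0.2.3"), ("d.cdn-pair-one.example", "192.0.2.4"),
    ("e.cdn-pair-one.example", "192.0.2.5"),
    ("a.cdn-pair-two.example", "192.0.2.4"), ("b.cdn-pair-two.example", "192.0.2.5"),
    ("c.cdn-pair-two.example", "198.51.100.6"), ("d.cdn-pair-two.example", "198.51.100.7"),
    ("e.cdn-pair-two.example", "198.51.100.8"),
    ("www.small-one.example", "203.0.113.9"),   # one IP each: any overlap is weak evidence
    ("www.small-two.example", "203.0.113.9"),
]


def apex(fqdn):
    """Crude apex extraction (last two labels); use the Public Suffix List in practice."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


def ip_sets_by_apex(records):
    """Collect the distinct IPs ever observed for each apex domain."""
    sets = defaultdict(set)
    for fqdn, ip in records:
        sets[apex(fqdn)].add(ip)
    return sets


def jaccard(a, b):
    """Shared IPs over all IPs of both sides; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def overlap_report(records, min_ips=4):
    """Every pair of apexes sharing at least one IP, with a weak-evidence flag.

    A pair is weak evidence when either side has fewer than `min_ips` addresses, since a
    handful of shared IPs can come from shared hosting rather than shared ownership.
    """
    sets = ip_sets_by_apex(records)
    rows = []
    for d1, d2 in combinations(sorted(sets), 2):
        score = jaccard(sets[d1], sets[d2])
        if score == 0:
            continue
        rows.append({
            "pair": (d1, d2),
            "shared": len(sets[d1] & sets[d2]),
            "jaccard": round(score, 3),
            "weak_evidence": min(len(sets[d1]), len(sets[d2])) < min_ips,
        })
    return rows


if __name__ == "__main__":
    for row in overlap_report(A_RECORDS):
        print(row)
```

In this sample the two five-address domains share two IPs (Jaccard 0.25), which is the kind of figure that can back up an existing whois link; the single-address pair scores 1.0 but is marked weak, which is the situation the third bullet above warns about.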
In China, gambling and pornography are illegal, so it is not surprising that these businesses adopt a dedicated underground infrastructure. However, the use of top-site strings in the domain names is still interesting.
In this article, we analyzed the fraudulent top-site domain names from different perspectives: whois, PassiveDNS, and IP distribution. We can draw a few conclusions:
- This infrastructure is quite stable. Most of the domains operate for a relatively long period, which makes it different from the underground phishing business.
- Because business continuity is important for their service, the infrastructure operators prefer a formal and stable infrastructure, which helps explain why they use large companies' IP addresses.
- We do not think there is underground phishing in these domains.
- We do not think these domain names are owned by corn farmers (domain name mongers). We believe the people behind this infrastructure are likely to be the underground business operators themselves, or some other dedicated underground infrastructure provider.
We hope this article has presented a new perspective on underground business infrastructure. We will keep tracking these fraudulent 'top site' domain names and the infrastructure networks to observe their follow-up developments.