Blue Coat Labs

Labs Blog

Exploring .XYZ (Another Shady TLD Report)

Exploring .XYZ (Another Shady TLD Report)

Chris Larsen, Adnan Shukor

[It's been a couple of months since the last post in our "Shady TLD" series, with plenty of interesting candidates for another expedition, but other R&D kept getting in the way. Then, last week, I saw a short post from Adnan in our internal blog, which included several ".XYZ" sites, and that tipped the balance in favor of choosing this top level domain for analysis. So here we go... --C.L.]

 

.XYZ Overview

The first step was to check our "all time" list: .xyz places in the Top Ten, with 97.07% of its sites in our database having shady ratings: Suspicious, Spam, Scam, etc. (That's only a little bit better than .gq, the last "lifetime achievement winner" we profiled a few months ago.)

The next step involved looking at recent traffic, to see how those statistics might compare to the historical data. The recent traffic data came from two different lists from our WebPulse logs:

  • The top 100 .xyz sites in our overall traffic (using a one-week window).
  • The top 250 .xyz sites in our "most interesting" logs (using a two-week window; many of these sites were also in the Top 100 list above).

[As a refresher, I consider our "most interesting" traffic to be the sites that aren't yet in our main database. These are relatively new sites, or low traffic ones -- or both -- what you might call the "edge of the map" or "out in the weeds"... --C.L.]

 

Looking at the most active sites (about the top 130 of them), there were just 23 with non-shady category ratings, or about 1 in 6. However, skimming further down the list, it was very apparent that all of the remaining sites in the "Top 250" were shady (nearly all of them part of a big spam network), so the actual percentage of shady sites in recent .xyz traffic is roughly 91% (227 out of 250).

 

Examples of Shady .XYZ Sites

As in past expeditions into Shady TLD lands, the majority of the shady activity is not traditional malware.

  • There were quite a few examples of sites in a "shocking video" network

screenshot of _shocking video_ site

(It's a different look, but a similar concept, to the example we showed in the blog post on .GQ sites.)

 

  • There was a large junk network (looks like spammers), using subdomains on random-six-letter-domains (e.g., mtmiss.xyz, mineex.xyz, useesp.xyz, rudead.xyz, ineats.xyz, scrami.xyz, ...)

 

  • There was a nice assortment of scam sites: a work-from-home site pretending to be a major Indian news site (indianews.com-40rxk6itwdk71bdcb6xlq9cst3upsp.xyz), several "amazing deals" type sites (e.g., amazingdeals.xyz), and a large network of Chinese sites peddling medicines for a variety of needs:  heart attacks, aphrodisiacs, looking younger, abortions, etc. The Chinese sites used domains consisting of random words glued together: areaairports.xyz, shiftingsmokers.xyz, theyrefriends.xyz, and my personal favorite, retirementspacecraft.xyz. Clearly, these domain names have nothing to do with the content:

screenshot of scammy health site

(Area Airports? Really?)

 

  • There were multiple PUS (potentially unwanted software -- adware/spyware) networks using .xyz domains, the largest being associated with the InstalleRex/MultiPlug group. (They managed to place several sites in the Top 20, including findville.xyz, levelstate.xyz, providerstore.xyz, and more.)

 

  • There were a lot of junk-content sites associated with SEO (search engine optimization) networks.

 

  • There were quite a few porn sites (almost all of them non-English).

 

  • There were some "warez" and "torrent" sites. Warez are one of the "old standby" forms of bait for Bad Guys to attract victims, and sure enough, one of the warez sites was a false front for a Malware/PUS network:

screenshot of fake-warez site

Following the links from this site, I downloaded a "JewelQuest" game -- which wasn't what it appeared to be, earning almost 20 hits from VirusTotal. That's on the border between PUS and Malware, which brings us to our final examples...

 

.XYZ-sploits

Adnan's post caught my eye because it mentioned that we had seen an interesting change in one of the exploit kit families we track. [Provisionally identified as Angler.] Instead of its typical approach, using rogue subdomains on legitimate domains, it had begun using subdomains on new .xyz domains.

The family of domains in Adnan's write-up followed a pattern of "legitimate word + two random letters", such as:

overjoyedst.xyz
possessedaa.xyz
unfortunatest.xyz
publishedux.xyz
naturalistsky.xyz
flowerbeder.xyz
fireworksht.xyz
cultivatedci.xyz
magazinesdj.xyz
throbbingiv.xyz
intellectualme.xyz
proceedingsxu.xyz
ownershipep.xyz
agreeablefw.xyz
intimidatens.xyz
unanimouslyxy.xyz
wildernessax.xyz
hypothesisbx.xyz
likelihoodkp.xyz

These lived on a set of four IP addresses in a single /24 block in Germany:

5.1.82.185
5.1.82.184
5.1.82.178
5.1.82.103

 

Summary

The range of junk, shady, and malicious sites on .xyz pretty much runs the gamut of things that we keep an eye out for -- about the only thing missing was command-and-control (C&C) traffic for a botnet.

Adnan rectified this oversight last night, pointing out that one of our Malware Analysis Appliance sandboxes had reported C&C traffic in a malware sample it had detected as Emotet (a banking trojan) -- and the C&C domain was nsb.pizzanowijoin.xyz. (This didn't have enough traffic in our logs to even come close to making the Top 250 list, so it's a bonus item...)

 

In fairness to .xyz, there were a non-negligible number of legitimate sites, as mentioned, and if we measure by total number of requests, then .xyz isn't a ghetto, just a rougher section of town. However, if we focus on the much larger number of lower-traffic sites, the numbers look a lot worse, as mentioned above in the Overview.

Accordingly, as with most of the other shady TLDs we've profiled in this series, we recommend that you stay away from .xyz sites.

 

--C.L.  @bc_malware_guy

--A.M.S.  @xanda