The Nuance of Takedowns: Malware Takedowns
Takedowns are a routine part of the Internet today. Companies, organizations, governments, and individuals regularly seek to have content removed for reasons ranging from the ideological to the legal. Here at PhishFort, we define a takedown as “the process of removing or restricting access to online content that is unauthorized, harmful, or infringes upon the rights of individuals or organizations.” For a victim in need of a takedown, the goal is binary: is the offending content gone or not? As practitioners, we know that getting there is anything but binary. While the outcome of a takedown is black-and-white, reaching it requires traversing a spectrum of grey. Is the content a website? Where is it hosted? Are the services involved reputable? Does it live within a social media platform?
Exploring these questions helps us understand the challenges and outcomes possible when requesting a takedown.
Malware and the Domain Name System
The DNS Abuse Framework uses the Internet & Jurisdiction Policy Network’s definition of malware:
“Malware is malicious software, installed on a device without the user’s consent, which disrupts the device’s operations, gathers sensitive information, and/or gains access to private computer systems. Malware includes viruses, spyware, ransomware, and other unwanted software.”
Modern malware is rarely designed to simply destroy a system. Instead, it typically aims to exfiltrate data or recruit the device into a botnet to launch further attacks. Both goals require consistent communication with the outside world.
If you are a threat actor writing this malware, you generally avoid hard-coding IP addresses, because a static address is trivial to block and, once blocked, strands every infected device. Instead, you use domain names, often generated by a Domain Generation Algorithm (DGA): a deterministic function of some seed (commonly the current date) that produces a list of candidate domains for each period. The malware is programmed to “check in” with those domains in turn; the operator, who runs the same algorithm, only needs to register one or two of them. If the malware successfully connects to a server via one of these domains, it can receive instructions or upload stolen data. Because the domains can be registered and abandoned in a heartbeat, they are the preferred way for malicious software to stay connected. The same determinism is the defender’s leverage: once the algorithm is recovered from a sample, the candidate domains for any future date can be computed in advance, matched against DNS logs, and reported for suspension or sinkholing.
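The following is an added illustration of the mechanism described above, not code from PhishFort or from any real malware family. The toy DGA (SHA-256 over a made-up seed, the date, and a counter), the TLD pool, the DNS log format, and the log lines themselves are all assumptions constructed for the example. It shows both sides of the coin: the malware and its operator derive the same domain list for a given day, and a defender who knows the algorithm can derive that list too and flag any host that looks one of those names up.

```python
"""Toy DGA and the defender's counter-move: precompute the day's candidate
domains and match them against DNS query logs.

Added example; algorithm, seed, TLD pool and log lines are constructed here
and do not come from any real malware family.
"""
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "org"]  # assumed TLD pool


def dga_domains(day: date, seed: bytes = b"toy-seed", count: int = 8) -> list:
    """Return `count` deterministic candidate domains for `day`.

    Malware and operator both run this; the operator registers only one
    or two of the outputs, the malware tries them all until one answers.
    """
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        label = digest[:12]  # hex characters only, so always a valid DNS label
        out.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return out


def find_dga_lookups(log_lines, day: date, seed: bytes = b"toy-seed", count: int = 8) -> list:
    """Return (client_ip, qname) pairs whose queried name is in `day`'s DGA set.

    Assumed log format: '<timestamp> <client_ip> <qname> <qtype>'. Lines that
    do not fit are skipped rather than raising, since logs are rarely clean.
    """
    candidates = set(dga_domains(day, seed, count))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in candidates:
            hits.append((client, qname))
    return hits


def upcoming_domains(start: date, days: int, seed: bytes = b"toy-seed", count: int = 8) -> dict:
    """Precompute candidate domains for the next `days` days, keyed by ISO date.

    This is the list a defender hands to a registrar or sinkhole operator
    before the attacker has registered anything.
    """
    return {
        (start + timedelta(days=n)).isoformat(): dga_domains(start + timedelta(days=n), seed, count)
        for n in range(days)
    }


# Constructed DNS query log: one benign lookup, one lookup of a domain in
# today's DGA set, and one lookup of yesterday's domain (no longer current).
DAY = date(2024, 1, 1)
SAMPLE_LOG = [
    "2024-01-01T09:00:01 10.0.0.5 www.example.com A",
    f"2024-01-01T09:00:02 10.0.0.5 {dga_domains(DAY)[2]} A",
    f"2024-01-01T09:00:03 10.0.0.9 {dga_domains(DAY - timedelta(days=1))[0]} A",
]

if __name__ == "__main__":
    for client, qname in find_dga_lookups(SAMPLE_LOG, DAY):
        print(f"{client} queried DGA domain {qname}")
    for iso_day, names in upcoming_domains(DAY, 2).items():
        print(iso_day, ", ".join(names[:3]), "...")
```

Note that `find_dga_lookups` only flags the current day’s set; a host that queries yesterday’s domain is not reported, which mirrors the limitation a real matcher has unless it also keeps a window of past and future days. `upcoming_domains` is the output you would actually attach to a takedown or sinkhole request: a short list of names, each tied to a date, rather than the algorithm itself.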
Traversing the Technical Chasm
The hardest part of a malware takedown is demonstrating exactly how a domain is being used as a weapon. You are often trying to communicate a highly technical, invisible flow of data to an analyst at a registrar or registry.
In many cases, the person staffing the “abuse” inbox may not be a dedicated security researcher. Their primary role might be in accounting, support, or legal compliance, with the abuse queue serving as an ancillary task. When you send a dense, 20-page report filled with hex dumps and packet captures, you aren’t being “thorough”. You are being confusing.
If an analyst is overwhelmed or doesn’t understand the evidence, they will almost always err on the side of caution and take no action. They are terrified of accidentally suspending a legitimate domain and facing the resulting liability. To get a “yes,” you must remove the technical friction.
The Power of Simplicity
To succeed, you must assume the person receiving your report has no technical background. Your job is to bridge the gap by explaining the harm in layman’s terms and providing “visual” proof of an invisible process.
If you have an executable that installs a keylogger and sends data to example[.]com, your report should focus on three “tangible” elements:
- The “Smoking Gun” Screenshot: Use tools like ANY.RUN or Joe Sandbox. A screenshot showing a process tree where a malicious file connects to the target domain is worth more than a thousand lines of logs.
- Third-Party Validation: Include a link to a VirusTotal scan. Registrars may not know who you are, but they recognize the weight of dozens of antivirus engines flagging the file in red.
- The “So What?”: Explain the impact. Instead of saying “The DGA-seeded binary exfiltrates via C2,” say “This file steals the victim’s passwords and sends them to this domain.”
What to Leave Out
Less is often more. To keep the analyst focused, avoid including:
- Packet Flow Analysis: Unless specifically asked, raw PCAPs are usually too dense for a first report.
- Esoteric Malware Names: Whether it’s Trojan.Win32.Generic or a threat-actor nickname like Fancy Bear doesn’t matter to a registrar; what matters is the behavior.
- Tangential Evidence: You might have noticed the registrant used the same email for fifty other domains. While interesting for your investigation, it can distract an analyst from the immediate task of killing the active malware domain.
Making the Decision Easy
In the world of malware, the domain is the infrastructure of the crime. But to a registrar, a domain is a customer asset. To bridge this divide, the practitioner must act as a translator.
When you provide a simple link chart, a clear screenshot of a sandbox execution, and a plain-English explanation of the theft occurring, you give the registrar the “cover” they need to act. By making the report easy to understand, you make the decision to suspend the domain easy to justify. In the nuance of takedowns, simplicity is your most effective tool.