
By sifting through the records for the high-ratio results, some interesting information can be discovered. In some cases, high-ratios were caused by numerous transactions to a popular site or service, such as a popular social networking site in a particular ccTLD. However, high-ratios may also represent malicious command and control (C&C) or information drop servers that have a large number of transactions beaconing to them.
An example of a TLD that bubbled to the top was .LY. This domain had more than double the monthly ratio value of .COM. This high-ratio is explained by the TLD being relatively unpopular for our customers in terms of unique domains visited, but having a large number of transactions to a popular domain: BIT.LY, a URL shortening service.
Another TLD, .NU, had more than double the monthly ratio of .LY. After conducting analysis on the results, I detected that there were several customers beaconing to a .NU site over HTTP on port 53/TCP (generally used for DNS). Upon further investigation the customers were infected with a previously undetected variant of the Win32.PcClient Backdoor. The full research report of the detection methodology and incident analysis can be read HERE.