Using ICANN zone files, we can search all active domains for fraudulent sites whose domain name and look-and-feel mimic the legitimate products they are impersonating. These fake sites offer software downloads that look genuine but carry malware. In this article, we’ll look at a fake Quickbooks site offering a download that contains the infamous Redline Stealer.

If you would like to download the files we’ll be analyzing to follow along, you can get them here:

How to find fraudulent sites

ICANN is the internet’s governing body that coordinates all domain TLDs, from the public .com, .net, .org, etc. to private ones registered by companies, like .audi, .nike, etc. Creating an account with ICANN here allows you to apply for access to a list of all active domains for specific TLDs (aka zone files). Once you’ve gone here to select the zone files you’d like to search, you’ll go through an application process that asks for your personal information and what you intend to do with the data. Most TLDs are approved within minutes to hours; some take longer, around 1-3 days. I applied for access to every TLD they offered, and over the course of two weeks, 99% of them had been approved.

If you don’t want to go through ICANN, you can buy a one-month subscription to a site like

Searching the zone files

Depending on where you get the zone files, they can be as large as 7 GB+ gzipped. A trick I found for searching these large gzipped files without extracting them to disk is to stream the decompressed output straight into grep with a command like:

gunzip -c ALLZONES_zone_full.gz | grep "quickbooks" > quickbooks-domains.txt
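The same streaming search, as an added example that is not part of the original article, wrapped in a function that also handles two details the one-liner above does not: zone files list one line per NS record, so each domain appears several times and must be de-duplicated, and matching is done case-insensitively. The zone file content is constructed here for illustration; real ICANN zone files use the same "name TTL in ns nameserver" layout.

```shell
#!/bin/sh
# Added example (not from the original article): stream-search a gzipped
# zone file for domains containing a brand keyword without extracting it.
set -eu

# make_sample_zone <path.gz>: writes a small constructed zone file in the
# ALLZONES-style "name TTL in ns nameserver" format, gzipped.
# Note that quickbooksupdate.net appears twice (two NS records).
make_sample_zone() {
  printf '%s\n' \
    'quickbooks-download.com. 172800 in ns ns1.example-dns.net.' \
    'example.com. 172800 in ns a.iana-servers.net.' \
    'quickbooksupdate.net. 172800 in ns ns2.example-dns.net.' \
    'QuickBooks-Pro.org. 172800 in ns ns1.example-dns.net.' \
    'quickbooksupdate.net. 172800 in ns ns3.example-dns.net.' \
    'unrelated.org. 172800 in ns ns1.example.net.' \
    | gzip -c > "$1"
}

# search_zone <zone.gz> <keyword>: prints each matching domain once,
# lowercased, with the trailing dot removed, sorted.
search_zone() {
  gunzip -c "$1" \
    | grep -i -- "$2" \
    | awk '{ print tolower($1) }' \
    | sed 's/\.$//' \
    | sort -u
}

# Example run (constructed data); prints the three quickbooks* domains.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_zone "$tmp"
  search_zone "$tmp" quickbooks
  rm -f "$tmp"
fi
```

On a real ALLZONES file, `search_zone ALLZONES_zone_full.gz quickbooks > quickbooks-domains.txt` produces the de-duplicated list directly, ready for review.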

Resulting in files like this: