FWIW one of the people involved in the takedown has reported that most of the 800K domain names were DGA.

Here was my nutshell overview summary synopsis posted elsewhere:

DGA = Domain Generation Algorithm (term in Wikipedia.)

So an infected bot and a C&C (command and control computer) have an algorithm -- on the bot it's in the virus -- to generate seemingly random domains using seeds such as the current date.

Usually more sophisticated but that's the idea, the goal is that both ends generate the same seemingly random domain.

So they'll each generate for example xerv1dvm and attach it to a TLD, it doesn't matter what, xerv1dvm.foo, or it could be .com or whatever.

They resolve it because they also infect the host's DNS resolver software (or just inject their own, same thing) so it queries a non-standard root server controlled by the attacker, could just be the C&C computer, which will return an IP address for the infected bot to use.

This setup allows these systems to change these parameters as often as they like, every minute or less if needed tho that's probably not necessary, every hour might do or even just once a day.

Whatever it takes to stay one step ahead of anyone seeking to interfere with them such as law enforcement.

TL;DR: There needn't be any (accredited) registrars/registries involved.

--
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
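The property described in the post above, that both ends derive the same names from a shared seed such as the date, also means a defender who has recovered the algorithm can precompute the names and look for them in resolver logs. The following is an added example, not part of the original post: `toy_dga_labels` is a hypothetical generator (not any real family's algorithm), and the "timestamp client qname" log format and sample lines are constructed.

```python
import hashlib
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def toy_dga_labels(day, count=5, length=8):
    """Hypothetical date-seeded generator; not any real malware family's algorithm."""
    labels = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        labels.append("".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length]))
    return labels

def flag_queries(log_lines, day, window=1):
    """Return (client, qname) for queries whose leftmost label is predicted
    for day +/- window days (the window absorbs clock skew on the bot)."""
    predicted = set()
    for offset in range(-window, window + 1):
        predicted.update(toy_dga_labels(day + timedelta(days=offset)))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        client, qname = parts[1], parts[2]
        # The TLD is irrelevant to the scheme, so compare only the first label.
        label = qname.rstrip(".").lower().split(".")[0]
        if label in predicted:
            hits.append((client, qname))
    return hits

# Constructed sample data: "timestamp client qname" is an assumed log format.
DAY = date(2024, 1, 15)
LABELS = toy_dga_labels(DAY)
SAMPLE_LOG = [
    "2024-01-15T10:00:01Z 10.0.0.5 www.example.com.",
    f"2024-01-15T10:00:02Z 10.0.0.7 {LABELS[0]}.foo.",
    f"2024-01-15T10:00:03Z 10.0.0.7 {LABELS[3].upper()}.com.",
    "2024-01-15T10:00:04Z 10.0.0.9 mail.example.org.",
    "malformed-line",
]

if __name__ == "__main__":
    for client, qname in flag_queries(SAMPLE_LOG, DAY):
        print(f"{client} queried predicted name {qname}")
```

Because the match ignores the TLD, the same predicted label is caught under `.foo`, `.com` or any other suffix, including names that would never resolve through the public root.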