[AfrICANN-discuss] Domain-name abuse proliferates; rogue registrars turn a blind eye

Anne-Rachel Inné annerachel at gmail.com
Mon Sep 14 13:16:55 SAST 2009


 Domain-name abuse proliferates; rogue registrars turn a blind eye
http://news.idg.no/cw/art.cfm?id=B809FA70-1A64-67EA-E4B5B30FF36D196B



Ellen Messmer
14.09.2009 07:25 | IDG News Service

Domain names are a key part of botnet and phishing operations, and
cyber-criminals are plundering domain-name registrars around the world to
get them.
For legitimate businesses, a domain name is a way to hang a shingle in
cyberspace. In the criminal world, domain names are a key part of
botnet<http://www.networkworld.com/news/2009/072209-botnets.html> and
phishing operations, and cyber-criminals are plundering domain-name
registrars around the world to get them.


Criminals are amassing domain names by registering them under phony
information, paying with stolen credit cards or hard-to-trace digital
currencies like
eGold<http://www.networkworld.com/news/2009/090209-five-indicted-in-long-running-cybercrime.html>,
and breaking into legitimate domain-name accounts. To add to the problem of
domain-name abuse, some rogue registrars often look the other way as the
money rolls in.

“There’s absolutely a big problem,” says Ben Butler, director of network
abuse at Go Daddy, an Arizona-based domain-name registrar that’s authorized
by the Internet Corporation for Assigned Names and Numbers and the
appropriate ICANN-accredited registries to sell domain names based on the
generic top-level domains (gTLD) that include .com, .aero, .info, .name and
.net.

Go Daddy has 36 million domain names under management for more than 6
million customers, making it one of the largest registrars around the globe.
It fights a round-the-clock battle to identify domain-name abuse, and if a
domain name is determined to be used for harmful purposes Go Daddy will
essentially “kill the domain name,” Butler says. (See related story, “How
registrars tackle domain name abuse”
<http://www.networkworld.com/news/2009/091409-domain-name-abuse-side.html>.)

During the suspension process, a malicious domain is redirected to a
non-resolving server that delivers an error message. That’s the preferred
process instead of outright cancellation, since it’s not always clear who
the owner of a malicious domain is. “We investigate literally thousands of
complaints on domain names each week,” Butler says. “And we suspend hundreds
of domain names per week.”

In spite of all these efforts, criminals still slip through the net, in part
because registration services are highly automated, validation processes are
insufficient, and the criminals are cagey, determined and technically savvy.

ScanSafe researcher Mary Landesman last month uncovered
evidence<http://www.networkworld.com/news/2009/082709-sql-attacks-linked.html>
that a handful of Go Daddy domains were being farmed out for use in three
distinct botnet-controlled SQL injection attacks against Web sites in India,
the U.S. and China.

But the larger issue is not about Go Daddy, which has a good reputation for
fighting domain-name abuse, Landesman says. Rather, the problem encompasses
the entire domain-name registration system, along with the faulty Whois
database of registrant information (overseen by ICANN) that contains fake
data, even total gibberish.

“It’s not intentionally designed for this kind of abuse, but it works in
favor of the criminals,” Landesman notes. Effective reform of the
domain-name registration process would strike at the heart of Internet
crime, she says.

Domain-name appeal

Criminals who mastermind
botnets<https://www.networkworld.com/news/2009/070909-botnets-increasing.html>
for spam, phishing, and denial-of-service attacks have come to rely on domain
names because it gives them “stability” in their controls, says Joe Stewart,
a researcher at Atlanta-based SecureWorks. “All the bots can map to the new
IP address when it comes up.”

“It would be a lot less convenient to use an IP address,” says Amichai
Shulman, CTO at Imperva, since this would tend to limit criminals to a more
specific set of servers.

Many note that criminals today can be seen making clever use of what’s known
as “fast flux” to rotate a botnet through “thousands of IP addresses using a
single domain or group of domains,” says Dean Turner, director of Symantec’s
global intelligence network. “It’s designed to defeat IP blacklists.”

“Domain names are easily portable,” says Sam Masiello, director of threat
management at McAfee. “They use fast flux for content delivery.”
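The fast-flux behaviour described above (one name, a low TTL, and a stream of ever-changing addresses) is something a defender can look for in their own resolver logs. The following is an added example, not code from the article or from any of the vendors it quotes. It summarises constructed passive-DNS-style observations per domain and flags names whose answers keep churning across many networks, while leaving alone a CDN-like name that also uses a low TTL but rotates within a small fixed pool; the thresholds are assumptions for the demonstration, not figures from the article.

```python
"""Heuristic fast-flux triage over resolver-log style DNS observations.

Added example for this article, not code from the article or any vendor it
quotes. All observations below are constructed and use RFC 5737
documentation addresses; the thresholds are assumptions chosen for the
demo, not values from the article or any standard.
"""
from collections import defaultdict
from datetime import datetime

# Constructed observations: (ISO timestamp, queried name, TTL in seconds,
# A records returned). Shaped like a passive-DNS feed or resolver log.
OBSERVATIONS = [
    # Constructed fast-flux pattern: low TTL, every lookup returns fresh
    # addresses scattered across several networks.
    ("2009-09-14T07:00:00", "flux.example", 180, ["203.0.113.10", "198.51.100.7", "192.0.2.44"]),
    ("2009-09-14T07:05:00", "flux.example", 180, ["203.0.113.88", "198.51.100.21", "192.0.2.150"]),
    ("2009-09-14T07:10:00", "flux.example", 180, ["203.0.113.5", "198.51.100.99", "192.0.2.201"]),
    ("2009-09-14T07:15:00", "flux.example", 180, ["203.0.113.130", "198.51.100.42", "192.0.2.17"]),
    ("2009-09-14T07:20:00", "flux.example", 180, ["203.0.113.211", "198.51.100.160", "192.0.2.93"]),
    ("2009-09-14T07:25:00", "flux.example", 180, ["203.0.113.77", "198.51.100.3", "192.0.2.250"]),
    # Constructed CDN-like pattern: also a low TTL, but answers rotate within
    # a small fixed pool on one network. This is the false-positive case a
    # TTL-only rule would trip over.
    ("2009-09-14T07:00:00", "cdn.example", 60, ["192.0.2.10", "192.0.2.11"]),
    ("2009-09-14T07:01:00", "cdn.example", 60, ["192.0.2.12", "192.0.2.13"]),
    ("2009-09-14T07:02:00", "cdn.example", 60, ["192.0.2.11", "192.0.2.10"]),
    ("2009-09-14T07:03:00", "cdn.example", 60, ["192.0.2.13", "192.0.2.12"]),
    ("2009-09-14T07:04:00", "cdn.example", 60, ["192.0.2.10", "192.0.2.12"]),
    ("2009-09-14T07:05:00", "cdn.example", 60, ["192.0.2.11", "192.0.2.13"]),
    # Constructed ordinary hosting: one address, long TTL.
    ("2009-09-14T07:00:00", "static.example", 86400, ["198.51.100.200"]),
    ("2009-09-14T19:00:00", "static.example", 86400, ["198.51.100.200"]),
]

# Assumed thresholds (not from the article); tune against your own resolver data.
MAX_TTL = 300          # seconds; flux nodes are rotated in and out quickly
MIN_UNIQUE_IPS = 10    # cumulative distinct addresses over the window
MIN_PREFIXES = 3       # distinct /24s; flux nodes are infected hosts on many networks
MIN_CHURN = 0.5        # share of answers in later lookups never seen before


def prefix24(ip: str) -> str:
    """Collapse an IPv4 address to its /24, a crude stand-in for an ASN lookup."""
    return ".".join(ip.split(".")[:3])


def summarize(observations):
    """Per-domain statistics plus a flagged verdict."""
    rows_by_domain = defaultdict(list)
    for ts, name, ttl, ips in observations:
        rows_by_domain[name].append((datetime.fromisoformat(ts), ttl, list(ips)))

    summary = {}
    for name, rows in rows_by_domain.items():
        rows.sort(key=lambda r: r[0])
        seen = set()
        churn_samples = []
        for i, (_, _, ips) in enumerate(rows):
            if i > 0:  # the first lookup is always "new", so skip it
                fresh = sum(1 for ip in ips if ip not in seen)
                churn_samples.append(fresh / len(ips))
            seen.update(ips)
        churn = sum(churn_samples) / len(churn_samples) if churn_samples else 0.0
        min_ttl = min(ttl for _, ttl, _ in rows)
        prefixes = {prefix24(ip) for ip in seen}
        flagged = (min_ttl <= MAX_TTL and len(seen) >= MIN_UNIQUE_IPS
                   and len(prefixes) >= MIN_PREFIXES and churn >= MIN_CHURN)
        summary[name] = {"lookups": len(rows), "unique_ips": len(seen),
                         "prefixes": len(prefixes), "min_ttl": min_ttl,
                         "churn": round(churn, 3), "flagged": flagged}
    return summary


def flagged_domains(observations):
    """Names worth a closer look as fast-flux candidates, sorted."""
    return sorted(n for n, s in summarize(observations).items() if s["flagged"])


if __name__ == "__main__":
    for name, s in sorted(summarize(OBSERVATIONS).items()):
        print(f"{name:16} lookups={s['lookups']} unique_ips={s['unique_ips']:2} "
              f"prefixes={s['prefixes']} min_ttl={s['min_ttl']:5} "
              f"churn={s['churn']:.2f} flagged={s['flagged']}")
```

The churn measure is what separates the two low-TTL names: the CDN-like name recycles the same four addresses, so after the first couple of lookups nothing new appears, whereas the flux name never repeats an address. In practice the /24 heuristic would be replaced by an ASN lookup and the thresholds calibrated on known-good traffic, and a flagged name is a lead for an analyst or a registrar abuse desk, not an automatic takedown.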

A report published in May highlights the role of domain names in phishing
cybercrime. The Anti-Phishing Working Group’s report, “Global Phishing
Survey: Trends and Domain Name Use in the 2nd Half of 2008,” shows that
there were 56,959 phishing attacks for that period occurring on 30,454
unique domain names.

Within that number, “we identified 5,591 that we believe were registered by
phishers,” the report says. “These ‘malicious’ domains represent about
18.5% of the domain names involved in phishing. Virtually all the rest were
hacked domains belonging to innocent site owners.”

The report notes that the number of phishing methods based on unique IP
addresses rather than domain names is steadily dropping, from the 6,336 seen
in the first half of 2007 to just 2,809 unique IP addresses in the second
half of last year.

Another trend, according to the report, is for phishers to use so-called
“subdomain registration services” via providers that give customers
subdomain “hosting accounts” beneath a domain name the provider owns. This
practice can only be mitigated by the subdomain providers themselves, “and
some of these services are unresponsive to complaints,” the report says.

This takes the problem to another level, particularly for ICANN, which has
no obvious authority outside of its direct contractual relationships with
registrars and registries in the ICANN-driven domain-name world.

Subdomains now count for about 12% of all domains involved in phishing, with
Russian freemail provider Pochta.ru and French hosting provider Wistee.fr
said to be the worst offenders among 360 subdomain registration providers.
However, the report notes the .com domain still scores as the largest single
TLD favored by phishers, accounting for 46% of the phishing domains
monitored for the period.

ICANN responds

VeriSign, the authoritative ICANN-accredited registry for .com and .net,
declined to discuss the topic of domain-name abuse. ICANN recognizes the
problem of domain-name abuse by the criminal underworld, but its policies
are still evolving, and there are a lot of uncertainties about ICANN’s
authority in this area.

“Criminal activity that concerns the abuse of domain names is a huge concern
to ICANN,” says Stacy Burnette, director of contractual compliance for the
Marina del Rey, Calif.-based organization. “It disrupts the system.”

The tip of the iceberg can be seen in irregularities in the Whois database.
ICANN gets thousands of complaints about registrars every year, many related
to perceived inadequacies or wrong information in the Whois database. ICANN
must review them all, and then contact registrars to report and remedy any
identified failings.

But when it comes to the broader problem of cyber-criminals’ abuse of domain
names, ICANN today is not in a position to play cop. “ICANN is a non-profit
organization, we are not a regulatory authority or a police authority,”
Burnette points out.

But ICANN has held meetings, including the “Generic Names Supporting
Organization Registration Abuse Policy Workshop” that took place in Mexico
in March, to discuss policies and guidelines it might want to embrace for
domain abuse and registration abuse.

Dave Piscitello, ICANN’s senior security technologist who works on such
issues, says ICANN plans to introduce a proposal in October for possible new
guidelines for tighter security in advance of ICANN’s planned expansion of
new gTLDs<http://www.networkworld.com/news/2009/062409-icann-new-domains.html>
next year.

Though not at liberty to discuss the specifics, he points out this proposal
will have to undergo a review by the entire ICANN community, and hold up to
criticism, before it has any chance to be adopted by the ICANN Board.

“We are focusing more on registration issues and malicious conduct,”
Piscitello says. “I don’t think anyone wants to see the DNS abused.”

VeriSign, he notes, recently proposed adding a strong-authentication service
for registrars and registrants for two-factor authentication. Other ideas,
such as requiring auditing of registrars, are definitely on the table at
ICANN, Piscitello says.

But he notes that the ICANN community is broad, consisting of countries that
have more influence over how their country-code top-level domains (ccTLD)
are used than ICANN. “We can set an example with the gTLDs, but only a
cooperative effort with all governments can solve this problem.”

Meanwhile, an ICANN committee last month issued a 154-page
report<http://www.icann.org/en/topics/policy/update-aug09-en.htm#8> on
the topic of fast flux and criminal abuse of domain names. Like any paper,
it doesn’t by itself necessarily mean change, but ICANN does note it could
lead the organization to “consider whether registration abuse policy
provisions could address fast flux by empowering registries/registrars to
take down a domain name involved in malicious or illegal fast flux.”

Piscitello says so far no consensus has been reached about what to do on
this issue. Detection methods to uncover criminal fast flux are quite
reliable, but there have been worries expressed about liability in the case
of false positives.

The domain name may be a handy tool in cybercrime today, “but one goal of
the DNS community is to take that tool out of the toolbox,” he said.

Making changes

There are many language and jurisdictional legal issues that make tackling
domain-name abuse problems extremely hard, says Ram Mohan, CTO at
Dublin-based registry services provider Afilias and a liaison for the ICANN
Security and Stability Advisory Committee (SSAC) on the ICANN Board of
Directors.

His opinion is that ICANN, which has overall responsibility for the Whois
database of registration information, has to find a way to validate the
entries.

“Some rules in ICANN are just broken,” Mohan says. The overall domain-name
registration system “was created at a time of a benign Internet. Today we
have no burden of validation and that can be fixed.” He also says it might
be a wise move to require some sort of security audit of the registrars and
registries.

Some doubt ICANN really has the authority or the will to adequately police the
system it oversees. Stewart at SecureWorks, for instance, thinks the
national CERTs chartered in each country for emergency response and security
warning should have their roles expanded to coordinate response to
cybercrime, such as domain-name abuse.

Mohan says he hopes some reform can be carried out before ICANN proceeds
with its plans next year to set up a whole new set of top-level
domains<http://www.networkworld.com/news/2009/062409-icann-new-domains.html>.
“ICANN is opening up the floodgates for top-level domains,” says Mohan. If
the domain-name registration system can’t be improved, the problem of abuse
can only be expected to get worse.

Attempts by industry to cut off criminal access to domain names are proving
difficult. The first globally organized effort to attempt that -- the
Conficker Working Group -- sought to disable domains targeted by the
Conficker worm<http://www.networkworld.com/news/2009/033109-blocking-conficker-domain-names.html>
for use in its command-and-control system. But after six months of trying,
there’s not much to show for it.

“Hats off to Microsoft for organizing this,” says Neustar’s Neuman. Neustar
joined the Conficker Working Group with others that have a measure of power
to influence the domain name system, including VeriSign, Afilias, Public
Internet Registry, Global Domains International, ICANN, and the Chinese
CNNIC, among others, including security vendor Symantec.

But the complex Conficker botnet -- now fairly quiet outside of attempts to
sell fake anti-virus software -- remains undiminished as a
command-and-control structure of about 4.5 million compromised computers it
quietly holds as zombies.

The Conficker Working Group, in spite of efforts to tie up millions of
domain names that Conficker was pre-programmed to use, was outflanked when
the botnet’s designers switched to ccTLDs in the .C version of Conficker
earlier this year.

The Conficker Working Group hasn’t been able to get enough ccTLD
participants on board to effectively tie up Conficker domains. “We have 90%
of the ccTLDs participating but 10% are not involved,” says Symantec’s Turner.

“It didn’t work,” says Dan Holden, X-Force product manager at IBM’s Internet
Security Systems
division<http://www.networkworld.com/news/2009/082609-ibm-malware-trojans.html>.

Microsoft, which has offered a $250,000 award for information leading to the
arrest and conviction of those responsible for Conficker, said in a
statement that the Conficker Working Group has established “a new level of
industry collaboration and cooperation” for a quick response effort and
method of defense, and that the Conficker investigation is still ongoing.

ICANN’s Piscitello says the importance of the Conficker Working Group is
that it “demonstrated that if we do get significant collaboration, we can
inflict a little pain on the criminal, make it more difficult. Its success
is having established a collaborative response.”

