America’s 10 most-wanted botnets
Criminals are amassing domain names by registering them under phony information, paying with stolen credit cards or hard-to-trace digital currencies like eGold, and breaking into legitimate domain-name accounts. To add to the problem of domain-name abuse, some rogue registrars often look the other way as the money rolls in.
“There’s absolutely a big problem,” says Ben Butler, director of network abuse at Go Daddy, an Arizona-based domain-name registrar that’s authorized by the Internet Corporation for Assigned Names and Numbers and the appropriate ICANN-accredited registries to sell domain names based on the generic top-level domains (gTLD) that include .com, .aero, .info, .name and .net.
Go Daddy has 36 million domain names under management for more than 6 million customers, making it one of the largest registrars around the globe. It fights a round-the-clock battle to identify domain-name abuse, and if a domain name is determined to be used for harmful purposes Go Daddy will essentially “kill the domain name,” Butler says. (See related story, “How registrars tackle domain name abuse”)
During the suspension process, a malicious domain is redirected to a non-resolving server that delivers an error message. That’s the preferred process instead of outright cancellation, since it’s not always clear who the owner of a malicious domain is. “We investigate literally thousands of complaints on domain names each week,” Butler says. “And we suspend hundreds of domain names per week.”
In spite of all these efforts, criminals still slip through the net, in part because registration services are highly automated, validation processes are insufficient, and the criminals are cagey, determined and technically savvy.
ScanSafe researcher Mary Landesman last month uncovered evidence that a handful of Go Daddy domains were being farmed out for use in three distinct botnet-controlled SQL injection attacks against Web sites in India, U.S. and China.
But the larger issue is not about Go Daddy, which has a good reputation for fighting domain-name abuse, Landesman says. Rather, the problem encompasses the entire domain-name registration system, along with the faulty Whois database of registrant information (overseen by ICANN) that contains fake data, even total gibberish.
“It’s not intentionally designed for this kind of abuse, but it works in favor of the criminals,” Landesman notes. Effective reform of the domain-name registration process would strike at the heart of Internet crime, she says.
Criminals who mastermind botnets for spam, phishing, and denial-of-service attacks have come to rely on domain names because it gives them “stability” in their controls, says Joe Stewart, a researcher at Atlanta-based SecureWorks. “All the bots can map to the new IP address when it comes up.”
“It would be a lot less convenient to use an IP address,” says Amichai Shulman, CTO at Imperva, since this would tend to limit criminals to a more specific set of servers.
Many note that criminals today can be seen making clever use of what’s known as “fast flux” to rotate a botnet through “thousands of IP addresses using a single domain or group of domains,” says Dean Turner, director of Symantec’s global intelligence network. “It’s designed to defeat IP blacklists.”
“Domain names are easily portable,” says Sam Masiello, director of threat management at McAfee. “They use fast flux for content delivery.”
A report published in May highlights the role of domain names in phishing cybercrime. The Anti-Phishing Working Group’s report, “Global Phishing Survey: Trends and Domain Name Use in the 2nd Half of 2008,” shows that there were 56,959 phishing attacks for that period occurring on 30,454 unique domain names.
Within that number, “we identified 5,591 that we believe were registered by phishers,” the report says. “These ‘malicious’ domains represent about 18.5% of the domain names involved in phishing. Virtually all the rest were hacked domains belonging to innocent site owners.”
The report notes that the number of phishing methods based on unique IP addresses rather than domain names is steadily dropping, from the 6,336 seen in the first half of 2007 to just 2,809 unique IP addresses in the second half of last year.
Another trend, according to the report, is for phishers to use so-called “subdomain registration services” via providers that give customers subdomain “hosting accounts” beneath a domain name the provider owns. This practice can only be mitigated by the subdomain providers themselves, “and some of these services are unresponsive to complaints,” the report says.
This takes the problem to another level, particularly for ICANN, which has no obvious authority outside of its direct contractual relationships with registrars and registries in the ICANN-driven domain-name world.
Subdomains now account for about 12% of all domains involved in phishing, with Russian freemail provider Pochta.ru and French hosting provider Wistee.fr said to be the worst offenders among 360 subdomain registration providers. However, the report notes the .com domain still scores as the largest single TLD favored by phishers, accounting for 46% of the phishing domains monitored for the period.
VeriSign, the authoritative ICANN-accredited registry for .com and .net, declined to discuss the topic of domain-name abuse. ICANN recognizes the problem of domain-name abuse by the criminal underworld, but its policies are still evolving, and there are a lot of uncertainties about ICANN’s authority in this area.
“Criminal activity that concerns the abuse of domain names is a huge concern to ICANN,” says Stacy Burnette, director of contractual compliance for the Marina Del Ray, Calif.-based organization. “It disrupts the system.”
The tip of the iceberg can be seen in irregularities in the Whois database. ICANN gets thousands of complaints about registrars every year, many related to perceived inadequacies or wrong information in the Whois database. ICANN must review them all, and then contact registrars to report and remedy any identified failings.
But when it comes to the broader problem of cyber-criminals’ abuse of domain names, ICANN today is not in a position to play cop. “ICANN is a non-profit organization, we are not a regulatory authority or a police authority,” Burnette points out.
But ICANN has held meetings, including the “Generic Names Supporting Organization Registration Abuse Policy Workshop” that took place in Mexico in March, to discuss policies and guidelines it might want to embrace for domain abuse and registration abuse.
Dave Piscitello, ICANN’s senior security technologist who works on such issues, says ICANN plans to introduce a proposal in October for possible new guidelines for tighter security in advance of ICANN’s planned expansion of new gTLDs next year (see http://www.networkworld.com/news/2009/062409-icann-new-domains.html).
Though not at liberty to discuss the specifics, he points out this proposal will have to undergo a review by the entire ICANN community, and hold up to criticism, before it has any chance to be adopted by the ICANN Board.
“We are focusing more on registration issues and malicious conduct,” Piscitello says. “I don’t think anyone wants to see the DNS abused.”
VeriSign, he notes, recently proposed adding a strong-authentication service for registrars and registrants for two-factor authentication. Other ideas, such as requiring auditing of registrars, are definitely on the table at ICANN, Piscitello says.
But he notes that the ICANN community is broad, consisting of countries that have more influence over how their country-code top-level domains (ccTLD) are used than ICANN. “We can set an example with the gTLDs, but only a cooperative effort with all governments can solve this problem.”
Meanwhile, an ICANN committee last month issued a 154-page report on the topic of fast flux and criminal abuse of domain names. Like any paper, it doesn’t by itself necessarily mean change, but ICANN does note it could lead the organization to “consider whether registration abuse policy provisions could address fast flux by empowering registries/registrars to take down a domain name involved in malicious or illegal fast flux.”
Piscitello says so far no consensus has been reached about what to do on this issue. Detection methods to uncover criminal fast flux are quite reliable, but there have been worries expressed about liability in the case of false positives.
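The fast-flux technique described earlier in this article (rotating a single domain through many IP addresses to defeat IP blacklists) and the detection-reliability and false-positive concern raised in this paragraph can be illustrated with a small heuristic detector. This is an added example, not code from the article, from ICANN or from any vendor quoted here; the passive-DNS record format, the domain names, the thresholds and the use of a /16 prefix as a stand-in for ASN diversity are all constructed assumptions.

```python
"""Heuristic fast-flux scoring over passive-DNS-style resolution records.

Added example (not from the article). Each record is a constructed
(domain, resolved_ip, ttl_seconds) tuple such as a resolver log or
passive-DNS feed would yield; thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class FluxReport:
    domain: str
    distinct_ips: int
    distinct_prefixes: int  # distinct /16 networks; crude proxy for ASN diversity
    min_ttl: int
    flagged: bool


def score_domains(records, min_ips=5, min_prefixes=3, max_ttl=300):
    """Return {domain: FluxReport}. A domain is flagged only when it shows
    many distinct IPs, spread across several networks, with short TTLs.
    Requiring network spread is what keeps a CDN (many IPs, one network)
    from being a false positive; it is a heuristic, not proof of abuse."""
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    ttls = {}
    for domain, ip, ttl in records:
        addr = ip_address(ip)
        ips[domain].add(addr)
        prefixes[domain].add(int(addr) >> 16)  # /16 bucket of the address
        ttls[domain] = min(ttls.get(domain, ttl), ttl)

    reports = {}
    for domain in ips:
        flagged = (
            len(ips[domain]) >= min_ips
            and len(prefixes[domain]) >= min_prefixes
            and ttls[domain] <= max_ttl
        )
        reports[domain] = FluxReport(
            domain, len(ips[domain]), len(prefixes[domain]), ttls[domain], flagged
        )
    return reports


def flagged_domains(records, **thresholds):
    """Sorted list of domains the heuristic flags for analyst review."""
    return sorted(d for d, r in score_domains(records, **thresholds).items() if r.flagged)


# Constructed sample feed using RFC 5737 documentation address ranges.
SAMPLE_RECORDS = [
    # flux-like: six IPs across three different /16s, TTLs of a few minutes
    ("flux.example", "192.0.2.10", 180),
    ("flux.example", "198.51.100.7", 120),
    ("flux.example", "203.0.113.3", 180),
    ("flux.example", "192.0.2.200", 60),
    ("flux.example", "198.51.100.88", 120),
    ("flux.example", "203.0.113.150", 180),
    # CDN-like: many IPs and a short TTL, but all inside one network
    ("cdn.example", "192.0.2.21", 30),
    ("cdn.example", "192.0.2.22", 30),
    ("cdn.example", "192.0.2.23", 30),
    ("cdn.example", "192.0.2.24", 30),
    ("cdn.example", "192.0.2.25", 30),
    ("cdn.example", "192.0.2.26", 30),
    # ordinary static host: one IP, day-long TTL
    ("static.example", "203.0.113.9", 86400),
]

if __name__ == "__main__":
    for report in score_domains(SAMPLE_RECORDS).values():
        print(report)
    print("flagged:", flagged_domains(SAMPLE_RECORDS))
```

Run as a script it prints one report per domain and flags only `flux.example`; the CDN-like domain has just as many IPs and an even shorter TTL but is not flagged because every address sits in one network, which is the kind of distinction a takedown policy would need before acting on a detector's output.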
The domain name may be a handy tool in cybercrime today, “but one goal of the DNS community is to take that tool out of the toolbox,” he said.
There are many language and jurisdictional legal issues that make tackling domain-name abuse problems extremely hard, says Ram Mohan, CTO at Dublin-based registry services provider Afilias and a liaison for the ICANN Security and Stability Advisory Committee (SSAC) on the ICANN Board of Directors.
His opinion is that ICANN, which has overall responsibility for the Whois database of registration information, has to find a way to validate the entries.
“Some rules in ICANN are just broken,” Mohan says. The overall domain-name registration system “was created at a time of a benign Internet. Today we have no burden of validation and that can be fixed.” He also says it might be a wise move to require some sort of security audit of the registrars and registries.
Some doubt ICANN really has the authority or the will to adequately police the system it oversees. Stewart at SecureWorks, for instance, thinks the national CERTs chartered in each country for emergency response and security warning should have their roles expanded to coordinate response to cybercrime, such as domain-name abuse.
Mohan says he hopes some reform can be carried out before ICANN proceeds with its plans next year to set up a whole new set of top-level domains. “ICANN is opening up the floodgates for top-level domains,” says Mohan. If the domain-name registration system can’t be improved, the problem of abuse can only be expected to get worse.
Attempts by industry to cut off criminal access to domain names are proving difficult. The first globally organized effort to attempt that -- the Conficker Working Group -- sought to disable domains targeted by the Conficker worm for use in its command-and-control system. But after six months of trying, there’s not much to show for it.
“Hats off to Microsoft for organizing this,” says Neustar’s Neuman. Neustar joined the Conficker Working Group with others that have a measure of power to influence the domain name system, including VeriSign, Afilias, Public Internet Registry, Global Domains International, ICANN, and the Chinese CNNIC, among others, including security vendor Symantec.
But the complex Conficker botnet -- now fairly quiet outside of attempts to sell fake anti-virus software -- remains undiminished as a command-and-control structure of about 4.5 million compromised computers it quietly holds as zombies.
The Conficker Working Group, in spite of efforts to tie up millions of domain names that Conficker was pre-programmed to use, was outflanked when the botnet’s designers switched to ccTLDs in the .C version of Conficker earlier this year.
The Conficker Working Group hasn’t been able to get enough ccTLD participants on board to effectively tie up Conficker domains. “We have 90% of the ccTLDs participating but 10% are not involved,” says Symantec’s Turner.
“It didn’t work,” says Dan Holden, X-Force product manager at IBM’s Internet Security Systems division.
Microsoft, which has offered a $250,000 award for information leading to the arrest and conviction of those responsible for Conficker, said in a statement that the Conficker Working Group has established “a new level of industry collaboration and cooperation” for a quick response effort and method of defense, and that the Conficker investigation is still ongoing.
ICANN’s Piscitello says the importance of the Conficker Working Group is that it “demonstrated that if we do get significant collaboration, we can inflict a little pain on the criminal, make it more difficult. Its success is having established a collaborative response.”