Is malware in the domain of registrars?

What role should domain name registrars and registries play in combating web-based badware? And what stands in their way of being effective?

During our most recent Partners Forum call, we had an animated discussion related to these two questions. Our conversation covered a lot of ground, but here are a few key points that came up:

  • There is substantial variation in how registries and registrars see their own roles. Some disavow any responsibility for addressing malicious name registrations. Others are much more hands-on.
  • Registries and registrars come in all shapes and sizes. Smaller ones may need tools or support to manage abuse effectively.
  • Often, for those reporting malicious URLs/sites, it's the hosting providers rather than the registrars/registries that are the best first point of contact. (Though in some cases, the hosting providers are the registrars.)
  • Registrars/registries have understandable concerns about being overzealous in shutting down domains. It's easier to justify takedowns of harmful code than undesirable/illegal content, and of purely malicious domains than compromised domains. Registrars and registries need tools and data sources that help increase their confidence in differentiating between these cases.
  • Takedowns are not the only remedy. Education of customers (in cases of compromise) can be a valuable role for registrars/registries (possibly in collaboration with StopBadware or other parties).

It's clear that we have not definitively answered our two questions, but we've come up with great fodder for further discussion and action. If you want to be part of the conversation, we're always looking to add new Partners.

China restricts registration of .cn names

The China Internet Network Information Center (CNNIC) announced new rules a few days ago that are intended to "enhance the authenticity, accuracy, and integrality [sic] of the domain name registration information."
These rules require applicants for .cn domain names to submit copies of their business license and personal ID for review by the registrar within five days of registering the name. There are two big questions that aren't clear from the announcement:
First, does the requirement to submit a business license apply only to registrations on behalf of businesses, or does this mean that individuals are no longer allowed to register .cn domain names? The latter would be a substantial restriction on the Internet privileges of individuals in the country.
Second, what happens between the time an online registration occurs and the end of the five-day period? Is the domain active during this time, or does the domain not become active until after the paperwork is reviewed? The exact language is "From the day of the submission of online application, if CNNIC does not receive the formal paper based application material within 5 days or the application material auditing is not qualified, the domain name to be applied will be deleted." This implies that someone can sign up for a domain name with fake information, use it for five days, and then have the name revoked. I suppose that's better than being able to use a fake domain indefinitely (sort of - it may make tracking down the perpetrator more difficult), but we've seen with domain tasting that this can be abused for creating ephemeral phishing and malware sites.
Underlying all of this, of course, is a long-running battle between privacy advocates who argue that being able to anonymously register a domain name extends the free speech opportunities, especially for dissidents in repressive regimes, and the security and law enforcement communities, which fret about the lack of accountability if the operator of a domain name cannot be tracked down. I'm not sure whether ICANN's requirement for registrars to disable domains with false registrant information applies to country-level TLDs, but the CNNIC policy for .cn domains would certainly be consistent with that requirement, if more heavy-handed than we've seen from most registrars.
[Update 12/18: Berkman Center Fellow Donnie (Hao Dong) posted this piece explaining even more aggressive measures being taken by the Chinese government to crack down on malicious use of domain registrations. This will almost certainly reduce the number of misused Chinese domain names, but as indicated above, we may see some additional consequences.]

Directi, KnujOn, HostExploit to work together

Posted on September 10, 2008 - 13:07 by mweinstein

I recently blogged about two reports related to business practices of web-related companies. One of those companies, Directi, was the direct target of the KnujOn report and was mentioned in Jart Armin's report, as well. I blogged about Directi's response to the KnujOn report last week.
This week, Directi, KnujOn, and HostExploit (Jart's company) released a joint statement:

In light of recent developments, Jart Armin of, Bhavin Turakhia, CEO of Directi and Garth Bruen of Knujon have had an open dialogue and mutually agreed to release this joint statement as an accurate representation of facts, clearing any previous misconceptions and reaffirming their common goal to combat abuse on the Internet.

You can read the statement for the specifics, but I want to applaud the public commitment by all three parties to working together to fight badware. So far, Jart tells us that they have removed thousands of badware and spam domains. It will be interesting to see how this plays out and, in particular, how Garth, Jart, and other members of the security community evaluate Directi's follow-through.
Also this week, both Directi and EstDomains (which was mentioned prominently in Jart's report) contacted us to request that we send any data about domains registered through their respective services to them so they can take appropriate action. We don't currently analyze registrars, though we hope to sometime soon, and we will, of course, make the data available to the registrars to the extent practicable if/when we have such data.
All of this activity raises an interesting (and long-standing) question about the role of domain registrars in policing the content of sites. Should a domain registrar be expected to deactivate a domain that is known to be associated with badware? If so, who is the authority that decides which sites should be taken down? How is the process kept transparent? How are errors corrected? What about legitimate sites that have been infected without the owner's knowledge (like many of those in our Clearinghouse)? What about sites that are potentially "bad" in other ways, like violating local laws, perpetuating defamation, or trafficking in child pornography? Let us know what you think in the comments.