takedowns

What's in a name?

Posted on September 28, 2011 - 15:31 by mweinstein

One of the most interesting aspects of yesterday's announcement of another botnet takedown engineered by Microsoft was the naming of the owners of the .cz.cc domain in their lawsuit.

...this case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains – making it easy for domain owners to look the other way.

Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.

Microsoft should be applauded for its effort, as well as for raising awareness of intermediary service providers' roles in perpetuating badware. I don't understand, though, their heavy-handed focus on customer identification. True domain registrars, at least those accredited by ICANN, are already required to collect and publish valid contact information for domain registrants, yet this hasn't seemed to help much in preventing malicious registrations or tracking down the criminals. There are many reasons for that, such as privacy proxies that shield the identities of the registrants, weak enforcement by ICANN, use of stolen credentials, and the difficulty of verifying the validity of customer information.

I also wonder about dotFREE, the operator of the .cz.cc subdomain service. After the entire .cz.cc domain was pulled from Google Search results due to the high malware and low quality rates of cz.cc subdomains, dotFREE claimed to be implementing a number of reasonable security precautions, from hiring more abuse staff to suspending accounts that appeared on popular badware blacklists. All talk, no action? Could be. Too little, too late? Maybe. But what if they were doing all these things and making a good faith effort to prevent continued abuse of their domain? Was the fact that they didn't verify and publish contact information for their customers enough to make them liable for the malicious use of their subdomains? Perhaps the fact that they were marketing their service like a registrar, but not behaving like an accredited registrar, is enough to do them in?

It will be up to the courts to decide on whether dotFREE is liable under U.S. law. I'd push back against Microsoft, though, and say the industry discussion shouldn't be about "public and accountable subdomain registration practices," but rather about identifying more broadly the philosophical and perhaps legal expectations for how such providers should contribute to the safety of the Internet.

The Coreflood takedown: building a better, broader botnet response

Posted on April 15, 2011 - 11:33 by imeister

Wednesday’s court-sanctioned takedown of the Coreflood botnet by the Department of Justice and the FBI has made big headlines in badware news. This is the second high-profile takedown to make it through the U.S. court system in as many months; Microsoft persuaded a court to allow them to take down the Rustock botnet only a month ago. But there are some key differences in the legal posture and tactics used in Coreflood that should inform future efforts to take down botnets — and invite further questions.

  1. Government in the driver’s seat. The biggest procedural departure in the Coreflood action is the party bringing it: a government attorney, not a private corporation, is asking the court system for relief. When Microsoft filed suit in a federal court in Washington to shut down the Rustock botnet, it was not enough simply to present the court with strong evidence that illegal activity was taking place and that its proposed takedown tactics would stop it — it had to carry the burden of showing how Microsoft itself was harmed by the botnet’s activities. It took Microsoft an entire month to obtain the restraining order it required. The U.S. Attorney in the Coreflood action, by contrast, benefited from the legal presumption that the government has standing to act to stop Coreflood’s illegal activity (wire fraud, bank fraud, and illegal wiretapping): within two days of filing its complaint, the necessary restraining order was issued.
  2. Disabling the botnet, not just its heads. When Microsoft took down the Rustock botnet, it did so by seizing the U.S.-based command and control servers it had identified and disabling the domain names and DNS records Rustock used to route bot traffic to the servers. This left the Rustock botmasters unable to issue further orders to the compromised computers and eliminated the immediate threat Rustock posed; however, it left no obvious path for identifying and targeting individual bots for cleaning. In the Coreflood action, the court’s restraining order directed registrars and DNS providers to point the seized domains to two specially designed servers set up at the Internet Systems Consortium. The servers transmit a ‘kill’ signal to botnet members and log their IP addresses for follow-up. This approach transfers control of the botnet to law enforcement rather than destroying it, and in so doing preserves the ability to identify botnet members as they ‘check in’ with the new command and control servers.
  3. Working with partners to clean affected computers. In addition to partnering with the Internet Systems Consortium, the government also coordinated the Coreflood shutdown with Microsoft. In a security bulletin released yesterday, Microsoft provided full disclosure of the workings of the Coreflood badware and updated its free Malicious Software Removal Tool to allow affected users to clean their computers. According to Wired's Threat Level blog, the government intends to provide lists of affected U.S. IP addresses (which the government claims make up 1.8 million of the 2.3 million Coreflood botnet members) to ISPs so that users with compromised computers can be notified.
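Points 2 and 3 describe the defensive half of a sinkhole: the substitute servers log the IP address of every bot that checks in, and those logs become the per-ISP notification lists mentioned in point 3. The following is an added example, not code from StopBadware, ISC, Microsoft or the Department of Justice, of how such check-in logs can be turned into de-duplicated notification lists. It assumes a constructed one-line-per-check-in log format (`timestamp bot-ip seized-domain`) and a small hypothetical prefix-to-ISP table standing in for a real IP-to-ASN lookup; the Coreflood protocol and the ‘kill’ signal itself are not described on this page and are not modelled here.

```python
"""
Aggregate sinkhole check-in logs into per-ISP notification lists.

Added illustration; not code from StopBadware, ISC, Microsoft or the DoJ.
Assumptions (all constructed for this example):
  - each log line is:  <ISO-8601 UTC timestamp> <bot-ip> <seized-domain>
  - ISP_PREFIXES is a stand-in for a real IP-to-ASN / abuse-contact lookup
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log; the domains use the reserved .invalid TLD and the
# IPs come from documentation ranges. One malformed line is included to show
# that the parser skips it rather than aborting.
SAMPLE_LOG = """\
2011-04-13T10:00:01Z 198.51.100.23 example-c2-a.invalid
2011-04-13T10:00:02Z 203.0.113.9 example-c2-b.invalid
2011-04-13T10:00:05Z 198.51.100.23 example-c2-a.invalid
2011-04-13T10:01:10Z 198.51.100.77 example-c2-a.invalid
2011-04-13T10:02:00Z 192.0.2.200 example-c2-b.invalid
this line is deliberately malformed and must be skipped
2011-04-13T10:03:00Z 203.0.113.9 example-c2-a.invalid
"""

# Hypothetical prefix -> ISP mapping (a real deployment would use ASN data).
ISP_PREFIXES = {
    "198.51.100.0/24": "isp-one",
    "203.0.113.0/24": "isp-two",
}


def parse_checkins(log_text):
    """Yield (timestamp, ip, domain) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts_str, ip_str, domain = parts
        try:
            ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # bad timestamp or bad address: not a usable record
        yield ts, ip, domain


def lookup_isp(ip, table=ISP_PREFIXES):
    """Map an address to an ISP name via longest-prefix-free table scan."""
    for prefix, name in table.items():
        if ip in ipaddress.ip_network(prefix):
            return name
    return "unknown"


def build_notification_lists(log_text, table=ISP_PREFIXES):
    """
    Return {isp: {ip: record}} where record has first_seen, last_seen,
    checkins (count) and the set of seized domains the bot contacted.
    Each bot IP appears exactly once, however often it checked in.
    """
    per_isp = defaultdict(dict)
    for ts, ip, domain in parse_checkins(log_text):
        rec = per_isp[lookup_isp(ip, table)].setdefault(
            str(ip),
            {"first_seen": ts, "last_seen": ts, "checkins": 0, "domains": set()},
        )
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["checkins"] += 1
        rec["domains"].add(domain)
    return dict(per_isp)


def unique_bot_count(lists):
    """Total number of distinct bot addresses across all ISPs."""
    return sum(len(ips) for ips in lists.values())


def render_report(lists):
    """Produce one line per (isp, ip) suitable for handing to an abuse desk."""
    lines = []
    for isp in sorted(lists):
        for ip, rec in sorted(lists[isp].items()):
            lines.append(
                f"{isp}\t{ip}\tcheckins={rec['checkins']}\t"
                f"first={rec['first_seen']:%Y-%m-%dT%H:%M:%SZ}\t"
                f"last={rec['last_seen']:%Y-%m-%dT%H:%M:%SZ}"
            )
    return lines


if __name__ == "__main__":
    lists = build_notification_lists(SAMPLE_LOG)
    print(f"{unique_bot_count(lists)} distinct bots seen")
    print("\n".join(render_report(lists)))
```

The de-duplication matters because a bot re-checks in many times; the notification list an ISP receives should carry one entry per address with first/last seen times, which is also what lets an ISP tell a still-infected host from one that was cleaned after the first sighting.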

At this point, the Coreflood takedown seems like a valuable re-imagining of the legal and logistical processes used in past takedowns. While some, including the EFF, have expressed concerns about the government issuing commands to U.S. computers via a specialized command and control server, the question remains: is there a more appropriate party to request relief when U.S. law is violated? The takedown order and planned government response bear many of the hallmarks of the sort of collaboration StopBadware believes is critical to fighting badware. The government has enlisted registrars, registries, and DNS providers to wrest control of a botnet; Microsoft, to provide a freely available cure for infected computers; and is about to enlist ISPs to encourage users to rid themselves of badware.

It’s an object lesson in the need to coordinate among stakeholders in the Internet ecosystem, and it acknowledges that infected users and computers are important participants in that ecosystem. While the criminal activity enabled by botnets like Coreflood is the most obvious target for remediation, every member of a botnet is, by definition, a computer with unpatched and exploitable software vulnerabilities that can enable future badware infection.

Will ISPs succeed in notifying their users about Coreflood infections? Will users be able to clean their computers effectively? The success — or failure — of this initiative should reveal a lot about the effectiveness of holistic approaches like this one.