Botnet chasers are expert folks from the private or public sector who pore over giga- or terabytes of data – network traffic, malware, DNS, and addressing information – to identify and confirm that a domain name, or perhaps hundreds of domain names, is being abused to support a botnet infrastructure. As is the case for phishing, child abuse, spam and other (criminal) abuses of the DNS, these investigators typically want to “take down” the domain.
The botnet takedown case is interesting for several reasons: (i) botnets often provide the attack infrastructure for other attacks (including phishing, spam, and denials of service), (ii) all of the infected (“botted”) devices that comprise the botnet often must resolve these domains to establish and remain in contact with the botnet command and control systems (“C&C”), and (iii) the C&Cs serve as the only or primary way for botnet operators to distribute executable code to the botted devices.
Dismantling botnets is tricky business and often involves coordinating court orders across several jurisdictions. Effecting changes to the DNS or Whois is a common element in botnet takedowns. Getting the language right across these orders is important to ensure you get the outcomes you seek.
Get the Language Right
The term “takedown” is overloaded and nonspecific. To some, it means “shut down the web site”. To others, it means “shut down the DNS”. Both are correct. Maybe. In botnet cases, what you may seek isn’t a takedown at all.
When you are preparing a court order, it’s important to say precisely what action you want a registry operator or registrar to take. Usually, you’ll want the complaint to effect changes to the DNS or Whois:
DNS: Affecting Botnet Name Resolution
You want your complaint to tell the registry to change name resolution for the domain(s) identified in the complaint in one of the following ways:
Terminate name resolution. Use this language when you want domain(s) identified in the complaint to stop resolving the names you enumerate in the court order to the Internet addresses for the C&C hosts. The served party (registrar or registry operator) will delete the domain’s name server records from the registry zone file, or will place a “hold” status on the domain, thereby removing it from the zone file and stopping resolution. This action dismantles or disrupts the botnet activity: botted computers cannot resolve the names they’ve been instructed to use to contact their C&C. They will be unable to receive instructions from their mother ship and thus can’t engage in attacks.
Change name resolution. Use language like “change or modify the name server records in the parent zone file of the domain names listed in this order to…” when you want to sinkhole or take control over the botnet for observation and analysis. You must supply the registry(ies) or registrar(s) with the name server information (hostnames, IP addresses) that you intend to employ as the authoritative name servers for the seized domain(s). The registry will replace any existing name server records in its zone file for the domains you list with the information you provide. You must then create resource records in the zone file(s) for the seized domains that direct traffic from botted devices to your sinkhole host so that you can investigate the botnet’s operation further. And of course, you must stand up a sinkhole host at the address(es) you specify in your zone file.
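The sinkhole side of the “change name resolution” option, as an added example that is not part of the original article: a small script that writes the authoritative zone for each seized domain (apex and a catch-all wildcard pointing at the sinkhole host) and classifies what the parent zone delegates once the registry has acted, so you can confirm the order was applied as worded. All hostnames and addresses are constructed placeholders.

```python
"""Sinkhole zone generation and post-order delegation check (added example).
Every hostname and address below is a constructed placeholder."""

# Constructed sinkhole name servers and sinkhole host (documentation ranges).
SINKHOLE_NS = ["ns1.sinkhole.example.", "ns2.sinkhole.example."]
SINKHOLE_HOST_IP = "192.0.2.20"


def sinkhole_zone(domain, serial, ns_hosts=SINKHOLE_NS, sink_ip=SINKHOLE_HOST_IP):
    """Return a minimal RFC 1035 zone for one seized domain.

    The apex and a wildcard both resolve to the sinkhole, so botted devices
    reach the sinkhole whatever C&C subdomain they were told to use. A short
    TTL keeps later corrections (or a rollback) from lingering in caches."""
    origin = domain.rstrip(".") + "."
    rname = "hostmaster." + ns_hosts[0].split(".", 1)[1]  # e.g. hostmaster.sinkhole.example.
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA {ns_hosts[0]} {rname} {serial} 3600 900 604800 300",
    ]
    lines += [f"@ IN NS {ns}" for ns in ns_hosts]
    lines.append(f"@ IN A {sink_ip}")
    lines.append(f"* IN A {sink_ip}")  # catch-all for any subdomain
    return "\n".join(lines) + "\n"


def delegation_state(observed_ns, sinkhole_ns=SINKHOLE_NS):
    """Classify the NS set the parent zone currently returns for a seized domain.

    observed_ns: NS hostnames seen in the parent's referral (empty if the
    domain was removed from the zone / placed on hold)."""
    observed = {n.lower().rstrip(".") + "." for n in observed_ns}
    wanted = {n.lower() for n in sinkhole_ns}
    if not observed:
        return "no-delegation"  # resolution terminated (hold / NS deleted)
    if observed == wanted:
        return "sinkholed"      # order applied exactly as worded
    if observed & wanted:
        return "partial"        # old and new NS mixed: bots may still reach the old C&C
    return "unchanged"          # registry has not acted (or acted on the wrong domain)


if __name__ == "__main__":
    # Constructed seized domain and a constructed former C&C name server.
    print(sinkhole_zone("botnet-c2.example", 2024010101))
    print(delegation_state(["ns1.sinkhole.example.", "ns.old-cc.example."]))
```

Feed `delegation_state` the NS names from a referral query against the parent zone’s servers for each domain listed in the order; anything other than “sinkholed” (or “no-delegation” for a termination order) means the order was not applied as written.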