Microsoft has added another notch in its botnet gun belt, taking action against subdomain registry operator, cz.cc. What distinguishes Operation b79 from Rustock is that Microsoft has named defendants - Dominique Alexander Piatti and the dotFREE Group SRO - along with nearly two dozen John Does in its ex parte temporary restraining order. The complaint alleges that the Defendants ran command and control operations for a fast flux botnet named "Kelihos" via domain names assigned from cz.cc: specifically names such ascyvgtbxa.cz.cc were created for the purpose of hosting malware, running scareware or spamming campaigns. |
Photo by Willie Lunchmeat |
Microsoft claims that through these actions, the Defendants knowingly caused harm to Microsoft, its customers, and the public.
Claims for Relief
The claims for relief against the Defendants range from violations of the Computer Fraud & Abuse Act Title 18 (1030), CAN SPAM Title 15 (7704) Act, and Electronic Communication Privacy Act Title 18 (2701) to common law trespass, unjust enrichment, and negligence. The complaint demands for a jury trial.
The article at Microsoft's TechNet Blog explains that "Naming defendants in this case marks a big step forward for Microsoft in making good on its commitment to aggressively protect its platform and customers against abuse from whomever and wherever it may originate. Naming these defendants also helps expose how cybercrime is enabled when domain providers and other cyber infrastructure providers fail to know their customers..."
Subdomain Registrations Play Prominent Role
In this same blog post, you'll read "...this case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains –making it easy for domain owners to look the other way."
Rod Rasmussen and I warned that subdomain registrations would become a problem in 2008 in an APWG white paper,Making Waves in the Phisher’ Safest Harbors: Exposing the Dark Side of Subdomain Registries. In that article, we explained that subdomain registries are appealing to phishers for several reasons:
"1. Many hosting accounts are free, easy to set up, and simple to remotely administer. In some cases, a subdomain registration only requires a first name and email address for registration.
"2. With a small investment of time, phishers can find hosting services where registration is virtually anonymous. Within minutes, a phisher can upload a scam site immediately upon completion of a registration.
"3. Subdomain registries do not collect complete and accurate contact information. This exacerbates the already challenging process of deleting or “taking down” a phishing subdomain.
"4. Many subdomain registration services have no obvious or formal dispute resolution mechanism.
and
"5. Hosting service providers who fear reputational or other harm to their businesses may be reluctant to suspend a customer account without further investigation, subpoena, or court order."
These characteristics make subdomain registrations appealing for scareware and other scams as well. Kudos to Microsoft for taking aggressive action, exposing these issues, and hopefully setting precedent for others to take like action.
The Kelihos complaint targets subdomain registries, but some of the language Richard Domingues Boscovich (Senior Attorney, Microsoft Digital Crimes Unit) uses to describe the subdomain problem - "no requirements necessitating domain hosts to know anything", "easy for domain owners to look the other way" - are similar to objections that law enforcement, security professionals, and IP&T attorneys make regarding WHOIS and domain name registration policies and requirements. Microsoft has consistently pushed the envelope in its offensives against botnets and malware. Who's going to get caught in Microsoft's crosshairs next?