« How Much Are Your Personal Data Worth? | Main | Security Awareness »

Monday, 31 August 2015

Dismantling botnets: Dealing with DNS and Whois

Image by Matthew https://www.flickr.com/photos/purplemattfish/
Botnet chasers are expert folks from the private or public sector who pore over giga- or terabytes of data – network traffic, malware, DNS, and addressing information – to identify and confirm that a domain name, or perhaps hundreds of domain names, is being abused to support a botnet infrastructure.  As is the case for phishing, child abuse, spam and other (criminal) abuses of the DNS, these investigators typically want to “take down” the domain.

The botnet takedown case is interesting for several reasons: (i) botnets often provide the attack infrastructure for other attacks (including phishing, spam, and denials of service), (ii) all of the infected (“botted”) devices that comprise the botnet often must resolve these domains to establish and remain in contact with the botnet command and control systems (“C&C”), and (iii) the C&Cs serve as the only or primary way for botnet operators to distribute executable code to the botted devices.

Dismantling botnets is tricky business and often involves coordinating court orders across several jurisdictions. Affecting changes to the DNS or Whois are common elements in botnet takedowns. Getting the language right across these orders is important to ensure the outcomes you seek.

Get the Language Right

The term “takedown” is overloaded and unspecific. To some, it means “shut down the web site”. To others, it means, “shut down the DNS”. Both are correct. Maybe. In botnet cases, what you may seek isn’t a takedown at all. 

When you are preparing a court order, it’s important to say precisely what action you want a registry operator or registrar to take. Usually, you’ll want the complaint to affect changes to the DNS or Whois:

DNS: Affecting Botnet Name Resolution

You want your complaint to tell the registry to change name resolution for the domain(s) identified in the complaint in one of the following ways:

Terminate name resolution. Use this language when you want domain(s) identified in the complaint to stop resolving the names you enumerate in the court order to the Internet addresses for the C&C hosts. The served party (registrar or registry operator) will delete the domain’s name server records from the registry zone file, or will place a ‘hold” status on the domain, thereby removing it from the zone file and stopping resolution. This action dismantles or disrupts the botnet activity: botted computers cannot resolve the names they’ve been instructed to use to contact their C&C. They will be unable to receive instructions from their mother ship and thus can’t engage in attacks.

Change name resolution. Use language like “change or modify the name server records in the parent zone file of the domain names listed in this order to…” when you want to sinkhole or take control over the botnet for observation and analysis. You must supply the registry(ies) or registrar(s) with name server information (hostnames, IP addresses) that you intend to have employ as the authoritative name servers for the seized domain(s). The registry will replace any existing name server records in its zone file for the domains you list with the information you provide. You must then create resource records in the zone file(s) for the seized domains that direct traffic from botted devices to your sinkhole host so that you can investigate further into the botnet’s operation. And of course, you must stand up a sinkhole host at the address(es) you specify in your zone file.

Whois: Affecting Domain Registration

You want to transfer the domain registration away from the registrant to a party named in your complaint. How you prepare this part of the complaint effects domain registration data (Whois). Your court order should specify:

a)    The registrar that you will use to manage your domains (the “gaining registrar”). The current registrar should be instructed to provide the “AuthInfo” code that will allow you to transfer the domain to your registrar of choice, who must place the domain in an account that you control.  A registry can also force a registrar-to-registrar transfer, but you will then still need your registrar of choice to place the domain in an account that you control. 

b)   The points of contact information for you or the party whom you wish to be identified as the registrant, the administrative contact, and the technical contact.

c)    Domain status, which should be set to { clientTransferProhibited, clientDeleteProhibited }.

d)   The name server information for the domains (if you are sinkholing).

A registry that manages the entire set of domain registration data (“thick” Whois) can modify the entire registration data set to reflect the information you provide in the order. A registry that manages a partial set of registration data (“thin Whois” ”, such as .COM and .NET) will modify the registration data illustrated below.  

Domain Name: <should be specified in court order>
Registry Domain ID: <set by registry>
Registrar Whois Server: <set by registry to gaining registrar>
Registrar URL: <set by registry to gaining registrar>
Update Date: <set by registry>
Creation Date: <set by registry>
Registrar Registration Expiration Date: <set by registry>
Registrar: <should be specified in court order>
Registrar IANA ID: <set by registry>
Registrar Abuse Contact Email: <set by registry>
Registrar Abuse Contact Phone: <set by registry>
Domain Status: <should be specified in court order>

And the gaining registrar identified in the complaint will modify the points of contact information you provide in the order. Once the Registrar URL is set, any point of contact information that the losing registrar managed is overtaken by events: all Whois queries will be process by the thin registry and then the gaining registrar.

Why the right language matters…

When your court orders are unspecific regarding the disposition of registration data, you leave the registry or the gaining registrar to determine the contents of the registration data or the term of registration. In such cases, the DNS or Whois may be altered in any of several ways, with unintended consequences:

  1. The registrar might release the domain to the available pool. In this state a DNS query on this domain name will return a name error (NXDOMAIN) and a Whois query will return “No match”. The name is available for registration or (worse), re-registration by the botnet operator. This is clearly undesirable in many cases, as botted devices may be persistently querying the DNS to find their C&C. When this scenario concludes, the criminal actor can often resume malicious activity associated with the domain; for example, the actor can re-register the domain, resurrect command and control for a botnet, and restore communications with computers that are still infected with the malicious code associated with a botnet.

  2.  The registrar places the domain name is in a clientHold state (typically until the term of registration expires). In this state, the registrant cannot alter registration data, including name server information. This may be a partial success in cases where the botnet relies on changing name server addresses but it is not the same as terminating name resolution or sinkholing. Most importantly, if the registrar takes no action to modify the name server record, botted computers can still contact C&Cs.

  3. The registrar may set the registrant in the Whois record to a holding account, a special purpose registrant that the operator uses when suspending a registration. In such cases, you do not have administrative control over the domain(s). In this scenario, you might not be able to stand up a sinkhole unless you served a subsequent order.
     
  4. In cases where the domain was part of a fraudulent activity, the registrar may also choose to park the domain, i.e.,  to set up a web landing page with advertising or some other means to recover costs.

  5. The registry may set the registrant in the Whois record to a holding account, a special purpose registrant I.D., that the registry uses when preemptively blocking a registration (See 3).

  6. The registry may set the domain status to clientHold or serverHold for the remaining term of registration, it may set additional status to prohibit domain transfer or deletion, or it may update name server delegation. The latter act may cause a disruption to any sinkholing activity established prior to the court order.


If you’re not the registrant, you lose the ability to modify name server information and most importantly, you can’t renew the domain. Eradicating infections from botted devices has proven problematic so it’s important for you to retain control over domains you seize for a time period that is likely indeterminable when you issue a court order.

Forewarned…

Botnet dismantling operations exhaust hundreds of man hours and often span months or years. If you exercise care and use language that will result in exactly the outcome you seek when you prepare your court order, you’ll give your operation the best chances for success.

Note: While I use a botnet example in this post, much of what I describe as getting the language right applies to fraud or other abuse interventions, and may apply equally well when you request a registrar or registry to suspend a domain that is in violation of that operator’s AUP or Terms of Service agreement as they do for a served court order.  

 

Posted at 09:03 AM in Domain names and DNS |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories