How Much Are Your Personal Data Worth?
Security Awareness

Dismantling botnets: Dealing with DNS and Whois

Image by Matthew https://www.flickr.com/photos/purplemattfish/
Botnet chasers are expert folks from the private or public sector who pore over giga- or terabytes of data – network traffic, malware, DNS, and addressing information – to identify and confirm that a domain name, or perhaps hundreds of domain names, is being abused to support a botnet infrastructure.  As is the case for phishing, child abuse, spam and other (criminal) abuses of the DNS, these investigators typically want to “take down” the domain.

The botnet takedown case is interesting for several reasons: (i) botnets often provide the attack infrastructure for other attacks (including phishing, spam, and denials of service), (ii) all of the infected (“botted”) devices that comprise the botnet often must resolve these domains to establish and remain in contact with the botnet command and control systems (“C&C”), and (iii) the C&Cs serve as the only or primary way for botnet operators to distribute executable code to the botted devices.

Dismantling botnets is tricky business and often involves coordinating court orders across several jurisdictions. Affecting changes to the DNS or Whois are common elements in botnet takedowns. Getting the language right across these orders is important to ensure the outcomes you seek.

Get the Language Right

The term “takedown” is overloaded and unspecific. To some, it means “shut down the web site”. To others, it means, “shut down the DNS”. Both are correct. Maybe. In botnet cases, what you may seek isn’t a takedown at all. 

When you are preparing a court order, it’s important to say precisely what action you want a registry operator or registrar to take. Usually, you’ll want the complaint to affect changes to the DNS or Whois:

DNS: Affecting Botnet Name Resolution

You want your complaint to tell the registry to change name resolution for the domain(s) identified in the complaint in one of the following ways:

Terminate name resolution. Use this language when you want domain(s) identified in the complaint to stop resolving the names you enumerate in the court order to the Internet addresses for the C&C hosts. The served party (registrar or registry operator) will delete the domain’s name server records from the registry zone file, or will place a ‘hold” status on the domain, thereby removing it from the zone file and stopping resolution. This action dismantles or disrupts the botnet activity: botted computers cannot resolve the names they’ve been instructed to use to contact their C&C. They will be unable to receive instructions from their mother ship and thus can’t engage in attacks.

Change name resolution. Use language like “change or modify the name server records in the parent zone file of the domain names listed in this order to…” when you want to sinkhole or take control over the botnet for observation and analysis. You must supply the registry(ies) or registrar(s) with name server information (hostnames, IP addresses) that you intend to have employ as the authoritative name servers for the seized domain(s). The registry will replace any existing name server records in its zone file for the domains you list with the information you provide. You must then create resource records in the zone file(s) for the seized domains that direct traffic from botted devices to your sinkhole host so that you can investigate further into the botnet’s operation. And of course, you must stand up a sinkhole host at the address(es) you specify in your zone file.

Whois: Affecting Domain Registration

You want to transfer the domain registration away from the registrant to a party named in your complaint. How you prepare this part of the complaint effects domain registration data (Whois). Your court order should specify:

a)    The registrar that you will use to manage your domains (the “gaining registrar”). The current registrar should be instructed to provide the “AuthInfo” code that will allow you to transfer the domain to your registrar of choice, who must place the domain in an account that you control.  A registry can also force a registrar-to-registrar transfer, but you will then still need your registrar of choice to place the domain in an account that you control. 

b)   The points of contact information for you or the party whom you wish to be identified as the registrant, the administrative contact, and the technical contact.

c)    Domain status, which should be set to { clientTransferProhibited, clientDeleteProhibited }.

d)   The name server information for the domains (if you are sinkholing).

A registry that manages the entire set of domain registration data (“thick” Whois) can modify the entire registration data set to reflect the information you provide in the order. A registry that manages a partial set of registration data (“thin Whois” ”, such as .COM and .NET) will modify the registration data illustrated below.  

Domain Name: <should be specified in court order>
Registry Domain ID: <set by registry>
Registrar Whois Server: <set by registry to gaining registrar>
Registrar URL: <set by registry to gaining registrar>
Update Date: <set by registry>
Creation Date: <set by registry>
Registrar Registration Expiration Date: <set by registry>
Registrar: <should be specified in court order>
Registrar IANA ID: <set by registry>
Registrar Abuse Contact Email: <set by registry>
Registrar Abuse Contact Phone: <set by registry>
Domain Status: <should be specified in court order>

And the gaining registrar identified in the complaint will modify the points of contact information you provide in the order. Once the Registrar URL is set, any point of contact information that the losing registrar managed is overtaken by events: all Whois queries will be process by the thin registry and then the gaining registrar.

Why the right language matters…

When your court orders are unspecific regarding the disposition of registration data, you leave the registry or the gaining registrar to determine the contents of the registration data or the term of registration. In such cases, the DNS or Whois may be altered in any of several ways, with unintended consequences:

  1. The registrar might release the domain to the available pool. In this state a DNS query on this domain name will return a name error (NXDOMAIN) and a Whois query will return “No match”. The name is available for registration or (worse), re-registration by the botnet operator. This is clearly undesirable in many cases, as botted devices may be persistently querying the DNS to find their C&C. When this scenario concludes, the criminal actor can often resume malicious activity associated with the domain; for example, the actor can re-register the domain, resurrect command and control for a botnet, and restore communications with computers that are still infected with the malicious code associated with a botnet.

  2.  The registrar places the domain name is in a clientHold state (typically until the term of registration expires). In this state, the registrant cannot alter registration data, including name server information. This may be a partial success in cases where the botnet relies on changing name server addresses but it is not the same as terminating name resolution or sinkholing. Most importantly, if the registrar takes no action to modify the name server record, botted computers can still contact C&Cs.

  3. The registrar may set the registrant in the Whois record to a holding account, a special purpose registrant that the operator uses when suspending a registration. In such cases, you do not have administrative control over the domain(s). In this scenario, you might not be able to stand up a sinkhole unless you served a subsequent order.
     
  4. In cases where the domain was part of a fraudulent activity, the registrar may also choose to park the domain, i.e.,  to set up a web landing page with advertising or some other means to recover costs.

  5. The registry may set the registrant in the Whois record to a holding account, a special purpose registrant I.D., that the registry uses when preemptively blocking a registration (See 3).

  6. The registry may set the domain status to clientHold or serverHold for the remaining term of registration, it may set additional status to prohibit domain transfer or deletion, or it may update name server delegation. The latter act may cause a disruption to any sinkholing activity established prior to the court order.


If you’re not the registrant, you lose the ability to modify name server information and most importantly, you can’t renew the domain. Eradicating infections from botted devices has proven problematic so it’s important for you to retain control over domains you seize for a time period that is likely indeterminable when you issue a court order.

Forewarned…

Botnet dismantling operations exhaust hundreds of man hours and often span months or years. If you exercise care and use language that will result in exactly the outcome you seek when you prepare your court order, you’ll give your operation the best chances for success.

Note: While I use a botnet example in this post, much of what I describe as getting the language right applies to fraud or other abuse interventions, and may apply equally well when you request a registrar or registry to suspend a domain that is in violation of that operator’s AUP or Terms of Service agreement as they do for a served court order.  

 

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)