Simply Security - News, Views, and Opinions from Trend Micro

Posted on May 16th, 2011 in Current News, Privacy & Policy, Research by Noah Gamer | Be the first to comment | Tags: data security

Earlier this year, Trend Micro managed to co-operate with Spanish? Domain name registrar CDMON to enable us to take out one of the command and control servers of an infamous information stealing botnet and harvest some key data. Sadly though, this kind of co-operation activity is all too rare in the industry.

In this newsletter we’ll be looking at why registrars play such a key role in the domain name system and what needs to be done industry wide at this level to make it more difficult for botnets and malicious sites to survive.

Why are registrars important?

A domain registrar is licensed by a generic top level domain or country code top level domain registry to sell domain names to customers. Probably the most famous registrar is GoDaddy, the US based firm which has over 40m registered domains on its books and is licensed by the likes of .com registry VeriSign.

As such, registrars have access to the thousands, tens of thousands or even millions of IP addresses of customers who have registered with them. By the law of averages, a small proportion of these addresses will be linked to web servers hosting malicious content, or indeed so-called ‘command and control’ servers which give botnet computers their instructions.

What did Trend do with CDMON?

Trend Micro researchers worked hard to discover a particular command and control server hosted on a domain which was registered by CDMON. Armed with significant amounts of data we managed to persuade the organization to replace the server’s original address with our own IP address, linked to our own analysis machine. This technique, known as sinkholing, meant that all the traffic coming from each client in the botnet came straight through to the Trend Micro machine to be analyzed.

As this was happening, of course, these machines were getting no instruction from their C&C server. We kept harvesting their traffic for a full three weeks until we felt we had enough data and then told CDMON to stop the redirection, after which time the botnet clients were permanently severed from their control server.

Although much of the information we received was encrypted and therefore impossible to interpret, Trend Micro found out some useful information about the botnet, which turned out to be one of the notorious ZeuS botnets designed to steal banking information. For example, we found that over 95 percent of the inbound requests to the C&C server came from South America, particularly from Mexico, indicating that the bot may have originated from Latin America.

Are there other ways to sinkhole a botnet?

Unfortunately the registrars do not usually co-operate with security vendors in such a amenable way. Given that their primary aim as a business is to make money, having to stop and double check every time their suspicion is raised by a security team such as Trend’s would eat into their tight margins in what is already a highly competitive domain name market.

Traditionally the only other way to get a registrar to agree to sinkholing would be by going through the courts and trying to persuade a judge to grant an order forcing them to do so. This is a difficult process given the legal hoops that need to be jumped through and the fact that most judges are woefully technology illiterate. However, according to David Sancho, senior threat researcher at Trend Micro, there is another way to facilitate sinkholing, although it is little known and requires in depth security knowledge.

If you build up the right contacts among law enforcement, and have a serious body of evidence to present about a particular domain, they can fast track the process by pushing the request through to a judge who is knowledgable about technology matters, he said. They could get a sinkholing in as little as eight hours, although this depends on the quality of the relationship forged with law enforcement.

Are things getting any better?

What the industry really needs is an ISP or registrar association which could centrally channel and filter any requests from security teams and inform the relevant registrars of sinkholing requests, however such a body is unlikely to be formed.

The UK’s serious organised crime agency (Soca) recognized last year that key to cracking organized cyber crime was to crack down on registrations. Soca senior manager Paul Hoare told delegates at the annual e-Crime Congress event in London that year that global law enforcement successes had been “in spite of” rather than “thanks to” the current landscape and around 30m domain names still exist with untraceable registrations.

Soca is working with Icann, the internet oversight body, to try and create a “minimum standard for registrations” which will filter down to all domain registries and ultimately, registrars such as CDMON. Anecdotally, both .ru (Russia) and .cn (China) have tightened up their registration policies by forcing registrants to identify themselves more fully before a domain is granted. However, criminals are always likely to move to domains where the registration policy is not so difficult, until there is agreement across the board.

We will never completely stamp out cyber crime but at the very least making it more difficult for the criminals, and therefore more expensive, to register the domains essential to their botnet-controlling activities will be a step in the right direction. In the meantime, better communication between law enforcement, security researchers and the judiciary is another important step in speeding up the sinkholing process.

These are all baby steps, but no less important in the ongoing fight against the scourge of botnets.