This article draws a few of the ingredients together. It is important to stress that this is not intended to discredit ICANN, but to show just how RBN and its associates are applying themselves to the weakness of DNS allocation and exploiting ICANN’s vulnerability to influence, commercial sponsorship and registrar development.
- Firstly, RBN’s normal chaos creation, shown in the important and recent security research paper “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority” by David Dagon, Niels Provos, et al.: “291,528 hosts on the Internet performing either incorrect or malicious DNS service. With DNS resolution behavior so trivially changed, numerous malware instances in the wild, we urge the security community to consider the corruption of the (DNS) resolution path as an important problem.” [ref 1]
- Connect this to the newer RBN technique of ‘auto-generating’ thousands of new malware and rogue domain registrations via duped or controlled registrars, e.g. Tucows (Ca) and EstDomains, shielded by PrivacyProtect. This now outruns most security bloggers, security companies, blacklisting and rogue domain listings. [ref 2]
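A defender-side check for the resolution-path corruption quoted above, as an added example that is not from the original post or from the paper it cites: it verifies a host's configured resolvers against an allow list and compares the answers it receives with those of a trusted reference resolver. The resolver addresses, domain names and answers are constructed sample values.

```python
"""Resolution-path sanity check (added example; not from the original post).

Two checks inspired by the 'corrupted resolution path' problem:
 1. the resolvers a host is configured to use must be on an allow list;
 2. answers from the configured resolver must agree with a trusted reference.
Resolver answers are constructed below so the check runs offline.
"""
import re

# Resolvers the organisation actually operates (constructed sample values).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def configured_resolvers(resolv_conf: str) -> set:
    """Extract 'nameserver' entries from resolv.conf-style text."""
    return set(re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M))


def rogue_resolvers(resolv_conf: str, expected=EXPECTED_RESOLVERS) -> set:
    """Configured resolvers that are not on the allow list."""
    return configured_resolvers(resolv_conf) - set(expected)


def resolution_mismatches(domains, local_resolve, reference_resolve):
    """Domains whose locally obtained answer differs from the reference answer."""
    bad = {}
    for name in domains:
        local = set(local_resolve(name))
        ref = set(reference_resolve(name))
        if local != ref:
            bad[name] = {"local": sorted(local), "reference": sorted(ref)}
    return bad


# --- constructed sample data --------------------------------------------
SAMPLE_RESOLV_CONF = """\
# constructed: a host whose second resolver was silently changed
nameserver 10.0.0.53
nameserver 192.0.2.7
"""
REFERENCE = {"bank.example": ["198.51.100.10"], "mail.example": ["198.51.100.20"]}
# constructed: a corrupted resolver rewriting the bank's record
LOCAL = {"bank.example": ["203.0.113.5"], "mail.example": ["198.51.100.20"]}


def demo():
    """Run both checks over the constructed data; returns (rogue set, mismatches)."""
    rogue = rogue_resolvers(SAMPLE_RESOLV_CONF)
    mism = resolution_mismatches(REFERENCE, lambda n: LOCAL.get(n, []),
                                 lambda n: REFERENCE.get(n, []))
    return rogue, mism


if __name__ == "__main__":
    rogue, mism = demo()
    print("unexpected resolvers:", sorted(rogue))
    for name, ans in mism.items():
        print(f"{name}: local={ans['local']} reference={ans['reference']}")
```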
The facts – who?
LogicBoxes and Skenzo host a "Taj Mahal Sojourn" for guests at the 31st ICANN Meet in Delhi, India - “The elite list of attendees included the likes of Enom and Tucows head honchos, Paul Stahura and Eliott Noss respectively. Trey Harvin - CEO dotMobi, Jonathan Nevett - Network Solutions, Alexa Raad CEO PIR, Tim Cole - Chief Registrar Liaison at ICANN, Craig Schwartz - Chief gTLD Registry Liaison at ICANN, Tina Dam - Director, IDN Program ICANN, Dave Wodelet, Wendy Seltzer, Thomas Narten – ICANN Board members” [ref 4]
Directi, LogicBoxes and Skenzo control, manage or own ‘PrivacyProtect’, a domain privacy service which shields cybercrime, and does so by design. It currently shields 759,172 domains. [fig 2]
“LogicBoxes currently powers the infrastructure and software of over 50 ICANN Accredited Domain Registrars including EST Domains” [ref 5] (LogicBoxes online corporate profile). EstDomains is associated with Atrivo, aka Intercage; it is estimated that EstDomains provides Atrivo with 40% to 60% of its revenue.
Directi, LogicBoxes and Skenzo are associated with Everyones Internet (US) and The Planet (US), rack space etc., for opticaljungle / orderbox-dns. Coincidentally, both are within the top 10 hosts in the world by infected web sites (6,000). [ref 6]
Bhavin Turakhia, CEO and Chairman of The Directi Group: “Directi to continue growing at triple digit growth rates year after year”; technical advisor to the local CyberCrime Investigation Cell; “Bhavin was also former chairman for the Global ICANN Accredited Registrars Constituency for two consecutive terms. He has been the youngest elected chair for this post in the history of ICANN” [ref 7] [ref 8]
The facts (just a few notable examples) – what?
Historical, Aug 07 - Bank of India iFrame hack - X-TRAFFIC.BIZ – RBN; ICANN Registrar = ESTDOMAINS [ref 9]
Ongoing – RBN retail - Loads.cc; ICANN Registrar = DIRECTI; Registrant = PrivacyProtect.org [ref 10] [ref 11] [ref 12]
Ongoing - RBN retail payment systems - isoftpay (current); ICANN Registrar = ESTDOMAINS; Registrant = PrivacyProtect.org [ref 13]
Current - Robotraff: A Hacker's Go-To For Clicks – Brian Krebs, Washington Post - robotraff.com; ICANN Registrar = DIRECTI; Registrant = PrivacyProtect.org [ref 14]
Newer rogue / fake sample – malwarebell; the filename MALWAREBELL.EXE was first seen on Apr 14 2008 in CANADA, BELGIUM on Apr 15 2008, SPAIN on Apr 23 2008, GERMANY on Apr 23 2008; ICANN Registrar = Estdomains; Registrant = PrivacyProtect.org [ref 15]
Brand New - Mass File Injection Attack from Russia with Zlob - “If you do a Google search for these URLs, you get about 400,000 sites" - the key domain = xprmn4u.info ("HaCKeD By BeLa & BodyguarD" = 90,000 hits on Google); ICANN Registrar = Estdomains; Registrant = PrivacyProtect.org [ref 16]
Fig 2 - PrivacyProtect - map
The background research and this summary article have been around four months in the making within the community. It should be emphasized that there is considerably more ‘who’ and ‘what’, which will be presented in full later.
We feel even the most casual reader will be concerned, as this affects every user of the internet. We as a group want to stress further that we are believers in an open and unrestricted internet. However, if this trend continues, with a parallel DNS system being developed on an unofficial DNS architecture that will fake all records, the result will be a real mess and a groundswell of Internet users who rightly request governmental action in some form to assume some form of control.
We hope that, as a minimum, many readers will contact ICANN [ref 18] to at least determine what it is going to do about Estdomains, PrivacyProtect and anonymous domain registrants, right now. This also begs the question of ICANN’s commercial approach, apparently supporting unfettered registrar development, and of whom it allows in sponsorship or election. If ICANN does not rapidly clean up its own act to encourage the view that the DNS is safe in its hands, realistically several Internets will evolve: “Good, Bad, and the Ugly”.
As for Directi and co., there will undoubtedly be arguments that they are unaware, not responsible, only manage, or that it is a very small minority. From their logged and monitored actions we do not believe them. Even so, given their claimed expertise, if they were unaware of the role of EstDomains or PrivacyProtect, and thus of RBN, should they be trusted within, or in any form of association with, ICANN?
Special thanks, to name but a few:
Jim McQuaid, Debbie Rosman, David Bizeul, EmergingThreats.net, malwaredomains.com, the open source security community, Robtex, CyberDefCon, et al.
[ref 1] Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
[ref 2] Top 25 Exploit Hosts
[ref 3] ICANN for Beginners
[ref 4] LogicBoxes and Skenzo host a "Taj Mahal Sojourn" for ICANN
[ref 5] LogicBoxes online corporate profile
[ref 6] The Planet and Everyones Internet
[ref 7] Directi CEO
[ref 8] CyberCell Mumbai India
[ref 9] Bank of India Hack Aug 07
[ref 10] RBN Retail
[ref 11] Loads cc
[ref 12] One-Stop Shopping for Hackers
[ref 13] RBN payment systems
[ref 14] Robotraff – Brian Krebs
[ref 15] Rogue - Malwarebell
[ref 16] Mass File Injection Attack from Russia with Zlob – ISC.sans
[ref 17] Alistair Croll '10 Ways the Internet (As We Know It) Will Die'
[ref 18] Contact ICANN
Coming soon - RBN - Automated Mass Malware Domain Registration