Verisign drag their heels at removing malware sites

A security researcher is accusing Verisign of not acting fast enough to take down several dozen sites that he says are known to be spewing malware.

The sites are all in the .com and .net domains and were registered by domain name registrars in Russia and Turkey said Andrew Fried, CEO of security consultancy Deteque and a former senior special agent with the US Department of the Treasury.

The sites first surfaced on 1 February, and have been pushing out a new Russian exploit kit called JustExploit that takes advantage of Java bugs to infect computers, Fried said.

The domain name registrars in Russia and Turkey, which registered the sites, have done nothing to deregister them though they have been notified about the problem by security researchers who monitor malicious activity on the Internet, Fried said.

Verisign, which is the Registry service that manages the .com and .net domains has similarly been notified about the problem but also appears to have done nothing so far, Fried said. More than 24 hours after Verisign was notified of the problem, the malicious domains are "live, resolving and still serving malware," he said.

Fried earlier this week presented at the BlackHat security conference in Washington DC where he said Internet authorities in countries such as China and Russia of doing "squat" to help deal with cyber security threats.

The apparent fact that a US-based entity is displaying a similar lack of co-operation is "appalling", Fried said.

Verisign did not have an immediate response to a request for comment.

Fried said the malicious domains are being hosted on a so-called fast flux network which makes it extremely difficult to track down the actual servers on which the sites are being hosted he said.

Fast flux hosting is a technique in which infected nodes on a botnet are used as proxies for the server that is actually hosting the malware. The nodes keep constantly changing, making it all but impossible for anyone to track down the actual malicious server. As a result, the best way to mitigate such threats is to simply deregister the domain names entirely, Fried said.

In this instance, with the foreign registrars dragging their feet, Versign as the registry for the .com and .net domains should have stepped in and un-registered the malicious sites, Fried said.

The incident highlights the challenges being posed by the trend by online criminals to use fast flux networks to hide the servers serving up malware and spam sites. Because the servers hosting malware have become almost impossible to find, the effort increasingly has been to identify malicious sites and deregister them as quickly as possible.

"The burden of dealing with these issues has shifted from the ISPs to the registrars," he said.

Many registrars have developed good policies for identifying malicious domains, responding to complaints from security researchers and for deregistering domains as needed, Fried said. But many others have not, he said.

"A vast majority of these issues are being resolved through the registrars," Fried said. But in some cases complaints need to be escalated to the domain registry service, he said.

In such cases, the onus falls on the registry service to take action, he said. He pointed to a recent incident where the registry for the .us domain responded quickly to unregister malicious domains after the registrars failed to move quickly enough.

Comments