Update: Verisign fails to take action against malicious sites, researcher says

Verisign notified of problem but domains still 'live ... and still serving malware'

A security researcher is accusing Verisign Inc. of not acting fast enough to take down several dozen sites that he says are known to be spewing malware.

The sites are all in the .com and .net domains and were registered by domain name registrars in Russia and Turkey said Andrew Fried, CEO of security consultancy Deteque and a former senior special agent with the U.S Department of the Treasury.

The sites first surfaced Monday, and have been pushing out a new Russian exploit kit called JustExploit that takes advantage of Java bugs to infect computers, Fried said.

The domain name registrars in Russia and Turkey, which registered the sites, have so long done nothing to deregister them though they have been notified about the problem by security researchers who monitor malicious activity on the Internet, Fried said.

Verisign, which is the registry service that manages the .com and .net domains, has similarly been notified about the problem but also appears to have done nothing so far, Fried said. More than 24 hours after Verisign was notified of the problem, the malicious domains are "live, resolving and still serving malware," he said.

Fried gave a presentation at the BlackHat security conference earlier this week in Washington, where he said Internet authorities in countries such as China and Russia were doing "squat" to help deal with cybersecurity threats.

That a U.S.-based entity is displaying a similar lack of cooperation is "appalling," Fried said in a conversation with Computerworld today.

In an e-mailed comment, a Verisign spokeswoman said Thursday that the company had learned about the malicious domains on Tuesday. It "immediately contacted the appropriate registrars and is working closely with them to validate" the information, she said.

"Verisign is taking all appropriate actions based on the current information available," she said.

Fried said the malicious domains are being hosted on a so-called fast flux network which makes it extremely difficult to track down the servers on which the sites are being hosted, he said.

Fast flux hosting is a technique in which infected nodes on a botnet are used as proxies for the server that is hosting the malware. The nodes keep constantly changing, making it all but impossible for anyone to track down the malicious server. As a result, the best way to mitigate such threats is to simply deregister the domain names entirely, Fried said.

In this instance, with the foreign registrars dragging their feet, Verisign as the registry for the .com and .net domains should have stepped in and unregistered the malicious sites, Fried said.

The incident highlights the challenges posed by online criminals who use fast flux networks to hide the servers serving up malware and spam sites. Because the servers hosting malware have become almost impossible to find, the effort increasingly has been to identify malicious sites and deregister them as quickly as possible.

"The burden of dealing with these issues has shifted from the ISPs to the registrars," he said.

Many registrars have developed good policies for identifying malicious domains, responding to complaints from security researchers and for deregistering domains as needed, Fried said. But many others have not, he said.

"A vast majority of these issues are being resolved through the registrars," Fried said. But in some cases complaints need to be escalated to the domain registry service, he said.

In such cases, the onus falls on the registry service to take action, he said. He pointed to a recent incident where the registry for the .us domain responded quickly to unregister malicious domains after the registrars failed to move quickly enough.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Copyright © 2010 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon