[NA-Discuss] Policy Failure Enables Mass Malware: Part II (ICANN and OnlineNIC)

Garth Bruen at KnujOn gbruen at knujon.com
Wed Sep 29 18:21:33 UTC 2010


On Wednesday September 29th at 1PM there will be a meeting in the Old
Executive Building in Washington D.C. with Registries and domain
Registrars to discuss illegal Internet sales of prescription drugs
ICANN was originally invited but declined citing “inappropriateness”
One “U.S.” Registrar who definitely will not be in attendance is
OnlineNIC. It has been known for some time that OnlineNIC’s purported
Oakland California address is false
(http://dotsnews.com/domain-name-news/184) and that they have been
caught directly involved in cyber-squatting and counterfeiting schemes
that cost them millions in out-of-court settlements
However, the core issue relates to an illicit pharmacy domain sponsored
by OnlineNIC which has been found in thousands of hacked websites
infected with a PHP redirection. KnujOn first found this malicious
redirection in July, 2010 and discovered the target domain,
SECURETABS[DOT]NET, had a false WHOIS record and we appropriately filed
a complaint with ICANN on July 18, 2010. Under the ICANN Registrar
Accreditation Agreement the domain owner has 15 days to correct WHOIS
inaccuracies and the Registrar has 45 days to investigate the complaint
(http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#3). If
the registrant fails to respond their domain must be deleted. The
Registrar is required to investigate and if they fail to it could be
considered a material breach of their contract with ICANN. In this case
both deadlines have passed without correction or deletion. OnlineNIC has
yet to respond to multiple inquires about this.

The Malicious Intrusions Continue

As with our last report on Malware and Policy Failure
single illegal pharmacy shop sites that somehow evade detection and
policy enforcement impact thousands or even millions of innocent
websites. It provides motivation and opportunity to keep spreading the
malware that drives Internet users to illegal transaction sites without
their consent. This particular malicious code has been found at Earlham
College, the University of Illinois, the University of Delaware, Lord
Fairfax Community College, the University of Alaska, and Toccoa Falls
College. While public institutions are frequent targets of these attacks
because of their typically large networks, multiple access points, and
constantly changing student populations private sites are just as
vulnerable. We even found one infection on a local Fox News affiliate in
Houston. KnujOn currently estimates the number of websites infected with
some kind of illicit pharmacy-related redirect to be in the millions. 

Policy Enforcement from ICANN

While ICANN has continuously stated they have no enforcement powers,
this type of domain abuse is actually within their mandate. Because
OnlineNIC is itself a rogue Registrar they cannot be counted on to
follow policy, it is ICANN’s role to hold the Registrar responsible.
In the case of OnlineNIC it should be an easy call considering their
history, but ICANN recently renewed OnlineNIC’s contract for another
five years even though they have failed to comply with RAA 3.16
(http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#3) and
may be de-accredited under RAA 5.3.2
because of a judgment against them in a suit filed by Louis Vuitton
Because OnlineNIC is allowed to exist SECURETABS[DOT]NET exists. Because
SECURETABS[DOT]NET exists the Internet is being flooded with silent
intrusions and malicious code injections.

Rejection of Registrar Complaint by ICANN

ICANN has a secondary process for filing complaints against Registrars
but in this case it failed. KnujOn followed ICANN’s instructions
(http://www.icann.org/en/compliance/faq.html) for filing a complaint
against a Registrar. On September 16, 2010 after OnlineNIC failed to
comply with the contracted obligations concerning SECURETABS[DOT]NET.
Instead of seeing SECURETABS[DOT]NET suspended and OnlineNIC admonished,
our complaint was rejected with the claim we had filed the wrong form.
It has now been 73 days since our initial complaint about
SECURETABS[DOT]NET, and the site is still active and continues to appear
in new website intrusions. 

Until ICANN fully grasps the nature of this threat and their ability to
thwart it through their normal duties, the problem will grow. In Part
III we reveal a notorious intrusion and malware download traced right to
another policy failure at another troubled Registrar.


More information:

Garth Bruen
gbruen at knujon.com
Linkedin Group: http://www.linkedin.com/groups?gid=1870205
Blog: http://www.circleid.com/members/3296/
Twitter: @Knujon

More information about the NA-Discuss mailing list