Dont judge a book by its cover and a blog by its title. The title of today’s blog-post isn’t your daily SMS lingo, it is infact about .RU domains.
Ask any security guy about .ru and they will promptly say “Which malware did you find in there?”, such is the clout of .ru domains in the world of malware, that it is considered profitable and these bad-guys often find it quite useful to register .ru domains to sell and spread their wares.
Be it Fast-Flux or BHEK EK, Sytx EK, infact be it anything malicious and you will find majority of the domains belonging to the .RU ccTLD.
One thing is for certain that : SOMETHING IS VERY VERY WRONG.
There are two different things which need to be investigated
1: Registry Terms and Conditions
When we look into the Terms and Conditions for registrations of .RU domains, it is comforting to know that the rules are certainly stringent ; at-least, that is what appears to look like when you read them. You may read the entire T&C over here.5.7. The Registrar may terminate the domain name delegation upon the receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet, should the petition contain information about the domain’s information addressing system being used for:
- receipt from third parties (users of the system) of confidential information by misleading these persons regarding its origin (authenticity) due to similarity of the domain names, design or content of the information (phishing);
- unauthorized access to third parties’(users, visitors) information systems or for infecting these systems with malware or taking control of such software (botnet control);
- dissemination of materials with pornographic images of the minors.
The Coordinator shall post the list with competent organization on its official website.
So, the gist of this content is that everyone can / has the right to complain, but only to those organizations selected by the Coordinator (Registry). I presume the last sentence is pointing to this list, which includes CERT-GIB.
Way back in 2010, .RU Registry had made some path breaking changes in the Terms and Conditions governing the registration and usage of a domains, this was done so as to decrease the registration of malware domains. And at present, in the year 2013, the T&C states the following: This is a snippet, however you may read the entire “Section 9” to understand the basic requirements for registering a .ru domain9.2.6. The following information intended for identification of Administrators represented by legal entities shall be stored in the Registry:
- name in full;
- the Administrator’s name presented represented in characters of the Roman alphabet and other ASCII-7 characters;
- residence (legal address);
- the taxpayer’s identification number (for Russian corporations as well as for the foreign ones, which have it); the tax identifier or an identifier in the trade register (for foreign corporations not registered as taxpayers in the Russian Federation).
So where is the catch? Point no. 9.2.6 clearly states that documents pertaining to the proper identification of the registrant / administrator has to be provided.9.3.7. The domain name delegation shall be terminated where the Administrator fails to execute the request to submit details and documents within the specified timeline, and the Administrator’s requests relating to the domain name (including requests for extension of registration) shall not be executed until the request is executed.
And what is the time-frame ?9.3.9. The Registrar shall at least once a year dispatch a notification to the Administrator on the need for examination of information about the Administrator stored in the Registry.
And, what exactly happens when we put all these points together : We have a system which accepts the information provided by the registrant / administrator and once a year the Registrar sends an email for the need to verify the information – How very convenient.
How do we prove this statement? Look into the whois records
2: WHOIS records
Let us take into consideration two domains first one is a legit domain while the other is a malware domain.
domain: MAIL.RU state: REGISTERED, DELEGATED, VERIFIED
domain: IMANRAIODL.RU state: REGISTERED, DELEGATED, UNVERIFIED created: 2013.03.26
We are not interested in other details provided by the Registrar but the State of the record .
Registered : the domain is registered
Delegated : the domain can be resolved, when you see “NOT DELEGATED” means the domain has been suspended by the registrar for reasons known to them.
VERIFIED/UNVERIFIED : this is the field we are interested in . UNVERIFIED means the identity of the Registrant/Administrator has not been verified.
So what do we have here , a malware domain has been registered almost 24 days ago and the identity of the registrant/administrator has not yet been verified. Secondly, a quick google search will infact prove that IMANRAIODL.RU is a malicious domain.
Conclusion / Hypothesis:
The T&C have been created with a view that, by providing real verifiable information, there would be a decrease in the registration of malware domains, however the method itself is incorrect.
Let me ask you one question : For the sake of security / integrity of a country , do you feel offended by the Security Checks? So, when legit people want to register a domain then they shouldn’t mind a few hardships to get themselves verified, as in the future their verified identity can be used to register bulk domains.
However, if you are allowed to first register a domain and later-on ask the registrant/administrator to prove their Identity, I believe that the very idea/thought of creating these T&C rules have gone for a toss.
This present T&C rules not only creates the necessary loophole but also promotes the idea of “Bullet Proof” registrations.
As we all know, within 48 hours of a malware domain getting registered it is used for serving malware , so where is the pro-activeness required to block such malicious ?
Remember, for any complaints related to malicious .RU Domains, contact the organizations provided in the list .
Some well-known malware searches :
.RU:8080 –> Exploit Kit
.IN:8080 in fact you may replace the URLQuery results with any ccTLD of your choice and play around with statistics.