08|24|2012 11:29 am EDT

Sedo.com and Sedo.co.uk Hit with Malware Warnings

by Adam Strong in Categories: Up to the Minute

Users of Sedo.com and Sedo.co.uk were greeted today with a Google malware warning when accessing the popular domain name parking and aftermarket site. The warning details are below.

DNN was able to see the warnings in some Chrome and Safari sessions but not in Firefox, and upon reloading later this morning the warning had disappeared in Safari. Other users we have spoken to report similar experiences, with the warnings still there. See the graphic below for more details of the malware.

[Update] A Sedo spokesperson has provided DNN with the following comment:

Sedo has been made aware that visitors attempting to access the Sedo.com or Sedo.co.uk websites using either the Firefox or Chrome web browsers have been receiving security alerts preventing entry. While the Sedo website is still accessible without warning on both Internet Explorer and Safari, we immediately began investigating the root cause of these warnings to ensure there was in fact no risk to our users or visitors to the site. At this time we can report that no threats have been detected and our technical teams are currently working with Google and others to ensure these false warnings are immediately removed.

07|25|2012 05:08 pm EDT

Oversee.net partners with Team Cymru to combat malware

by Frank Michlick in Categories: PPC industry

The company’s domain parking pages were accidentally blocked by anti-virus software earlier this year

Oversee.net announced today that its domain parking unit DomainSponsor has entered into an agreement with Team Cymru, a specialized Internet security research firm and non-profit dedicated to making the Internet more secure by helping organizations identify and eradicate problems in their network. 

Given the size and scope of its DomainSponsor traffic monetization network, the company sees itself in a uniquely advantageous position to help detect and identify potentially malicious communications to share via its relationship with Team Cymru to benefit the wider Internet Security Community.

According to Oversee.net’s CEO Debra Domeyer, the company “want[s] to support their efforts to help other companies avoid network problems caused by malware and to help users have a safer online experience.”

Earlier this year in May, an author by the name of EarlGrey wrote on Syndk8.com that Oversee.net’s domain parking subsidiary DomainSponsor had been “hacked” and was “spreading malware”. The report turned out to be a false alarm, as confirmed by Oversee.net’s VP of Marketing & Communications, Aaron Kvitek, and by a comment posted by the original author. The company’s domain parking pages had accidentally been blocked by anti-virus software, and Oversee.net was able to work with the vendor to remove the block.

10|11|2011 03:59 pm EDT

Verisign domain takedown proposal very worrisome

by Mark Jeftovic in Categories: Editorial, ICANN / Policy

The following post was originally published on the EasyDNS blog by entrepreneur Mark Jeftovic and was syndicated with his kind permission.

Under a proposed Verisign initiative, all .COM/.NET domains exist at the pleasure of the United States government.

Verisign just released an overview of their proposed “Anti-Abuse Domain Use Policy” under ICANN’s Registry Services Evaluation Process. The program’s chief aim is to provide a takedown mechanism for malicious websites distributing malware. In itself, not a bad thing, considering some registrars are unresponsive toward abuse or network stability issues.

However, lumped in with the conditions under which Verisign can invoke their takedown capabilities are some troubling “add ons”, as quoted below:

The new anti-abuse policy would be implemented through a change to the .com, .net and .name Registry Registrar Agreements and would allow the denial, cancellation or transfer of any registration or transaction or the placement of any domain name on registry lock, hold or similar status as necessary:

(a) to protect the integrity, security and stability of the DNS;

(b) to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process;

(c) to avoid any liability, civil or criminal, on the part of Verisign, as well as its affiliates, subsidiaries, officers, directors, and employees;

(d) per the terms of the registration agreement,

(e) to respond to or protect against any form of malware (defined to include, without limitation, malicious code or software that might affect the operation of the Internet),

(f) to comply with specifications adopted by any industry group generally recognized as authoritative with respect to the Internet (e.g., RFCs),

(g) to correct mistakes made by Verisign or any Registrar in connection with a domain name registration, or

(h) for the non-payment of fees to Verisign. Verisign also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute;

The main problem here is Section (b), which lets Verisign take down any domain that is inimical toward a government “requirement” or at the “request” of a law enforcement or other governmental or quasi-governmental agency.

What does this mean?

It means domains can be taken down without judicial process and in the absence of any overt network abuse. I refer anybody who thinks the possibility of abuse of this policy is remote to the actions of Senate Committee on Homeland Security and Governmental Affairs Chairman Joe Lieberman last December regarding Wikileaks – an entity which has still never been charged with any offence in any jurisdiction and which continues to operate in a perfectly legal manner. (Lieberman called on “any company or organization that is hosting Wikileaks to immediately terminate its relationship with them.” – Which sounds like a “request” to me.)

What Wikileaks did was expose bad actions of the various governments themselves, some of those – illegal. It can be assumed that governments that are acting against the interests of their constituents or committing actual crimes have a “requirement” that everybody shuts up about it. Thus any whistleblower, journalist or egregious truth-teller using a domain under .com or .net to bring light on issues such as these could find themselves with their domain unplugged under this policy.

In the case of Wikileaks, Lieberman’s staff telephoned various web services providers and demanded that they sever ties and cease providing services.  Next time all they would have to do is call Verisign and tell them that the government “requires” them to takedown their domain. (Of course, Wikileaks is under .org, not .com or .net, but next time it may not be Wikileaks. Maybe it’ll be Zerohedge. Maybe it’ll be easyDNS. Maybe it’ll be you.)

Under the proposed rules, it’s not just the government that could initiate takedowns but even “quasi” governmental agencies. What’s a quasi-governmental agency? It’s a government created entity that undertakes commercial activities on behalf of the government. That would mean entities like Fannie Mae and Freddie Mac or the Federal Crop Insurance Corporation could takedown any .com or .net domain based on having a “requirement” or making a “request” to do so.

Section (c) is also troublesome: providing that Verisign can take down any domain to avoid liability to themselves. So if other avenues of removing a troublesome domain fail, you could just simply sue, or threaten to sue, Verisign and they can unplug the underlying domain.

Last year the US Department of Homeland Security (Immigration and Customs Enforcement) began a series of domain takedowns intended to enforce copyright violations. In one case they seized a third-level domain provider (mooo.com) which resulted in the takedown of over 84,000 unrelated and innocent websites.

Since the ICE takedowns were arbitrary and widening in scope, a perceived benefit arose to using non-US-based Registrars for domain registration, as the takedowns were being implemented via court orders to US-based registrars.

If this policy goes into effect, there are no safer jurisdictions for any .com or .net domain anywhere in the world. They all come under US government, quasi-governmental and law enforcement agency “requirements”.

The Verisign proposal concedes that:

Registrants may be concerned about an improper takedown of a legitimate website.  Verisign will be offering a protest procedure to support restoring a domain name to the zone.

Which is not very comforting. What is the “protest procedure” and how long will it take? Will a contested takedown put the domain in an online or offline state while the procedure is implemented, and how long does that take?

Proposed Modifications

If this is to move forward, our recommendations are as follows:

  • Section (b) should be stricken, and the current model, in which government-inspired domain takedowns are requested via the Registrar of record, should be retained.
  • In cases of court-ordered takedowns, Verisign should only intercede in the case of a non-responsive Registrar and again, under a court order.
  • Section c should be stricken. Verisign already insulates itself from liability in its Agreements with Registrars and under the various Registrant Agreements already in place. This should not be a back-door method into taking down a domain.
  • If a Registrar feels a false-positive takedown has occurred, there needs to be a mechanism to bring the domain back online immediately pending the outcome of a challenge or disputed takedown.

Editorial Add-on by Frank Michlick

I completely agree with the comments by Mark, but I’d like to go one step further and comment on the plan to pro-actively scan the domain registration base for malware sites, as highlighted in the Domain Name Wire article on the same topic. While I am not a lawyer, I think it is very dangerous ground for a registry operator to start actively monitoring registered domain names for their content and its compliance with laws. Once a registry does this as a pro-active service, it could imply that the registry becomes liable for sites that it misses in its scans, since it should be aware of the content of the sites for the domains registered through them. I think that a registry should act as a technology provider and facilitator; the registry should not be active in developing the policy that decides what is illegal and what isn’t.

08|16|2010 06:14 pm EDT

Millions of Network Solutions Parked Pages Were Serving Malware

by Adam Strong in Categories: Registrars

Armorize, a web security company, reported on their blog today that Network Solutions had been displaying a widget box that contained malware. The company was notified and quickly remedied the parking pages. Based on a Yahoo search alone, there are over 5 million domain names with NSI parked landers that may have been affected by this drive-by malware.

According to Help Net Security, the malware is of the drive-by variety and doesn’t take much to infect the user’s computer. Simply visiting a parking page hosted by NSI would trigger the download.

The malware then modifies the registry, monitors four of the most popular browsers, redirects users of popular search engines to other websites, pops up advertisements according to a list of search terms, and duplicates and renames itself to resemble a varied assortment of legal and illegal software (mostly key generators and cracked software versions). It then “phones home” to several URLs in order to receive further instructions and download more malware.

Only 50% of the antivirus solutions included in VirusTotal’s check detected this malware a couple of days ago, and it was discovered to have the ability to block well-known drive-by download analysis services such as Wepawet and jsunpack.
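One check a hosting or parking provider can run over its own landers after an incident like this, as an added example that is not part of the original article and not Network Solutions’ or Armorize’s tooling: parse each page, list every tag that pulls in a script, frame or plugin object, flag any whose host is outside the provider’s own asset allowlist, and flag any hidden (1x1 or display:none) iframe regardless of host, since that is the classic drive-by carrier. The allowlist, the page host and the widget-host.invalid names are placeholder assumptions, and the sample lander is constructed.

```python
"""Audit the third-party includes on a hosted (e.g. parked) page.

Added example, not Network Solutions' or Armorize's code. The allowlist
and every hostname below are placeholders; a real deployment would use
the provider's own asset hosts and run this over a sample of live landers.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the provider legitimately serves lander assets from (hypothetical).
ALLOWED_HOSTS = {"parked.example.com", "cdn.example.net"}

# Tag/attribute pairs that pull executable or framed content into the page.
INCLUDE_ATTRS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class IncludeCollector(HTMLParser):
    """Records every tag that loads external content, with its attributes."""

    def __init__(self):
        super().__init__()
        self.includes = []  # list of (tag, attrs_dict), in document order

    def handle_starttag(self, tag, attrs):
        attr = INCLUDE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if attrs.get(attr):
            self.includes.append((tag, attrs))


def host_of(url, page_host):
    """Hostname a URL resolves to; relative and protocol-relative URLs handled."""
    netloc = urlparse(url).netloc
    if not netloc:  # relative path: same origin as the page
        return page_host.lower()
    # strip userinfo and port
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def is_hidden_frame(tag, attrs):
    """Tiny or invisible iframes are the usual drive-by carrier."""
    if tag != "iframe":
        return False
    try:
        w = int(attrs.get("width", "100"))
        h = int(attrs.get("height", "100"))
    except ValueError:
        w = h = 100
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w <= 2 and h <= 2) or "display:none" in style or "visibility:hidden" in style


def audit_includes(html, page_host, allowed=ALLOWED_HOSTS):
    """Return a list of (reason, tag, host, url) findings for one page."""
    collector = IncludeCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.includes:
        url = attrs[INCLUDE_ATTRS[tag]]
        host = host_of(url, page_host)
        if host != page_host.lower() and host not in allowed:
            findings.append(("unexpected-host", tag, host, url))
        if is_hidden_frame(tag, attrs):
            findings.append(("hidden-iframe", tag, host, url))
    return findings


# Constructed sample lander: two legitimate includes, then an injected widget
# box pulling a script and a 1x1 frame from a host the provider never approved.
SAMPLE_PAGE = """<html><head>
<script src="/js/lander.js"></script>
<script src="https://cdn.example.net/ads.js"></script>
</head><body>
<div id="widget">
<script src="//widget-host.invalid/box.js"></script>
<iframe src="http://widget-host.invalid/frame.html" width="1" height="1"></iframe>
</div>
</body></html>
"""

if __name__ == "__main__":
    for reason, tag, host, url in audit_includes(SAMPLE_PAGE, "parked.example.com"):
        print(f"{reason:16} {tag:7} {host:22} {url}")
```

Run against a sample of live landers on a schedule and alert on the first page whose include set differs from the lander template; that catches an injected widget long before a search engine blacklists millions of parked domains at once.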

This attack definitely marks the beginning of the exploitation of hosting providers as a means to compromise a massive amount of domains and spread malware to millions of users in a short period of time. Let’s hope that hosting providers will take this occurrence seriously and rethink their defenses from top to bottom.

This is not good news for parking companies and domain owners who rely on parking revenue. As parked pages become synonymous with malware or problems, users will shift away from clicking more and more. . . Is this just another nail in the coffin for domain parking?

06|04|2008 01:28 pm EDT

McAfee Identifies The “Mal-web” In Domain Names

by Adam Strong in Categories: ccTLDs

Anti-virus software maker McAfee released its second “Mapping the Mal Web” (PDF) report today. The report attempts to map and identify the domain name extensions where malicious websites reside. This is the second year for the report. In the 2007 report, the .tk extension was reported to have the highest proportion of malicious websites (10.1%). This year Hong Kong’s .hk takes the title with 19.2%, followed closely by China’s .cn with 11.8%. Among the generic domain name extensions (gTLDs), .info ranked first, with 11.7% of all sites ending in .info posing a security threat. Second among gTLDs was .net with 6%. The report claims that a little under 5% of .com domain names were found to be risky. McAfee also identified the least risky extensions as .gov, .jp and .au.

The newest report specifically points to .hk and .cn domain names as having a substantially higher percentage of malicious websites. In the 2007 report, McAfee had not flagged those extensions as having such high percentages.

Shane Keats, research analyst for McAfee and lead author of the report, said the increase in dangerous sites registered under the “.hk” and “.cn” domains over last year’s report was caused in part by better data collection on McAfee’s part on those domains and by apparent security lapses in some registrar companies’ processes for registering addresses.

The 2007 report claimed the .tk extension had one of the highest percentages (10.1%). After the McAfee report was released, Dot TK, operator of the registry for Tokelau, implemented changes geared toward reducing these malicious sites. The .tk extension dropped considerably, to #28 this year. Dot TK faced a 10% decline in registrations and a backlash from advertisers running ads on .tk landing pages. The domain business reportedly accounts for a “double digit” percentage of the GDP of Tokelau. One could assume that the reduction in domain registrations that .tk felt will now be seen at the .hk, .cn and .info domain registries. This news should come as a wake-up call to these operators.

The high percentage of malicious sites found on the .info extension may also be read as another “nail in the coffin” for the gTLD. The McAfee report follows on the heels of the news earlier last week that Google was dropping .info domains from search listings. All of this bad news can’t be sitting well for the .info registry or anyone heavily invested in .info domain names.