Registrars Take Heed of Researchers
Never underestimate the power of one good security research report, as it appears that the ripple effect touched off by KnujOn's phantom domain paper from a couple of weeks back is still shaking things up.
Here's the latest domino to fall: EstDomains, a domain registrar recently identified in the report as a shady operator supporting illegal online pharmacies, spammers and badware distribution sites, has made an about-face and issued a public promise to "continue its struggle against malicious software distribution and is giving its best to work out even more efficient solutions for detecting malware sources."
This strident stand against online ill-doers comes roughly a week after Directi, a massive registrar service operating out of India, said it was cutting ties with EstDomains after KnujOn and another anti-badware site, Hostexploit.com, criticized the business relationship between the two firms and blamed the companies for allowing pharmacies and malware-spewing URLs to abuse their services.
Much as some adware companies have long been criticized for failing to properly vet their affiliate networks, which leads to seemingly legitimate ads being passed along to end users in illegitimate ways, the work of researchers pulling the covers off a similar network effect in the registrar world appears to be pushing some companies to change their stripes, or at least to pledge to.
In its promise to fight the scourge of online misbehavior, EstDomains says some interesting things, especially within the context of the KnujOn report and the actions of Directi, which initially called the paper inaccurate, before changing its own course and distancing itself from EstDomains and the providers' PrivacyProtect service, which researchers called out as a front for allowing badware brokers to do business online undetected.
"EstDomains management does not deny the fact that no one is secured from having a customer who uses provided services for delinquent purposes. But it must be noted that the carefully planned infrastructure of EstDomains makes the special provision for the cases of malware distribution that may originate from the domain name registered under the company's name. Such domain names are suspended immediately along with domain holder's account if there is an evidence of malware presence on the Web site. According to the most recent statistics over five thousand domain names were detected and ruthlessly suspended by EstDomains specialists only last week."
Coincidental timing? I think not!
Funny how people start shaping up once the threat of losing business and money is hovering over their heads.
But Garth Bruen, the mind behind KnujOn, remains unconvinced that EstDomains is completely sincere in its promise, mostly because the registrar continues to identify itself as a "U.S.-based" company, despite the fact that everyone knows that the Est in EstDomains stands for Estonia and that the company is incorporated in Delaware in name and paperwork only.
Re-read the last EstDomains quote to yourself again in a thick Russian accent and draw your own conclusions.
"The entire premise of this release is flawed since they are still claiming to be located in the United States when everyone knows they are not," Bruen writes. "If they want us to believe them, they should start by completely coming out of the shadows and tell everyone where they really are. Until we know the first level of truth, every other claim is suspect."
Up until this point, Bruen's observations and predictions have all been pretty much right on the mark.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.