Trend Micro Report Finds Criminals Unlikely to Abuse Namecoin

shutterstock_122234125
18 July 2014

Namecoin’s domain-name system is an attractive environment for malicious users, but is not likely to gain widespread use among criminals, according to a research report from digital security firm Trend Micro.

The report, published last September and written by members of Trend Micro’s Forward-Looking Threat Research Team David Sancho and Robert McArdle, outlines the properties of the namecoin top-level domain system that leave it open to abuse by malicious users.

These include cheap and anonymous domain-name creations and a system that places domain-names out of the reach of central authorities seeking to shut down or commandeer a malicious site.

“You have anonymity, privacy and sturdiness, so you cannot take [these sites] down,” Sancho said.

The vast majority of top-level domains, such as .com or .org, are governed by the Internet Corporation for Assigned Names and Numbers (ICANN). Top-level domains outside the ICANN system are known as alternative DNS roots or ADRs. These include .geek and .micro suffixes, the Trend Micro paper noted.

Namecoin allows its users to create a type of domain that lies beyond ICANN’s purview. Namecoin transactions include DNS data, allowing users to create a new domain name with each transaction. These domain names are denoted by the .bit suffix and transactions are recorded in a public block chain.

Traces of a seized Polish botnet

The authors also investigated an instance of a botnet that exploited .bit domains. The authors analysed malware that made repeated connections to four .bit domains, including megashara.bit and opusattheend.bit. The malware is part of a grouping of malicious software known as the NECURS family. This malware typically enters user systems by being attached to malicious spam email. It then disables a system’s security services to prevent other pieces of malicious software from being detected.

According to Sancho, the malware that he investigated bears strong similarities to an earlier botnet that was operated from Poland, and that had been shut down by Polish authorities last January. That botnet was used for a “very pedestrian” form of financial fraud, Sancho said.

“We think this is the successor to the Polish botnet. It looks very much alike, although we have not 100% validated this claim. It looks like version two of this Polish botnet.”

When Polish authorities shut down the botnet last January, they were unable to apprehend its operator. But they successfully ‘sinkholed’ the offending domains, redirecting traffic to a site controlled by the polish cybersecurity agency, the NASK. But if Sancho’s theory is correct, then the new botnet run on .bit domains is now even more robust, because it is out of reach of state agencies.

“There’s no way that any government or any authority can take down a .bit,” Sancho said. “They won’t be able to do anything, and that’s the smart thing about it.”

Blockchain traceability paradox

Even as namecoin domains provide a high degree of anonymity to their owners, they also rely on the namecoin blockchain, which renders all transactions public. This feature allows security researchers unprecedented access to a domain name’s history. The Trend Micro paper notes that this high transparency makes it possible to assemble information about malicious websites that would not have been possible with an ICANN-administered top-level domain. Researchers are able to see when a domain name is created and the IP addresses to which it points.

“That’s information you normally don’t have with a normal domain name. I don’t get the history of every single IP [associated with a domain], that history doesn’t exist,” Sancho said.

In the case of the .bit botnet that the Trend Micro researchers investigated, the namecoin block chain yielded a network analysis graph of four affected domain names, showing that they were linked in the past by a number of IP addresses. These IP addresses were also associated with centrally administered domains in the past. As a result, the researchers say, the malicious .bit domains can be tied to the individual or group that registered those centrally administered domains. The paper states:

“Checking the Whois details on the non-.bit domains would uncover the criminal behind them. This is exactly the sort of mistake caused by simple human nature that can often be the undoing of an otherwise careful cybercriminal gang.”

Several other factors prevent namecoin domains from being easily exploited for nefarious uses. Because .bit domains can only be accessed with reconfigured network settings, malware-infected users should be able to detect traffic irregularities easily. Namecoin servers are also relatively few, and are maintained on a voluntary basis by enthusiasts. As a result, they are less reliable and may sometimes be offline. Trend Micro says about 106,000 .bit domains are in existence, and traffic to these domains remains relatively low.

As a result, Sancho and McArdle conclude that .bit domains are unlikely to become popular among malicious actors, although they possess some attractive features.

Anti-censorship domains

While the Trend Micro paper focuses on the use of namecoin domain anonymity by criminals, it acknowledges that a decentralised domain name system can also have legitimate uses. This is a point that Eli Dourado, a research fellow at George Mason University’s Mercatus Centre, underlines.

“Alternative DNS roots are important because they provide a check on ICANN, which would otherwise have a monopoly on DNS policy,” he said.

One example of an alternative top-level domain system used for political expression is the .ti suffix, which is used to denote a Tibetan website. A group called New Nations administers these top-level domains, along with a clutch of others, such as .te, .uu and .ke, for Tamils, Uyghurs and Kurds, respectively. New Nation’s rationale is that it wants to challenge the existing “power structure” governing the Internet by making these top-level domains available.

Another group, called OpenNIC, seeks to do something similar, by offering top-level domains like .fur, .free and .indy. Its mission, according to its charter, is to provide new domain hierarchies outside the ICANN system to promote “freedom of access” to the Internet. Anyone can join OpenNIC and decisions are made when proposals win a simple majority of votes cast by email.

Dourado said decentralised, anonymous domain names are particularly needed in situations where users have to bypass censorship by a state agency, or if a states possess sweeping powers to block certain websites, as in the case of the proposed SOPA legislation in the United States.

“It is important to remember that activities that are considered criminal in some countries are considered protected by human rights in other countries. While censorship resistance can make it harder to enforce good criminal laws as well as bad ones, on balance it is a net benefit for humanity.”

Security image via Shutterstock