Domain seized

boker
Looks like one of my domains was used in some kind of cyber attacks or something like that. The domain oreux in king, was a hand reg from a year ago and I wanted to transfer it to another registrar. The transfer failed because the domain was locked. I've double checked with my registrar, and everything showed fine in the control panel, domain unlocked and the nameservers were ns1.undeveloped.com, but when I did a whois check, the domain was transfer prohibited and the nameservers were something like:
SC-C.SINKHOLE.SHADOWSERVER.ORG
Looks like the domain was used in some kind of cyber attack and they have seized around 800,000 domains. Nobody has told me anything about it and I still have access to everything in the control panel, the only issue is that the control panel doesn't have control over everything. A couple of months ago everything was fine, so it looks like they have changed the nameservers in the last months. So be aware, you could own some of the 800,000 domains seized. I have found a link here about it: https://www.europol.europa.eu/newsr...k-dismantled-in-international-cyber-operation
I will wait and see if I can do something about this transfer to epik.
15
This is the hosting history for OREUX.COM:

| Old hoster | New hoster | Month | Zone Date | Transaction |
|---|---|---|---|---|
| UNDEVELOPED.COM | SHADOWSERVER.ORG | November 2018 | 2018-12-01 | Transfer |
| REGISTER.IT | UNDEVELOPED.COM | July 2018 | 2018-08-01 | Transfer |
| N/A | REGISTER.IT | January 2018 | 2018-02-01 | New |
| DOMAINCONTROL.COM | N/A | November 2014 | 2014-12-01 | Deleted |
| N/A | DOMAINCONTROL.COM | October 2012 | 2012-11-01 | New |
| PARKINGWAY.NET | N/A | March 2007 | 2007-04-01 | Deleted |
| N/A | PARKINGWAY.NET | February 2007 | 2007-03-01 | New |
| INTERIMNAMESERVER.COM | N/A | October 2005 | 2005-11-01 | Deleted |
| ACZL.COM | INTERIMNAMESERVER.COM | September 2005 | 2005-10-01 | Transfer |
| N/A | ACZL.COM | September 2004 | 2004-10-01 | New |
| EASYPOST.COM | N/A | June 2004 | 2004-07-01 | Deleted |
| N/A | EASYPOST.COM | May 2003 | 2003-06-01 | New |

The odd thing is that the domain name was out of the zonefile since the December 2014 zonefile. If the Add Grace Period/AGP was being used to register and then drop these domain names within the five day AGP, it might not have been seen in the monthly checks.

The number of inbound transfers as of the 01 December 2018 zonefile with respect to the 01 November 2018 zonefiles were:
| TLD | Inbound transfers |
|---|---|
| COM | 358 |
| NET | 34 |
| ORG | 0 |
| BIZ | 2 |
| INFO | 0 |
| MOBI | |
| NGT | 1 |

In .COM and .NET, most of the transfers were 5Ls. With .COM, Chinese hosters/registrars dominated the transfers.

Just looking at the counts and it seems that some auction sites and PPC parkers are caught up in this. UNDEVELOPED.COM lost 6. ZTOMY.COM lost 6. BUYDOMAINS.COM lost 3. BRANDBUCKET.COM lost 3. THIS-DOMAIN-FOR-SALE.COM lost 3. PARKLOGIC.COM lost 3. INTERNETTRAFFIC.COM lost 3. AFTERNIC.COM lost 2. ABOVE.COM lost 1.

The .NET transfers also show a significant Chinese hoster/registrar share.

There are some odd inclusions in that domain names appear to have been deleted and then reregistered. The new buyer may have been unaware of the history of the domain names.

This is the .COM domain length (excluding '.COM') for the domain names on SHADOWSERVER.ORG:
| Length | Count |
|---|---|
| 5 | 1288 |
| 6 | 762 |
| 7 | 733 |
| 8 | 796 |
| 9 | 902 |
| 10 | 906 |
| 11 | 837 |
| 12 | 2225 |
| 13 | 1271 |
| 14 | 2009 |
| 15 | 1276 |
| 16 | 1140 |
| 17 | 4547 |
| 18 | 695 |
| 19 | 404 |
| 20 | 251 |
| 21 | 168 |
| 22 | 106 |
| 23 | 58 |
| 24 | 27 |
| 25 | 4 |
| 26 | 5 |
| 27 | 3 |
| 28 | 2 |
| 30 | 1 |

There's a combination of natural language domain names and also algorithmically generated domain names. The 5, 6, 12, 14, 17, 18 length domain names seem to be botnet associated ones. The 5 length domain names are all alphabetical. Suppose that ICANN had a lucky escape. ;)

Regards...jmcc
5
Wow what a wealth of information @jmcc! Thank you!

So it appears the domain in the thread was indeed not in use from Nov 2014 until hand registered in January.

So the ones sinkholed were from various places with 6 at Undeveloped and 3 at Brandbucket. These and some others (like the 2 Afternic) were obviously for sale, it would seem without owner or potential buyers suspecting. Interesting none parked at Sedo.

I had not thought about length. I suspect your noticing the alphabetical is the key to their statement about sinkholing names that might in future be used in malware.

If the purpose of a domain is a kill switch as in the WannaCry case it seems risky that they use as short as 5 length com as any combination that short in com is likely to get registered anyway.

Thanks again for your superb contribution to what we know.

Bob
2
Wow what a wealth of information @jmcc! Thank you!

So it appears the domain in the thread was indeed not in use from Nov 2014 until hand registered in January.

So the ones sinkholed were from various places with 6 at Undeveloped and 3 at Brandbucket. These and some others (like the 2 Afternic) were obviously for sale, it would seem without owner or potential buyers suspecting. Interesting none parked at Sedo.
I think that there was at least one on Sedo. It looks like a bit of a mess in that domain names were allowed to delete and then were reregistered.

I had not thought about length. I suspect your noticing the alphabetical is the key to their statement about sinkholing names that might in future be used in malware.
The problem with some in the legal profession is that they don't seem to realise that the people writing malware may realise that a particular type of domain name had been used in the past as a killswitch and they may not use that kind of domain name again. The length of the domain name could be a function of domain name generation algorithms.

A lot depends on the kind of domain name generation algorithm in use. If the algorithm was just going to use short alphabetical domain names, then it is a limited number of possibilities. If numbers and hyphens are added then the number of possible domain names increases. Some of the alpha-numerical domain names seem to be algorithmically generated domain names for botnets and other malware.

The big danger with an open ended "future use" sinkholing is that it has no precision. Valid domain names/words could easily be caught up in this kind of action. If that reasoning was applied to some of the NGTs then some of the market leaders would easily lose domain names because some of the registrars facilitated randomly generated domain name registration in the heavily discounted NGTs. Another important issue is that the world does not speak English. A domain name that does not make sense in an English speaking market might make perfect sense, for example, in the Chinese market.

If the purpose of a domain is a kill switch as in the WannaCry case it seems risky that they use as short as 5 length com as any combination that short in com is likely to get registered anyway.
It depends on whether they decide to incorporate a killswitch. I suppose that the battle between malware writers and AV people is not unlike codebreaking. In codebreaking, if something allows a code to be broken, it has to be treated carefully so as not to alert the opponent. The publicity surrounding the WannaCry killswitch neutralised that approach being used to stop a future malware attack because any malware writer will probably take care not to repeat that kind of error.

Regards...jmcc
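The length breakdown jmcc tabulated earlier in the thread, the all-alphabetical 5-length observation, and the keyspace point about letters-only versus alphanumeric generators can all be reproduced with a short script. This is an added illustration, not jmcc's code or the zonefile data behind his tables; the domain list below is constructed and the .COM label rules are the standard LDH ones.

```python
from collections import Counter
from string import ascii_lowercase, digits

# Constructed sample (not the seized list): dictionary-style names mixed with
# labels that look algorithmically generated, all under .COM.
SAMPLE_DOMAINS = [
    "oreux.com", "abcde.com", "qwzxk.com", "mjpyl.com", "music.com", "games.com",
    "ab3d-x.com", "bluewidget.com", "k9z2q7m4p1h6.com", "x7k2p9q4m1z6v3.com",
    "sunnyparkhotels.com", "zz9kq4p7x2m8w1r5t.com",
]

def label_of(domain: str) -> str:
    """Second-level label only, e.g. 'oreux' for 'oreux.com'."""
    return domain.lower().rstrip(".").rsplit(".", 1)[0]

def length_histogram(domains) -> Counter:
    """Label length -> count, the same shape as the Length/Count table above."""
    return Counter(len(label_of(d)) for d in domains)

def alpha_only_by_length(domains) -> dict:
    """Label length -> fraction of labels that are purely a-z.
    A length bucket at 1.0 (all letters) next to buckets full of digits is
    the kind of contrast jmcc saw between the 5-length and longer names."""
    totals, alpha = Counter(), Counter()
    for d in domains:
        lab = label_of(d)
        totals[len(lab)] += 1
        if lab.isascii() and lab.isalpha():
            alpha[len(lab)] += 1
    return {n: alpha[n] / totals[n] for n in sorted(totals)}

def keyspace(length: int, alphabet: str = ascii_lowercase) -> int:
    """How many distinct labels of this length a generator could produce.
    Letters only: 26**length. With digits and '-', a hyphen may not start
    or end a label, so the two edge positions lose one symbol each.
    (The extra rule against hyphens in positions 3 and 4 is ignored here.)"""
    n = len(alphabet)
    if "-" not in alphabet:
        return n ** length
    if length == 1:
        return n - 1
    return (n - 1) * (n - 1) * n ** (length - 2)

if __name__ == "__main__":
    hist = length_histogram(SAMPLE_DOMAINS)
    alpha = alpha_only_by_length(SAMPLE_DOMAINS)
    print("Length  Count  All-alpha")
    for n in sorted(hist):
        print(f"{n:>6}  {hist[n]:>5}  {alpha[n]:.2f}")
    # Bob's point: every 5-letter .COM is probably registered already.
    print("5-char letters-only keyspace:", keyspace(5))
    print("5-char with digits and '-':", keyspace(5, ascii_lowercase + digits + "-"))
```

Run against a real zonefile diff, the histogram and per-length alphabetical ratio are what you would compare between two monthly snapshots to spot a bulk nameserver move like the one in this thread.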
4
Honest question, what if this happened to a large entity like Google just for example. Someone just gonna take that?
3
Just left another voicemail with the DOJ contact for this case, Colin Callahan. I am documenting here the ongoing good faith effort to whitelist a domain that was wrongly sinkholed, and the non-responsive handling by the DOJ to address request for timely cure for this particular domain. There is a larger issue of Due Process for takedowns generally but for this immediate case of collateral damage of an innocent domain, it would appear that the agency responsible for compiling the sinkhole list is unresponsive.
6
Just left another voicemail with the DOJ contact for this case, Colin Callahan. I am documenting here the ongoing good faith effort to whitelist a domain that was wrongly sinkholed, and the non-responsive handling by the DOJ to address request for timely cure for this particular domain. There is a larger issue of Due Process for takedowns generally but for this immediate case of collateral damage of an innocent domain, it would appear that the agency responsible for compiling the sinkhole list is unresponsive.
Thanks Rob!

Also important would be the protocol for the blacklisting. To be able to whitelist, we should be able to understand the blacklist process, start to finish.
2
Does anyone here have a list of all the domains that were seized by ICE? i.e. presumably this seizure was just part of the operation discussed at:

https://www.ice.gov/news/releases/over-million-websites-seized-global-operation

https://www.techdirt.com/articles/2...-that-copyright-trademark-are-different.shtml

It might be useful for the ICANN RPM PDP working group (if it was really "TM infringing" domains, as opposed to simply copyright violations in the content of non-TM infringing domains), where we're studying things like the UDRP, URS, etc

If it's in a court file, etc., please tell me the case number, etc.
1
Does anyone here have a list of all the domains that were seized by ICE? i.e. presumably this seizure was just part of the operation discussed at:

https://www.ice.gov/news/releases/over-million-websites-seized-global-operation

https://www.techdirt.com/articles/2...-that-copyright-trademark-are-different.shtml

It might be useful for the ICANN RPM PDP working group (if it was really "TM infringing" domains, as opposed to simply copyright violations in the content of non-TM infringing domains), where we're studying things like the UDRP, URS, etc

If it's in a court file, etc., please tell me the case number, etc.
I'm not sure, but my guess is that the 1 million websites are different from the 800k domains seized. The latest ones were seized first in 2016 and released when they expired, and the court order was renewed in November 2018 so that they are seized again. I could be wrong, but that's what I see, so the total will be close to 2 million domain names if you count both operations.
3
Does anyone here have a list of all the domains that were seized by ICE?
I see some of them regularly in the web usage surveys. I think that some of them used to be moved to a particular set of nameservers. The TLDs aren't mentioned but it would not be surprising if some of them were new gTLDs and particular ccTLDs. The domain name used in the press release was shifted to SEIZEDSERVERS.COM but that only hosts 1370 C/N/O/B/I domains as of 01/Jan/2019. Some of the domain names seized through civil actions are generally pointed to the brand owner's sites or a kind of trophy page.

It might be useful for the ICANN RPM PDP working group (if it was really "TM infringing" domains, as opposed to simply copyright violations in the content of non-TM infringing domains), where we're studying things like the UDRP, URS, etc
There's a combination of things that make these targeted domain names stand out. Some of them use TMs in the domain names but many would have websites selling counterfeit goods. The heavily discounted NGTs really do facilitate this type of abuse. Some of them are promoted in search engine results using link injections on compromised WordPress sites.

Regards...jmcc
2
Just to stay on track.

1. The domain in the OP was one of the 800,000 that was sinkholed by DOJ/Homeland Security. These are sinkholed @ ShadowServer. These domains are linked to a malware outbreak, both in the past and expected in the future. This thread is mainly about this seizure.

2. The newly mentioned seizure was conducted by ICE for copyright violations. Those domains are stored separately and have no affiliation with the malware domains that were seized.

I suppose this thread could be joined discussing both seizures, but the circumstances are much different. The 800,000 malware seized domains seem to be a complete mystery, with many questions and little answers. The latter ICE seizure is well documented.
4
Just to stay on track.

1. The domain in the OP was one of the 800,000 that was sinkholed by DOJ/Homeland Security. These are sinkholed @ ShadowServer.
The problem is that Shadowserver is only hosting 60,221 CNOBI domain names as of 01/January/2019. There was one domain name that had moved out to BODIS.COM so it might have been an accidental sinkholing of a rereg. It is possible to knock a domain name out of the zonefiles by removing its nameserver entries. That, rather than moving to a sinkhole, may be more efficient and can be done at a registry or registrar level.

This is the NGT breakdown (9,538) by gTLD for Shadowserver:

| gTLD | Count |
|---|---|
| XYZ | 5806 |
| SPACE | 2316 |
| ONLINE | 433 |
| SITE | 215 |
| TECH | 205 |
| BID | 202 |
| TOP | 107 |
| WEBSITE | 106 |
| RENT | 100 |
| WIN | 23 |
| CLICK | 7 |
| CLUB | 7 |
| TRADE | 2 |
| LAND | 1 |
| BIKE | 1 |
| EMAIL | 1 |
| TODAY | 1 |
| SUPPORT | 1 |
| HOST | 1 |
| PRESS | 1 |
| WORK | 1 |
| DOWNLOAD | 1 |


Regards...jmcc
3
These seem to be the paragraphs that are creating the ICE confusion:
"WASHINGTON – More than 1 million copyright-infringing website domain names selling counterfeit automotive parts, electrical components, personal care items and other fake goods were criminally and civilly seized in the past year through the combined efforts of law-enforcement agencies across the world, high-profile industry representatives and anti-counterfeiting associations."

The 1.21 million domain names seems to be over the period of a year rather than in one single operation.

"Roughly 33,600 website domain names were criminally seized in a collaborative effort between ICE’s Homeland Security Investigations (HSI), Europol, Interpol and police agencies from 26 different countries. Industry partners participating in the operation were fully responsible for civilly seizing 1.21 million domain names and shutting down 2.2 million erroneous ecommerce links featured on social media platforms and third-party marketplaces."

The number of sites seized in a joint operation is much lower (33K6). It is, as Internet.Domains pointed out above, separate from the malware sinkholing.

Regards...jmcc
3
Just had a lovely call with the US DOJ contact in Pittsburgh. They are fast-tracking their review of Oreux.com and hopefully the domain can be released to Epik per the registrant's intentions.

During the call we also discussed the appeal process. The DOJ contact was also familiar with Epik's role in recovering Gab.com from a separate deplatforming action that was presumably not DOJ-led.

Next week I am scheduled to have a call with Benedict Addis of the Registrar of Last Resort. These guys all know each other and have worked together for some time.

Hopefully the DOJ will confirm what I believe and that is that the domain Oreux.com was not being used for nefarious purposes and was wrongfully included in the bulk takedown. The 2018 registrant had the domain parked at Undeveloped which can be verified here:

https://web.archive.org/web/20180801000000*/oreux.com

Going forward, the DOJ contact did authorize me to contact him directly in the event of future cases of wrongful takedown by ShadowServer. I call that progress as rapid takedown also needs rapid remediation in the case of wrongful seizure as I am 99% sure was the case here.
13
Just had a lovely call with the US DOJ contact in Pittsburgh. They are fast-tracking their review of Oreux.com and hopefully the domain can be released to Epik per the registrant's intentions.

During the call we also discussed the appeal process. The DOJ contact was also familiar with Epik's role in recovering Gab.com from a separate deplatforming action that was presumably not DOJ-led.

Next week I am scheduled to have a call with Benedict Addis of the Registrar of Last Resort. These guys all know each other and have worked together for some time.

Hopefully the DOJ will confirm what I believe and that is that the domain Oreux.com was not being used for nefarious purposes and was wrongfully included in the bulk takedown. The 2018 registrant had the domain parked at Undeveloped which can be verified here:

https://web.archive.org/web/20180801000000*/oreux.com

Going forward, the DOJ contact did authorize me to contact him directly in the event of future cases of wrongful takedown by ShadowServer. I call that progress as rapid takedown also needs rapid remediation in the case of wrongful seizure as I am 99% sure was the case here.
Thanks to @Rob Monster it looks like there is a chance to recover the domain, if it is unlocked by 11 January, when it is due to expire. It's not about the value, it's about the idea that there are still some chances to recover a domain, even if it was forcefully taken down.
2
Thanks to @Rob Monster it looks like there is a chance to recover the domain, if it is unlocked by 11 January, when it is due to expire. It's not about the value, it's about the idea that there are still some chances to recover a domain, even if it was forcefully taken down.

I talked to the DOJ again just now. The domain is apparently part of the Avalanche network and programmed to do whatever it does between now and November 2019. They intend to keep the domain sinkholed until then. The domain is basically unusable in the meantime and there is no compensation.

Of note, he also said they are not expecting to do more of these bulk takedown operations. I thought it was an interesting thing to say without being prompted. My guess is that the Registrar of Last Resort is going to be doing that dirty-work going forward but he did not say that specifically. Will talk to the RoLR CEO next week.
5
I talked to the DOJ again just now. The domain is apparently part of the Avalanche network and programmed to do whatever it does between now and November 2019. They intend to keep the domain sinkholed until then. The domain is basically unusable in the meantime and there is no compensation.

This is nonsensical. Suppose another botnet is created, which programs domains like Google.com, Sex.com, Music.com, Amazon.com, Games.com, X.com, AA.com, AB.com, AC.com, etc. into the "network" --- are they going to seize and sinkhole those too?
2
This is nonsensical. Suppose another botnet is created, which programs domains like Google.com, Sex.com, Music.com, Amazon.com, Games.com, X.com, AA.com, AB.com, AC.com, etc. into the "network" --- are they going to seize and sinkhole those too?
That's the concern. The Avalanche network has malware currently lying dormant and is expected to launch sometime in the future. Where? Nobody knows. This according to cybersecurity and hacker blogs.

That's why it's important to understand everything possible about the protocols and procedures for everything pertaining.
2