ICANN DNS AbuseSF (3).pptx [Read-Only] · Microsoft Digital Crimes Unit
TRANSCRIPT
![Page 1: ICANN DNS AbuseSF (3).pptx [Read-Only] · Microsoft Digital Crimes Unit A worldwide team of lawyers, investigators, technical analysts and other specialists whose mission is to make](https://reader036.vdocuments.us/reader036/viewer/2022071211/60232f89c4528d189a240e2b/html5/thumbnails/1.jpg)
DNS Abuse: The fight against digital crime
Richard Domingues Boscovich
Sr. Attorney
Microsoft Digital Crimes Unit
Page 2
Microsoft Digital Crimes Unit
A worldwide team of lawyers, investigators, technical analysts and other specialists whose mission is to make the Internet safer and more secure through strong enforcement, global partnerships, policy and technology solutions that help:
Page 3
Going after the criminals' own infrastructure & "Botnets"
Page 4
Going after the criminals' own infrastructure & "Botnets"
– Operation b49: the Waledac botnet takedown
– On October 27, 2010, Microsoft secured a default order and took possession of 277 domains used as C&C servers for the Waledac botnet
– Operation b49 effectively severed between 70,000 and 90,000 computers from the botnet
– b49 was the first initiative in Microsoft's Project MARS (Microsoft Active Response for Security), a broad effort to annihilate botnets
Page 5
Operation b49
– The legal obstacle to taking down a botnet – due process rights: parties have a right to receive notice
– However, notice to botnet defendants allows them to move the botnet, destroy evidence, and avoid prosecution.
– The solution: an ex parte Temporary Restraining Order ("TRO")
  – A very extraordinary remedy
  – Temporarily restrains the defendant's conduct without notice
  – Must show that "immediate irreparable" harm will occur
Page 6
Operation b49
The Waledac Botnet (diagram):
– Infected user computers make up the botnet.
– "Command & Control Server" (tells infected computers what to do)
– 276 .com domains (maintained by VeriSign in EDVA, the Eastern District of Virginia) controlling the botnet computers' ability to communicate.
• Once ex parte TRO granted, Microsoft had four days to act before giving notice to defendants
• Microsoft coordinated with VeriSign to shut down the 276 domains disseminating malicious botnet code
Page 7
Operation b49
Notice of the TRO and Service of the Complaint
• Once the immediate harm was stopped, Microsoft had to provide notice to domain registrants by (1) e-mail, (2) personal service, (3) fax, and (4) publication on a website.
Page 8
Operation b49
Page 9
Operation b49
45 Days
Page 10
Operation b49
Page 11
Operation b49
– Obstacles to effecting service and notice abroad
– Almost all domains were registered through Chinese domain registrars
– Identifying and locating registrants abroad is difficult
– Working through international treaties to effect personal service is complex and slow
– Ensuring registrants' U.S. due process rights are preserved abroad requires creative forms of notice
Page 12
Domain Name Generation Algorithm / Hardcoded
40cpylphvo31hvddr.name
7kbn85rpctiiciey.me
bw93coq38x1ehnijsr.info
bymsywbqmeebd.com
ccsg4eeplc571y.com
f15wbtf5ctofd.info
i93webucmsnewqb.cn
jrjttjrotd9l.com
jtttswb7r60bg.net
lbnmbgupdriiw.net
lff0edydbjbeyr.name
nxrfiq9aaibuux.com
opqfcdjxge7cwu.me
osfhccwa5ot18bc.name
qhqbwhdmqab69jl.com
tlcbdifd9federyxh.com
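The slide shows the kind of names a botnet reaches its C&C through: either produced by a domain generation algorithm or hardcoded into the malware. The Python below is an added example for this page, not code from the presentation or from Microsoft DCU. It scores the registrable label of a domain on traits such names share and dictionary-word names do not (few vowels, long consonant runs, digits mixed into a long label, high character entropy) and runs the slide's list beside a handful of well-known domains. The thresholds, the benign comparison set, and the function names `dga_score`, `is_dga_like` and `rank` are this example's own assumptions, not published values or any Microsoft tooling.

```python
"""Heuristic triage of algorithmically generated domain names (DGA-like labels).

Added example for this page; it is not code from the presentation or from
Microsoft DCU.  It scores the registrable label of a domain on traits that
machine-generated names tend to share and that dictionary-word names do not.
Thresholds are assumptions tuned on the slide's sample, not published values.
"""
import math
import re

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")  # 'y' counted as a consonant

# The 16 names shown on the slide.
SLIDE_DOMAINS = [
    "40cpylphvo31hvddr.name", "7kbn85rpctiiciey.me", "bw93coq38x1ehnijsr.info",
    "bymsywbqmeebd.com", "ccsg4eeplc571y.com", "f15wbtf5ctofd.info",
    "i93webucmsnewqb.cn", "jrjttjrotd9l.com", "jtttswb7r60bg.net",
    "lbnmbgupdriiw.net", "lff0edydbjbeyr.name", "nxrfiq9aaibuux.com",
    "opqfcdjxge7cwu.me", "osfhccwa5ot18bc.name", "qhqbwhdmqab69jl.com",
    "tlcbdifd9federyxh.com",
]

# Constructed comparison set of well-known names (assumption: treated as benign).
BENIGN_DOMAINS = ["microsoft.com", "facebook.com", "twitter.com",
                  "verisign.com", "wordpress.com", "icann.org"]


def registrable_label(domain: str) -> str:
    """Label left of the final dot, lowercased.  Multi-label public suffixes
    such as co.uk are not handled; the slide's sample uses single-label TLDs."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest unbroken run of consonants in s."""
    return max((len(m) for m in CONSONANT_RUN.findall(s)), default=0)


def dga_features(domain: str) -> dict:
    """Per-label measurements that dga_score thresholds."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
        "consonant_run": longest_consonant_run(label),
    }


def dga_score(domain: str) -> int:
    """Number of indicators tripped, 0..5 (thresholds are this example's assumptions)."""
    f = dga_features(domain)
    score = 0
    if f["length"] >= 12:                                  # brand names are usually shorter
        score += 1
    if f["vowel_ratio"] < 0.30:                            # pronounceable words run near 40% vowels
        score += 1
    if f["consonant_run"] >= 4:                            # 'qhqbwhdmq' has no pronounceable structure
        score += 1
    if 0 < f["digit_ratio"] < 0.5 and f["length"] >= 12:  # digits sprinkled inside a long label
        score += 1
    if f["entropy"] >= 3.2:                                # near-uniform symbol mix
        score += 1
    return score


def is_dga_like(domain: str, threshold: int = 3) -> bool:
    """True when at least `threshold` of the five indicators trip."""
    return dga_score(domain) >= threshold


def rank(domains):
    """(score, domain) pairs, most suspicious first, for analyst triage."""
    return sorted(((dga_score(d), d) for d in domains), key=lambda p: (-p[0], p[1]))


if __name__ == "__main__":
    for score, domain in rank(SLIDE_DOMAINS + BENIGN_DOMAINS):
        flag = "DGA?" if score >= 3 else "ok  "
        print(f"{flag} {score} {domain}")
```

Every slide name trips at least three of the five indicators while none of the well-known names does, which is the point of such a scorer: it is cheap enough to run over passive DNS or resolver logs as a first filter, but a short DGA (under 12 characters) or a DGA built from dictionary words will slip past it, so the output is a triage queue, not a verdict.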
Page 13
Domain abuse
Page 14
Follow us on Facebook and Twitter!
facebook.com/MicrosoftDCU
twitter.com/MicrosoftDCU