Tag Archives: DNS

Ruby Derailed

Visitors to the website of the hugely popular software development tool, Ruby on Rails may be be a little surprised to be greeted by a striking blonde offering them a selection of sponsored links and other advertising rather than the web site they were expecting.

Current view of RubyonRails.org

Initially puzzled by this change in content I was looking for evidence that the site had been compromised, but sometimes the simplest explanations are the right ones.
A quick look at the domain registration information reveals an update date of today, 20th April 2010 hinting that it may no longer be under the control of its former owners. It seems that either someone forgot their renewal date or some other snafu occurred at the registrar.
David Heinemeier Hansson tweeted

“Getting f**ked over on the Rails domain again this year by buydomains.dk. But shame is on me for not moving it last year :(“

The former owner of the domain name also says that he is in the process of reclaiming his digital property.
Failing to renew a domain name can be a costly mistake, as of course it disrupts all traffic to that domain, not least e-mail, as organisations such as the Washington Post and retailer Hamleys have previously discovered.

British police remove drop from ocean.

British law enforcement today completed a project dubbed Operation Papworth, aimed at reducing the exposure of the British online shopping public to fraudulent websites in the run up to Christmas. The Metropolitan Police Central e-Crime Unit have been widely reported in the media as “shutting down” or “taking down” more than 1200 websites peddling fraudulent designer goods such as Ugg boots, ghd hair straighteners and Tiffany jewellery at temptingly low prices. I’m sure in many cases you’ve seen the “tempting” spam for yourselves.


The sites were registered with .co.uk domain names so as to appear more credible and attractive to UK based buyers, even though in many cases both the sites and the domain registrations themselves were outside the UK. Obviously people tempted into buying from these shops risked not only receiving sub-standard goods with no chance of recompense, but also having their financial details or identities stolen, abused and/or traded on the underground economy. So before I go on, let me make it clear that despite my reservations about its effectiveness, I applaud and support this initiative by UK law enforcement (I’m sure they’ll be relieved to hear that).


But (and you knew there was going to be a “but”) this represents at best a stopgap measure and at worst a simple waste of time. The root cause remains unaddressed and I fully expect these same sites to reappear under different names in the very near future. The sites themselves have not been “taken down” at all as far as I can tell. What has happened is that Nominet, the body responsible for the .uk top-level domain has simply broken the link between the domain name and the server the site is based on. What does that mean? It means when you type www.globalugg.co.uk into your browser it doesn’t go anywhere anymore.


If it was your criminal operation, what would you do? You’d register another domain name of course!


Here are the current details for a dodgy looking site, notice the Registration status is SUSPENDED, perhaps this was one of those 1200 sites.

WHOIS query for globalugg.co.uk

WHOIS query for globalugg.co.uk



There are a few other interesting bits to this registration though, look at the Registrant’s address, how can they be a “UK individual”? Notice too that the domain was not even registered in the UK, the Registrar is eNom Inc. a (totally legitimate) US-based registrar. The Name servers responsible for this domain belong to US Web Hosting, another totally above board US provider. So we have a scammer with a Chinese address, registering a .co.uk domain with an American registrar and hosting their server with another US outfit.


To bring my whole scam back to life all I have to do is register a new domain and point it to the same server as before, maybe just for variety’s sake this time with a Ukrainian registrar, just like this:

Domain availability through Ukranian Registrar Imena

Domain availability through Ukranian Registrar Imena



And that is the real issue, far too many DNS domains, including .co.uk and those of many other countries, are operated as “open” domains and in the words of Nominet:

We do not impose restrictions on your status as applicant for the registration of a Domain Name in the following SLDs (“Open SLDs”):

   1. 4.4.1 .co.uk; or

   2. 4.4.2 .org.uk.

In the SLD Charter of the SLD Rules for the Open SLDs we do set out certain intentions regarding the class of applicant or use of registrations of the Domain Name which we assume you will comply with when applying for a registration of a Domain Name within an Open SLD. However, we do not forbid applications, and will take no action in respect of registrations that do not comply with the SLD Charters


Until regulation is tightened and international cooperation is improved then well-intentioned initiatives like Operation Papworth will be um, micturating in the tempest.

Apple anti-malware? Snow joke!

It looks, on one hand, as it Apple are now alive to the danger that malicious code represents to their users. Reports from beta testers indicate that in the newest version of MacOS Snow Leopard, due for release tomorrow, Apple have included anti-malware technology (although someone needs to tell their marketing department who as previously blogged, are still touting Mac OS as being unaffected by malware new ad called “Surprise“).

Picture courtesy of Intego

Picture courtesy of Intego


In the new version of MacOS, when a user downloads a file that is detected as containing malicious code, the user is notified that the file “could damage your computer” and prompted to delete the offending file.


This recognition of the threat of malware is a new, important and very encouraging step made by the folks over at Infinity Loop.


Although I welcome any attempt by Apple to keep their growing user community safe and secure, the malware detection released with Snow Leopard can only be described as rudimentary at best, files are only scanned at time of download, and even then, only when downloaded by certain applications (such as Safari, iChat or Mail). Malware is detected by way of a static pattern matching file, the file that ships with Snow Leopard contains definitions for only two pieces of malware, OSX_RSPLUG and OSX_KROWI. The update mechanism that is being proposed for these virus patterns is the standard Apple Software Update technology so updates may well be irregular. Rather than the real-time updates necessary to combat today’s sophisticated threats. There appears to be no real-time scan (files are not scanned as they are executed), no central management or reporting.


The RSPlug Trojan (Oct 2007), drops the DNSChanger malware, and Krowi is the piece of malware responsible for the creation of the first OSX botnet and was found hidden in various illegally shared copies of popular Mac applications. No mention then of the Jahlav family of malware so prevalent at the moment. In fact the most recent discovery of a new variant of this was made just this week by Trend Micro’s own Feike Hacquebord and was hiding in supposed pirated copies of Snow Leopard itself.


RSPlug and Jahlav have both been known to pose as video codec installers, a tactic long popular on the windows platform. Once installed, DNS changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will distinguish whether the browser is Mac or PC based and serve up the correct flavour of Trojan demonstrating that it is the same skilled and experienced malware business now setting its sights on the Apple community. It is also worth nothing that Mac Forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign.


These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple may finally be listening. Malware has existed on the Mac platform since pre OS X days, as have anti-malware tools. However the radical change in the nature of the malware industry coupled with Apple’s huge success in recent years, means it is a trend which is now far more likely to be exploited for malicious ends and at the financial cost of the end user in the coming months and years.