Latest news of the domain name industry

Google blocks Go Daddy for ‘hosting malware’

(UPDATED) Google is currently blocking Go Daddy’s web site, calling it dangerous, because one of its image-hosting domains has been flagged for hosting malware.

Chrome users visiting pages on godaddy.com, including its storefront, currently see the standard Google alert page: “Warning: Visiting this site may harm your computer!”

Go Daddy’s main page seems to be affected because it uses images hosted at img5.wsimg.com, a Go Daddy domain.

A bit of a poke around reveals that the whole of wsimg.com is currently considered a malware site by Google’s toolbar on non-Chrome browsers, and also by the Google search engine.

The question is, of course, whether this is a simple false positive or whether bad guys have somehow managed to inject malware onto Go Daddy’s servers.

Go Daddy’s web site takes revenue in the six figures every hour, so if this is a false positive I can only imagine the content of the phone calls between Scottsdale and Mountain View right now.

But Go Daddy has been a target for the bad guys in recent weeks, with attacks against its hosting customers proving an irritant that the company can’t seem to shake off.

The company was also the victim of a phishing attack yesterday. I’d be surprised if the two incidents are connected.

UPDATE: Warren Adelman, Go Daddy’s chief operating officer, just called to say that this was indeed a false positive.

“Google erroneously flagged some of our image servers,” he said. “We need to go into this with Google, but there wasn’t any malware on our end.”

Adelman said Go Daddy has a pretty good idea what happened, but that it proved hard to get hold of the relevant people at Google on a Sunday morning during Memorial Day weekend.

Further details may be forthcoming later this week. For now, Google has apparently unflagged the servers in question, and Adelman expects the situation to be resolved within the hour.

China connection to Go Daddy WordPress attacks

Go Daddy’s hosting customers are under attack again, and this time it looks like it’s more serious.

Reports are surfacing that WordPress sites hosted at Go Daddy, and possibly also Joomla and plain PHP pages there, are being hacked to add drive-by malware downloads to them.

Go Daddy has acknowledged the attacks, blaming outdated WordPress installations and weak FTP passwords, and has put up a page with instructions for cleaning the infection.

Last week, I was told that the first round of attacks was very limited. Today, the attackers seem to have stepped it up a notch.

As a result, Go Daddy could find itself in a similar situation to Network Solutions, which had a couple of thousand customer sites hacked a few weeks back.

The attacks appear to be linked to a well-known crime gang with a Chinese connection.

According to Sucuri, when a Go Daddy-hosted WordPress page is hacked, JavaScript is injected that attempts to redirect surfers to a drive-by attack from the domain kdjkfjskdfjlskdjf.com (don’t go there).

This domain was registered with BizCN.com, an ICANN-accredited Chinese registrar, but its name servers appear to have been created purely for the attack.

The registrant’s email address is hilarykneber@yahoo.com. This connects the attack to the “Kneber” botnet, a successful criminal enterprise that has been operating since at least December 2009.

A Netwitness study revealed the network comprised at least 74,000 hacked computers, and that the bulk of Kneber’s command and control infrastructure is based in China.

Since Kneber is known to be operated by a financially motivated gang, and it’s by no means certain that they’re Chinese, it’s probably inaccurate to suggest there’s something political going on.

However, I will note that Go Daddy was quite vocal about its withdrawal from the .cn Chinese domain name registration market.

Network Solutions, while it was quieter, also stopped selling .cn domains around the same time as the Chinese government started enforcing strict registrant ID rules last December.

New gTLDs will cost $155 billion, honest

A report out from the Coalition Against Domain Name Abuse, which pegs the cost of first-round new gTLD defensive registrations at $746 million, has set eyes rolling this evening.

CircleID rather oddly compares it to a recent Minds + Machines study, “predicting new gTLDs will only cost $.10 per trademark worldwide.”

Apples and oranges, in my view.

But numbers are fun.

My own estimate, using data from both CADNA and M+M, puts the total cost of new gTLD defensive registrations at $155.85 billion.

For the avoidance of doubt, you should (continue reading)

China domain name registrations plummeting

The Chinese ccTLD has lost almost four million domain name registrations since it implemented draconian identification requirements last December.

According to CNNIC, the .cn manager, there were 9.53 million domains registered at the end of February, compared to 12.28 million in January and 13.45 million in December.

That’s a loss of 3.9 million domains since the new registration requirements were introduced mid-December.

The bulk of the loss appears to have come from pure .cn names, which dropped from 8.61 million in December to 6.14 million in February.

The .com.cn namespace lost about half a million names over the same period. The rest of the drop-off came in lesser-used second-level domains such as .org.cn.

Since December 14, CNNIC has required all Chinese registrants to provide photo ID before they register a domain.

Recently, the registry has tried to apply this requirement retroactively to existing registrations, causing registrars including Go Daddy and Network Solutions to abandon the TLD altogether.

I-Root yanks Beijing node

Kevin Murphy, March 31, 2010, Domain Tech

Autonomica, which runs i-root-servers.net, has stopped advertising its Anycast node in Beijing, after reports last week that its responses were being tampered with.

In the light of recent tensions between China and the US, people got a bit nervous after the Chilean ccTLD manager reported some “odd behaviour” to the dns-ops mailing list last week.

It seemed that DNS lookups for Facebook, Twitter and YouTube were being censored as they returned from I-Root’s node in China, which is hosted by CNNIC.

There was no suggestion that Autonomica was complicit in any censorship, and chief executive Karl Erik Lindqvist has now confirmed as much.

“Netnod/Autonomica is 100% committed to serving the root zone DNS data as published by the IANA. We have made a clear and public declaration of this, and we guarantee that the responses sent out by any i.root-servers.net instance consist of the appropriate data in the IANA root zone,” he wrote.

While Lindqvist is not explicit, the suggestion seems to be that somebody on the Chinese internet not associated with I-Root has been messing with DNS queries as they pass across the network.

This is believed to be common practice in China, whose citizens are subject to strict censorship, but any such activity outside its borders obviously represents a threat to the internet’s reliability.

The CNNIC node is offline until further notice.
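The check behind the Chilean report is a simple one: a root server is not authoritative for facebook.com, so a legitimate reply from any I-Root instance can only be a referral to the .com servers, never an answer. The following is an added example, not code from the post or from Netnod/Autonomica: it builds two constructed wire-format replies (the IP 203.0.113.7 is a documentation address) and classifies a reply by whether it delegates or injects an answer.

```python
import struct

def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_response(txid, flags, question, answers=(), authority=()):
    """Build a DNS reply for an A/IN question. Records are (name, rtype, rdata)."""
    hdr = struct.pack(">HHHHHH", txid, flags, 1, len(answers), len(authority), 0)
    body = encode_name(question) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    for name, rtype, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack(">HHIH", rtype, 1, 172800, len(rdata)) + rdata
    return hdr + body

def classify_root_reply(pkt):
    """Classify a reply received from a root server instance for a non-root name.

    Returns 'referral' (the only legitimate shape), 'injected_answer',
    'rcode_error' or 'malformed'.
    """
    if len(pkt) < 12:
        return "malformed"
    _txid, flags, _qd, ancount, nscount, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000:
        return "malformed"          # QR bit clear: this is a query, not a reply
    if flags & 0x000F:
        return "rcode_error"        # SERVFAIL/NXDOMAIN etc. from a root is worth logging too
    # A root server must not answer for facebook.com, only delegate: any
    # answer-section record, or the AA bit, means the reply did not come
    # from the root zone data and was inserted on the path.
    if ancount > 0 or flags & 0x0400:
        return "injected_answer"
    if nscount > 0:
        return "referral"
    return "malformed"

# Constructed samples: a proper referral (QR|RD, authority = NS for com.) and
# an on-path injection (QR|AA|RD|RA, answer = A record for facebook.com).
GOOD_REPLY = build_response(0x1234, 0x8100, "facebook.com",
                            authority=[("com", 2, encode_name("a.gtld-servers.net"))])
BAD_REPLY = build_response(0x1234, 0x8580, "facebook.com",
                           answers=[("facebook.com", 1, bytes([203, 0, 113, 7]))])
```

Run against live traffic, the same classifier applied to replies from each root instance (and compared across instances) separates a tampered path from a misbehaving server.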