
Sinkholed - swiftsecurity
https://susam.in/blog/sinkholed/
======
susam
Hi, I am the author of this post. I had posted another link about this story a
few days ago when this story was still unfolding.[1][2]

This blog post summarizes the timeline and the events that occurred to resolve
the domain transfer issue. Like I have mentioned in this blog post, multiple
parties such as Namecheap Support, the Shadowsecurity Foundation, and NIXI
helped me in resolving this issue. Thanks to all of them and special thanks to
Namecheap CEO, Richard Kirkendall, for looking into this issue on priority as
soon as he became aware of it.

I wish the domain name management, in particular, and the Internet, in
general, had a higher degree of decentralization, so that it were technically
impossible for something like this to happen, but I think there are many
factors at play that are currently preventing such an Internet from becoming
mainstream at this time.

[1]:
[https://news.ycombinator.com/item?id=21671579](https://news.ycombinator.com/item?id=21671579)

[2]:
[https://twitter.com/susam/status/1200678538254393345](https://twitter.com/susam/status/1200678538254393345)

~~~
mirimir
This is _great_ news!

Have you consulted a lawyer?

It seems that the Shadowsecurity Foundation did act recklessly. But you'd need
to prove monetary damages.

But perhaps they'd settle to avoid the hassle.

Edit: This is an admission of guilt:

> He explained in his email that my domain name was sinkholed accidentally as
> part of their Avalanche operation.

~~~
susam
Thank you for this comment. I have not consulted a lawyer. I have not suffered
any monetary loss due to this yet. I use this domain name only to run a small
personal blog (the one linked to in this post) and an Exim4 MTA. The fact that
the MTA became unreachable via the domain name did mean that some emails sent
to it must have bounced back. The primary loss I suffered was in terms of
time.

In fact, I appreciate the efforts of the Shadowserver Foundation in depriving
Avalanche malware families of their command and control infrastructure by
sinkholing the domain names generated by the malware domain generation
algorithms. I understand false positives like this can happen. It comes with
the territory. It just sucks that the domain name I was using happened to be a
false positive. In this case, it ended well because the Shadowserver
Foundation (along with Namecheap) acted quickly on my issue and asked NIXI to
have the domain transfer undone.

Having said that, I do believe that you make a very good point. Actions like
this should be taken with a lot more care. What if it were not a personal blog
but a small business? Depending on the nature of the business, an inadvertent
domain transfer like this could have affected the business seriously. The
Shadowsecurity Foundation did say that they are improving their processes.

I am not very concerned about this particular foundation when I talk about
this. But I am concerned about the systemic issue in the domain name
management system that allowed a mistake like this to occur. There could be
some type of peer review before a domain transfer like this is executed. I
don't think there is a general and popular solution for this problem in the
near future. I am hoping that the recent work that is going on in consensus
protocols based on cryptography might pave the way to a more decentralized
network and more decentralized name management that also become popular and
mainstream.

~~~
mirimir
Yes, I get that the Shadowserver Foundation does good work. And that they
acted quickly, after being pointed to your tweet.

However, if your tweet hadn't gotten traction, and if Namecheap hadn't been
proactive, you'd likely have never gotten the domain back. I mean, you had the
Namecheap CEO on the case! And for a business losing a domain like that, it'd
probably be fatal.

I get that many think that Americans are hugely too litigious. But there is
the argument that there ought to be compensation for damages.

You say that "[t]he primary loss I suffered was in terms of time". But
arguably your time is worth something. Such as your customary billing rate,
times three.

Edit: Or just send them an invoice. At perhaps 50% over your customary billing
rate, given that it was a rush job.

~~~
sameerds
> I get that many think that Americans are hugely too litigious. But there is
> the argument that there ought to be compensation for damages.

That point of view is rather unfortunate. Why does it have to be about
damages? GP even ends his comment on a very positive note about things that
would help. Not every mistake needs to be punished. It was a false positive,
and it was heartening to see that all the parties acted fast enough. Why not
just move on instead of outraging over hypothetical concerns?

EDIT: I have no idea how to quote parent comments here.

~~~
stjohnswarts
I was kind of heartened by how quickly they reacted. However, it is quite true
that Americans are very litigious; however, Austria, Germany and Israel are
worse than us, and England isn't far behind.

~~~
Aeolun
I don’t think I hear anybody from those countries talk about suing nearly as
much as any US citizen.

What is your source for that?

------
badrabbit
As someone that deals with sinkholed malware domains every day, I have to say I
slightly disagree with the logic and approach behind it.

The basic premise is that unwitting hosts are compromised by malware, this
malware is talking to a domain and in order to protect the infected users and
curtail the further spreading of the malware the domain is sinkholed.

First, a random authority, regardless of legal relevance has no standing to
"protect" infected hosts without explicit consent of the owners. If the
infected host is causing harm to other internet hosts then it needs to be
taken offline by its network owner (e.g.: ISP or datacenter operator that
owns the IP AS number).

Second, in case of malware spreading (e.g.: wannacry) and DGA domains: if the
domain is not registered, instead of a sinkhole, an administrative restriction
on registering that domain should be placed. If the domain is registered, you
want the IP infrastructure to be taken down. IP blocks and reputation damage can
be very harmful. IP subnet owners are much more responsive and where that is
not the case, a null route can be placed to "sinkhole" the IP -- null routes
are advertised using predefined BGP communities, this means it will be
unreachable only by networks that accept that community (e.g.: FBI sinkholes
an IP, american networks accept the community and block the IP while other
countries might not). You have to understand why there are so many malware
domains for C2 and why DGAs exist, it is more costly to become in control of
an IP address than it is a domain. If you block the IP as soon as C2 is
detected on it, the attacker will just change the A record to point to another
IP, but they have a much more limited set of IPs and costly IP infrastructure
so they'll be running out of them fast. You can use DGA and dynamic domains
such as noip.org (MS famously sinkholed them taking down millions of legit
hosts!) But you can't as readily come up with IP addresses. I like this
approach because the IP owner is always in a position to force remediation of
the C2 server or infected host, they can ban the user or work with them to
remediate the infection after confirming, they can request removal from the
sinkhole. Most malware operators have no more than a handful active C2 IP
addresses but from experience, I see them use dozens of domains, sometimes from
different malware campaigns, pointing to the few IP addresses in their
control.

I am sure this has challenges but it is a cleaner way of doing it and focuses
remediation on the C2. If this approach was taken, OP's IP would have been
accidentally sinkholed, her webhost would contact her about it, she would show
proof that the server has not hosted malicious content and work with them to
lift the sinkhole. Meanwhile, the site can be moved to a different host (if it
takes too long) and IP address, since the domain is not being sinkholed it
would just work. Malware researchers and law enforcement can see if infected
hosts continue to communicate with the new IP or if the new IP responds to C2
initial traffic to decide if it should continue to be sinkholed (costing OP
hosting money if it was an attacker, it might cost them money and access to
compromised hosts).

------
jschuur
Interesting. I noticed that the blog post mentions the Nymaim malware family.
I read about Susam's case when it hit Twitter the other day and might have
even followed a link to his URL. Then a few days later got an email from my
ISP Virgin Media claiming they'd detected Nymaim on my home network.

I run macOS only and as far as I can tell Nymaim is Windows only. Still, I ran
a malware scan on my Macbooks and nothing popped up, so I'm pretty sure
nothing infected my devices.

Still, I wonder if I ended up hitting the sinkhole, Virgin was somehow
notified and this triggered their email? Or maybe it's just a complete
coincidence.

Edit: Sure looks like Virgin works with Shadowserver:
[https://www.ukfast.co.uk/it-security-news/virgin-media-to-inform-customers-of-malware-infections.html](https://www.ukfast.co.uk/it-security-news/virgin-media-to-inform-customers-of-malware-infections.html)

~~~
rkangel
That is the purpose of sinkholes. That's why you don't just change the DNS
record to 127.0.0.1 (or similar) - you want to log the traffic that you're
seeing so that you know who is infected and can help them.

I'm unaware of this particular international cooperation arrangement but it's
great to see.

~~~
jschuur
Yup. Looks like the system is working pretty well. Plus I'm pretty happy that
I've got an explanation for the email I got!

------
seagreen
This kind of thing makes picking a personal email address a tricky decision.

Do I go with a @gmail.com or other corporate address? Then I risk losing my
email if my account is suspended.

Do I go with a domain I own? Then I risk losing it if something like this
happens.

Either way is serious because email is effectively a master key into all my
accounts.

I'm honestly not sure what's best.

~~~
owenmarshall
> Do I go with a domain I own?

This one, it’s this one.

Losing your domain tends to require human action: from someone forgot to pay
the renewal to someone messed up and sinkholed it because they thought it was
a C2 server.

But because humans are in the system there tend to be layers of processes that
try to prevent you from getting to this state and can get your world back to
normal if you do.

 _Gmail offers nothing like this._ When the ML algorithms decide you are too
many sigma in the “abnormal” category, you are done. And there is no one to
talk to who can fix your problem.

~~~
doublerabbit
Although if you're using your own email address, be prepared for emails you send
to end up in junk.

~~~
owenmarshall
This is an unfortunate risk with running your own. Instead, pay someone - my
Fastmail subscription is absolutely worth every penny.

If it ever becomes a problem I flip my MX record elsewhere.

------
CaliforniaKarl
Looking forward to hear from Shadowserver on a few points...

• What led to the false positive.

• What actions were taken to notify the domain owner about the actions being
taken against them.

• Why there was not a comment put into the Whois entry — or in some other
obvious place — saying what had been done to the domain.

~~~
steve19
I want to know why law enforcement allows a private organization to seize
private property based on some algorithm.

I have heard bad things about shadowserver in the past. Now I wonder how much
other collateral damage they have done over the years.

~~~
yc-kraln
Domain names are not property, and this is not under the purview of law
enforcement. The country registrar (NIXI) is working together with someone to
prevent abuse of their systems. When you purchase a DNS entry, you agree to
this sort of thing as part of the ToS.

~~~
derefr
Right; this is essentially the same as a mail server operator relying on a
DNSBL.

~~~
anon176
Exactly

------
blunte
I don't find this surprising at all.

This can happen in any scenario where a special shortcut has been added to get
around a standard process (where standard process usually involves some human
review and judgement).

I imagine that in most cases, the shortcuts were created simply to speed up a
process where some (perceived) harm is significant, and a rapid change would
alleviate this harm. This would allow some enforcement agency to rapidly take
down a child porn site, for example.

Such shortcuts can also be designed to prevent any other party from knowing
what is going on - why the change is being made. This would be the case where
some high level governmental agency (FBI, for example) wants to change
something to prevent a situation they deem as bad or to perhaps to enable
better awareness of a process/communication by inserting themselves into the
middle of it.

And finally, in this case, an automated or human error resulted in this
person's domain name being included on a "bad list", and the shortcut swept
their domain along with the trash.

This particular situation doesn't bother me as much as the "Google/Apple/FB
suddenly closed all my accounts" scenario (which is often triggered by some
opaque artificial wishful-intelligence system).

Regardless of the situation, it's not ideal that our best course of action in
recovering something wrongfully taken is by complaining on public forums. It's
a shame that we have to hope for the attention and generosity of someone with
more power to champion our case to right the wrongs.

So I say, bring the humans back into the process! :)

~~~
marcosdumay
This is not really ok. There must be a clear contact point for the affected
people (not only namecheap).

Also it was very bad on the transparency front. If they are taking down a
domain, the operation is not secret anymore, so they can tell why. No telling
you is bullshit.

That being a German operation, I would expect much better on the democratic
handling of it. And it being an international operation, India should have
complained that it was badly done too. What would happen if namecheap didn't
care?

~~~
derefr
I think there _is_ a clear point of contact, and it _is_ your registrar. This
is part of the reason a hierarchy of registrars exist, rather than each TLD
just being one organization maintaining its own registry service: so that the
people with ultimate authority (the TLD, in this case) can have personal
relationships with _representatives_ of “constituencies” of domains (the
registrars), rather than necessarily-impersonal relationships with a flat
collective of millions of individual accounts (the domain owners).

By analogy: Google has necessarily-impersonal relationships with millions of
Gmail users; but rather more personal relationships with far fewer GSuite and
Google Cloud organization owners. If you were an employee of a company that
uses either of those, and your service was breaking, you’d ask your GSuite
organization-owner (i.e. the person Google has a personal relationship with)
to contact them for you.

------
hrrypttr
It is really unbelievable that a legitimate domain can be transferred so
easily without any verification or due process. Isn't there an EPP-code-based
domain transfer process to prevent exactly things like this?

~~~
susam
As mentioned in this blog post, the domain transfer was done as part of an
international operation against the Avalanche botnet. As such, it was a legal
action as opposed to an administrative action. Further, the action was taken
at registry level as opposed to registrar level (which is one level lower than
the registry). Therefore, no EPP code was necessary and the
"clientTransferProhibited" domain transfer record was ignored.

~~~
Tepix
It seems like there should be a notification after the fact so legitimate
domain owners have a chance to reach someone who is in the know.

------
jka
Automated legal actions and takedowns like this introduce a lot of risk of
collateral damage, but I wonder what the alternatives are?

The investigators would likely argue that notifying domain holders would
reduce the chance that they can take down a botnet's infrastructure
successfully, which seems likely.

Could there be some maximum time after which the 'rule set' for the auto-
takedown code needs to be made open source / public? It must presumably be
implemented as software and/or configuration files.

That would at least allow for inspection, confirmation and disputes about how
it's implemented, and if this was 30 days or so, it shouldn't risk the
takedown effort.

While top-tier network engineers are developing takedowns like this,
presumably they'll do a good job of minimizing false positives - but as this
case shows, it's not always going to be perfect - and I worry that if it
becomes more common, we'll see sloppier implementations.

That could lead to connectivity and access issues for more users (again in an
international context). It's great that the situation was resolved in this
case but I imagine not all users would be able to raise a complaint at a
similar level of technical detail and respectful tone and for it to receive
the same amount of attention.

Maybe that's untrue - maybe injustices really do get amplified by social media
and relying on companies to notice this 'works'. It doesn't sit particularly
well with me as a remediation process though, and I'm not sure it scales.

------
nickthemagicman
How is one supposed to get this resolved if the CEO OF NAMECHEAP doesn't see
your tweet to get involved?

Is your domain just gone at that point?

Is it really that easy to lose a domain name...by someone doing an 'oopsie'?

~~~
cyborgx7
The idea would be that the support ticket with namecheap should be enough.
Though I doubt it would be, for the average person.

~~~
nickthemagicman
Doubt is an understatement. lol

------
CydeWeys
> I also wondered if a domain name under a country code top-level domain
> (ccTLD) like .in is more susceptible to this kind of sinkholing than a
> domain name under a generic top-level domain (gTLD) like .com. I asked
> Benedict if it is worth migrating my website from .in to .com. He replied
> that in his personal opinion, NIXI runs an excellent, clean registry, and
> are very responsive in resolving issues when they arise.

I'm not sure that's the correct conclusion to come to from this experience.
Yes, the registrant happened to get lucky in this case, in that they had
significant enough reach on Twitter and HN to get the right people to pay
attention and get eyes on resolving the issue. But that easily could not have
been the case (and might still be the case in the future), and with a ccTLD,
you have no recourse.

I think the correct lesson here is to go with a gTLD, because if worse comes
to worst you will always have recourse through ICANN if necessary (since the
gTLD operator is contracted with them). On a ccTLD it's not always gonna work
out. Heck, the registrant was already ignored by the ccTLD operator in this
case anyway; it's frankly kind of lucky that they had the CEO of their well-
known registrar go to bat for them. That's not the kind of intervention you
should be regularly relying on to keep and maintain your domain name!

~~~
shawndev
Would the experience be any better in gTLD? The registry of .com gTLD is
VeriSign Global Registry Services. Would ICANN handle a domain-related dispute
themselves or would they redirect us to Verisign? Is Verisign any better than
NIXI?

------
monkeynotes
Someone less technical would likely have no idea what happened to their
domain. An individual relying on their web presence for income could be
massively impacted by something like this. There really does not seem to be a
clear way for someone to a) know what the problem is, and b) get it resolved
quickly.

~~~
gowld
Every domain has a technical contact, it's part of the WHOIS schema. A non-
technical website owner hires someone to handle technicalities, just as a non-
mechanical car owner hires someone to handle their car's mechanics.

Sure, if you don't pay attention to the care of your domain, it can break in
incomprehensible ways, just as if you don't pay attention to the care of your
car, it can break in incomprehensible ways.

~~~
perspective1
In theory, sure. But according to most of my domain WHOIS records, the
technical contact is somebody named asdflkj_34890f@privacyprotection.com.

------
wodenokoto
> My website was missing. In fact, the domain name resolved to an IPv4 address
> I was unfamiliar with.

Do you guys know this stuff? If my domain started resolving to a new IP
address, that would be just as unfamiliar to me, as the current address.

Should I ping my domain and write the results down?

~~~
aasasd
Normally, if you did any setup before pointing the domain to the host, or if
you connect via ssh, then you at least have seen the ip and probably have it
recorded in files like ~/.ssh/known_hosts.

But generally, the better your setup is documented, the better you can detect
or diagnose when something goes awry.
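
wodenokoto asks what there is to compare against, and aasasd's answer is "whatever you documented". The block below is an added example (not code from the blog post, its author or any registrar) of turning that documentation into a check: it keeps a baseline of the domain's A records, NS delegation and WHOIS status flags and reports what drifted. It also encodes the distinction susam draws further up the thread: `clientTransferProhibited` is a registrar-level lock, while `server*` flags are set by the registry above the registrar, so a server-level flag that was not there before means someone acted at the level your registrar lock cannot stop. The sample baseline and observed snapshots are constructed (RFC 5737 addresses, made-up name servers); the `Domain Status:` line layout the parser expects is an assumption about the WHOIS server's output, and `gather_live` assumes `dig` and `whois` are on PATH.

```python
"""Baseline-vs-now check for a domain you own: A records, NS delegation and
WHOIS/EPP status flags. Added example, not from the original post."""
import json
import re
import socket
import subprocess
import sys
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]   # {"A": {...}, "NS": {...}, "STATUS": {...}}

# Assumption: the WHOIS server prints one flag per line in the common layout
# "Domain Status: clientTransferProhibited https://icann.org/epp#..."
STATUS_RE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*([A-Za-z]+)",
                       re.IGNORECASE | re.MULTILINE)


def parse_whois_status(whois_text: str) -> Set[str]:
    return {m.group(1) for m in STATUS_RE.finditer(whois_text)}


def diff_snapshot(baseline: Snapshot, observed: Snapshot) -> List[str]:
    findings: List[str] = []
    for key in ("A", "NS", "STATUS"):
        before, now = baseline.get(key, set()), observed.get(key, set())
        if before != now:
            findings.append(f"{key} changed: removed {sorted(before - now)}, "
                            f"added {sorted(now - before)}")
    # server* flags are set by the registry, one level above the registrar;
    # your own clientTransferProhibited does nothing against them.
    for flag in sorted(observed.get("STATUS", set()) - baseline.get("STATUS", set())):
        if flag.lower().startswith("server"):
            findings.append(f"new registry-level status: {flag}")
    if ("clientTransferProhibited" in baseline.get("STATUS", set())
            and "clientTransferProhibited" not in observed.get("STATUS", set())):
        findings.append("registrar transfer lock no longer shown")
    return findings


def gather_live(domain: str) -> Snapshot:
    """Same three facts from the live Internet (needs network, dig and whois)."""
    a = {ai[4][0] for ai in socket.getaddrinfo(domain, None, socket.AF_INET)}
    ns_out = subprocess.run(["dig", "+short", "NS", domain],
                            capture_output=True, text=True, check=True).stdout
    ns = {line.strip().rstrip(".") for line in ns_out.splitlines() if line.strip()}
    whois_out = subprocess.run(["whois", domain], capture_output=True, text=True).stdout
    return {"A": a, "NS": ns, "STATUS": parse_whois_status(whois_out)}


# Constructed sample pair: the baseline you wrote down when you set things up,
# and what a sinkholed domain might look like afterwards.
BASELINE_WHOIS = ("Domain Name: example-blog.in\n"
                  "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n")
OBSERVED_WHOIS = ("Domain Name: example-blog.in\n"
                  "Domain Status: serverHold https://icann.org/epp#serverHold\n"
                  "Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited\n")
BASELINE: Snapshot = {"A": {"203.0.113.10"},
                      "NS": {"dns1.registrar-servers.example", "dns2.registrar-servers.example"},
                      "STATUS": parse_whois_status(BASELINE_WHOIS)}
OBSERVED: Snapshot = {"A": {"198.51.100.200"},
                      "NS": {"ns1.sinkhole.example"},
                      "STATUS": parse_whois_status(OBSERVED_WHOIS)}

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: python check.py <domain> <baseline.json>
        with open(sys.argv[2]) as f:
            base = {k: set(v) for k, v in json.load(f).items()}
        findings = diff_snapshot(base, gather_live(sys.argv[1]))
    else:
        findings = diff_snapshot(BASELINE, OBSERVED)
    print("\n".join(findings) or "no drift")
```

Run it from cron against a baseline JSON you wrote when the domain was healthy; an alert on the NS set is the earliest signal you will get, since the registry changes delegation before anyone emails you.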

------
vld
As a small business owner, this terrifies me. Since the TTL for NS records is
48 hours, a domain takeover like this could easily bankrupt a lot of SaaS
companies.

What options are there to prevent this? Would a registrar such as MarkMonitor
provide at least some notice or protection?

------
asah
Namecheap rocks, been using them for years.

Really wish they'd pick another name: it's really hard to convince clients to
take them seriously and let me choose them. If I had a dollar for every time
someone insisted on GoDaddy... :-(

~~~
r-w
Ah, GoDaddy: a name that is _much_ easier to take seriously.

------
DanielBMarkham
What I find interesting here is the interplay and mix between private, public,
and governmental concerns.

In the physical space, in the states you're free to walk out into the public
park, put on a hat saying something atrocious like "I hate cats!" and
peacefully petition your fellow citizens to destroy all cats or something
silly.

When we moved to printed distribution, there was still a clear bit of
guidance; as long as you weren't directing people towards violence, you were
good. Most newspapers were locally owned and would even be happy to print your
letter to the editor about cats.

But now? We've got a foundation doing something like a regex match on domain
names, we've got a criminal element hijacking computers, we've got various
government-condoned organizations for managing tlds, we've got registrars. All
of these are different types of organizations working in different countries
and established for vastly different reasons.

I am reminded of two things. First, Thomas Paine made the point that it was
better to live under a dictator than a complex system that hurt you. Under a
dictator, you had a guy to point to when things went wrong. It was them! They
are responsible for this awful thing! Under a complex system? There's nobody.
Bad things just happen, and when you try to ask about it, each party can
explain to you that they were working for good reasons to the best of their
ability. There was a problem, but no reasonable way to discuss, diagnose, or
propose fixes to it.

The second thing was a story from the 80s about a U.S. official, Raymond
Donovan. He served fairly well in public office but was accused of some
serious crimes. He was destroyed in the media. Then they found out he was
innocent. He asked a famous question "Which office do I go to to get my
reputation back?"

I'm extremely happy this was resolved, but good grief, if I didn't know
anything about the net, and my domain had just been set up instead of being in
my control for 12 years, which office would I go to to get my domain back?

Either we own things or we don't. If every bit of our participation online is
owned by somebody else, this should be a lot bigger deal than it is currently.

~~~
gowld
Blaming the dictator doesn't solve the problem. Sure, you could try to
overthrow a dictator, but you can also try to fix a system, by talking to any
of the people involved in it (or if there are no people involved, try to
modify the system yourself, since there's no one to stop you).

~~~
derefr
This is the Fallacy of Gray. Just because neither option is perfect, doesn’t
mean that one option isn’t better. It’s clearly _easier_ for a bloc of
concerned citizens to solve problems in dictator-land than in bureaucracy-
land: in dictator-land, you just have to remove one (probably very unpopular)
guy, while in bureaucracy-land, you have to... um...

~~~
JoshuaDavid
In dictator-land, you _first_ have to remove the dictator. You still have to
actually solve the problem after removing the dictator.

It's easy to say "the dictator is bad" but historically getting rid of
dictators without a specific and concrete plan for what to do afterwards has
not turned out so well.

~~~
DanielBMarkham
In doctor-land, you are trying to solve a particular problem with a particular
patient, the assumption being that once that problem is solved, the patient
will remain self-regulating.

In political-theory-land, you assume all actors are bad, or at least will
become bad at some point in the future. The question then becomes "how can we
organize our political structures so that if we can't prevent dying, can we at
least provide guidance to the next government that follows?"

It naturally follows that the real goal is not solving problems: it is
providing problems and solutions that people can accept. If nothing else,
providing problems and solutions in terms that future generations can reason
about.

------
tptacek
Don't worry. It's still _definitely_ a good idea to centralize all Internet
trust in a DNS-based PKI.

------
fortran77
Wow! "Accidentally?" That's inexcusable. He should be compensated, and the
people who made this mistake should not be doing this sort of work anymore.

> He explained in his email that my domain name was sinkholed accidentally as
> part of their Avalanche operation.

Would it hurt the people doing domain takeovers to at least try sending an
email to the registrant with contact info and a case number?

------
r3trohack3r
I feel there is an important point between the lines here: a central authority
is well positioned to stop bad actors by working outside the definition of
“expected behavior” of the system.

P2P systems do not get this by design. For load bearing infrastructure like
DNS, escape hatches to stop bad actors putting humanity’s hive mind at risk is
a handy tool that has been used effectively.

There are the philosophical questions of “how do we define a bad actor” and
“who gets to decide what’s acting in bad faith?” But many botnets don’t suffer
from that ambiguity, a well deployed/utilized botnet can take down load
bearing internet infrastructure.

Being able to stop future threats without requiring migrating a P2P network
_seems_ like a feature, and reminds me a bit of common law. In law, we know
there will be cases we can’t anticipate upfront and leave the courts room to
interpret. P2P seems to still be in a state where we have to identify and
protect against every form of “bad actor” upfront in our game theory in order
for our network to be stable moving forward.

------
dylanpyle
A couple of years ago we lost our domain [1] due to a registrar (that we were
not a customer of) erroneously issuing a suspension. The amount of honor
system involved in the whole process, particularly in ccTLDs without as much
oversight, was really surprising.

[1]: [https://medium.com/thisiscala/the-duct-tape-holding-the-internet-together-12118be60ff1](https://medium.com/thisiscala/the-duct-tape-holding-the-internet-together-12118be60ff1)

~~~
dredmorbius
That's worth resubmitting to HN.

~~~
susam
Done.
[https://news.ycombinator.com/item?id=21705976](https://news.ycombinator.com/item?id=21705976).

------
toasted_flakes
This is so bad. This process needs transparency and notifications! It
shouldn't be possible to sinkhole a website without the owner being aware.

------
anilakar
So, did a court just order a domain to be taken down based on erroneous
information from a private entity?

~~~
icebraining
I don't see any mention of a court; the TLD manager (NIXI) probably took the
initiative based on said erroneous information.

~~~
sandGorgon
NIXI is subject to the jurisdiction of CERT-IN (Indian Computer Emergency
Response Team - [https://cert-in.org.in/](https://cert-in.org.in/)), which in
turn was one of the participants of the Avalanche takedown program.

A legal request originating from Germany would have been approved by CERT-IN
and NIXI would have had to comply.

[https://www.cyberswachhtakendra.gov.in/alerts/avalanche.html](https://www.cyberswachhtakendra.gov.in/alerts/avalanche.html)

~~~
nerdponx
Who said it was a _legal_ request? I got the sense that Shadowserver has some
monitoring software running, which triggered a warning for NIXI who sinkholed
the domain.

~~~
sandGorgon
most likely interagency request. NIXI as an Indian govt operator is subject to
RTI queries (Right to Information) and court action.

However NIXI is subject to CERT-IN authority which is clearly part of the
anti-botnet collective.

------
yosefzeev
With all the domain buying out and weirdness, it is my fervent hope people
seriously begin reconsidering what it means to have a domain name and to
implement other structures to serve out names as opposed to the now, obviously
bought and sold, DNS.

------
sumitjami
The server is down it seems

[https://github.com/susam/susam.in/commit/91405150ff3f44fd094e4e8d7671be12bc574922](https://github.com/susam/susam.in/commit/91405150ff3f44fd094e4e8d7671be12bc574922)

~~~
susam
The server is up. However, it is possible that at your end "susam.in" is still
resolving to a sinkhole address. I have created a mirror of the blog on GitHub
Pages for you. Visit
[https://susam.github.io/blog/sinkholed/](https://susam.github.io/blog/sinkholed/)
to read the mirrored blog post.

------
commandlinefan
> for some perceived violation

This is the fundamental problem with this sort of crowdsourced censorship -
there's no accountability on the reporters and no repercussions for bad faith.

------
triangleman
I still don't get it, what exactly was flagged that caused the domain to get
noticed by... Who exactly? Did it have anything to do with the owner logging
into his server? What is the sequence of events in bullet point format? I know
the author tried to be clear but I'm confused as to what actually happened.

~~~
akersten
A particular malware contacted its command and control servers via
procedurally generated domain names (to make it difficult to shut down just a
single domain that controlled it).

Malware researchers reversed a sample of the malware and started blackholing
domains that matched the pattern to get ahead of the malware by preventing it
from communicating with the domain du jour.

It just so happens that the author's domain pattern-matched domains that would
be contacted by the malware.
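
akersten's summary is the whole mechanism in three sentences; the block below is an added example (not code from the blog post, and not the Nymaim or Avalanche generator, whose details the thread does not give) that makes the false-positive step concrete. A constructed, deterministic, date-keyed generator plays the role of the reversed DGA; once the seed is known, every name the bots will try for the next week can be enumerated. The second function is the check a takedown pipeline should run before acting on that list: names nobody holds can be reserved or sinkholed with no collateral damage, while names the registry already shows as taken are exactly where a bulk transfer hits an innocent registrant and therefore go to a human review queue. The seed, TLD set and registry contents are all made up for the example; whether the real operation used exact precomputation or a looser pattern is not stated in the thread.

```python
"""Toy DGA precomputation and the collateral-damage check it should feed.

Added example; the generator is a CONSTRUCTED stand-in, not the Nymaim or
Avalanche algorithm, and the registry contents below are made up.
"""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Set

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("in", "com", "net")   # assumption: the toy family spreads names over these


def toy_dga(seed: bytes, day: date, count: int = 50) -> List[str]:
    """Deterministic, date-keyed names. Given the seed (recovered by reversing
    a sample) a defender can enumerate every name the bots will try on `day`."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(
            seed + day.isoformat().encode() + i.to_bytes(2, "big")
        ).digest()
        length = 5 + digest[0] % 6                          # labels of 5..10 letters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return names


def predicted_names(seed: bytes, start: date, days: int, per_day: int = 50) -> Set[str]:
    """Everything the family will ask for from `start` for `days` days."""
    out: Set[str] = set()
    for d in range(days):
        out.update(toy_dga(seed, start + timedelta(days=d), per_day))
    return out


def takedown_plan(predicted: Set[str], registry: Dict[str, str]) -> Dict[str, list]:
    """Split the predicted list by what the registry already says.

    registry maps name -> registrant note for names that are already taken.
    Unregistered names are safe to reserve/sinkhole; registered ones are the
    collision case and must not be transferred without a human looking."""
    plan: Dict[str, list] = {"reserve": [], "review": []}
    for name in sorted(predicted):
        if name in registry:
            plan["review"].append((name, registry[name]))
        else:
            plan["reserve"].append(name)
    return plan


if __name__ == "__main__":
    seed = b"constructed-seed"
    predicted = predicted_names(seed, date(2019, 11, 26), 7)
    # Pretend a blogger registered one of the predicted names years earlier:
    victim = sorted(predicted)[0]
    registry = {victim: "personal blog, registered 2007", "unrelated.in": "someone else"}
    plan = takedown_plan(predicted, registry)
    print(f"{len(plan['reserve'])} names free to reserve, {len(plan['review'])} need a human:")
    for name, owner in plan["review"]:
        print(f"  {name} -> {owner}")
```

The collision has nothing to do with the owner's behaviour: the victim's name is in the list purely because the generator's output space overlaps the space of names people register, which is why the review queue, not the sinkhole, is the right destination for anything already taken.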

~~~
triangleman
Thank you. So it was just a coincidence that this person logged into his
server at the same time as the domain was taken down? It was simply a
suspicious looking domain name?

------
HenriNext
tldr; Collateral damage from law enforcement taking down a botnet, resolved
reasonably fast.

~~~
AshwinDurairaj
It wasn't law enforcement taking the domain name, it also was only solved fast
because of intervention from the Namecheap CEO.

~~~
HenriNext
I didn't say it was law enforcement directly taking down the domain name, I
said that it was collateral damage from law enforcement operation against
botnet.

As the original operation was run by Interpol, Europol etc. I think this was a
fairly accurate description, especially in context of a tldr; which gives some
constitutional rights to simplify things :)

------
ossworkerrights
Wow, so a German entity can just go around and confiscate internet domain
names, without a warrant? That's really dangerous.

------
skunkpocalypse
This is horrifying.

