Fighting Back, Business Continuity, Government Actions

Retaliatory hacking, where you try to give them a taste of their own medicine, is not a sensible approach. Don’t try to challenge black hats at their own game. It is still hacking, it is still illegal and you’ve turned an incident or battle into an “us versus them” confrontation. You have better things to do.

Shun them. Go all Amish on them and give them a good shunning. Blacklist them. These are measures you can take to protect yourself.

There are also measures that others take on your behalf. Measures that don’t get enough praise.

August 2008: HostExploit.com publishes Atrivo - CyberCrime USA. This white paper identifies the interrelationship of California-based Atrivo with Inhoster, UkrTeleGroup, Cernel, and Hostfresh. Examples of malware hosted on servers and spam sent by servers in address ranges managed by Atrivo are included.

September 2008: Inhoster’s domains were suspended due to criminal activity. The prefixes withdrawn from AS27595 (Inhoster) reflect many of the IP ranges I had blacklisted.


Today, AS27595 (Intercage AKA Atrivo) and AS44060 (UkrTele) have no upstream providers. They are cut off from the rest of the world. AS36445 (Cernel AKA Internet Path, Inc.) can still be reached.

October 2008: ICANN de-accredits EstDomains, eight months after the EstDomains CEO is convicted of credit card fraud, money laundering and document forgery. EstDomains was the preferred registrar for the Russian Business Network (RBN).

November 11, 2008: Upstream Internet Service Providers (ISPs) Global Crossing and Hurricane Electric stop routing the address space managed by the ISP McColo Corp (208.66.192.0/22). This made the address space managed by McColo unreachable. McColo had allowed servers to remain online regardless of complaints. This made McColo an attractive haven for the master servers (command and control servers) of botnets such as Mega-D, Pushdo, Rustock, Srizbi and Warezov. The master servers of the botnets were used to instruct compromised machines (bots) to send SPAM. McColo also provided network access for the Russian Business Network (RBN).

June 2009: Upstream ISPs cease forwarding the traffic of the servers of web hosting provider Triple Fiber Network (3FN.net). In the article FTC shutters rogue ISP for hosting malicious content, botnets, 3FN.net is “alleged to have hosted botnet command and control servers that run massive spam campaigns and denial of service attacks, and also websites that serve up malware, child pornography and other explicit content.”

In a related article (FTC Sues, Shuts Down N. Calif. Web Hosting Firm): “The FTC chairman confirmed that this was the first time the agency had sought and been granted an order to shut down an Internet service provider.”

Further reading: FTC News Release, track the case status.

You might ask why this does not happen more often. Removing the ISPs willing to host criminal activity is a slow process for upstream ISPs and even slower for Law Enforcement (LE). In a NANOG post, Chris points out the difficulties upstream ISPs face.

I hate to re-start the atrivo/intercage/mccolo thread(s) but, often what happens is there just aren’t any real/usable complaints sent along to the upstream providers.

The webhost (aps/3fn in this case) may have avoided most/many of the complaints, over the years, being sent to their upstream(s) or they may have successfully shuffled their links faster than outages could be arranged. If address blocks or customers are shuffled fast enough, or timely enough, it looks like the problem is resolved to an upstream. One trick I’ve seen used is to re-announce address blocks out differing interfaces such that providers catalog the complaints not against the direct customer but against peers or other customers ‘innocents’ (possibly).

If the upstream providers don’t get quality complaints in a format they can use and catalog… nothing is going to change. If the upstreams see no abuse record there is no reason to term a paying customer.

With the more criminally minded ‘customers’, the problem is a lot harder to bring to resolution if you are stuck inside the contracts/laws of your jurisdiction. It behooves the community at large to properly catalog and properly complain about these sorts of things. Saying: “dirty-webhost-X is never going to deal with my complaints so, I stopped sending them there X months|years ago.” is not going to resolve the issue(s). Email to abuse@ is ‘free’ for the sender, almost all complaint generation systems can be automated, almost all complaint acceptance systems can be as well if the complaints come in well formed and with the right information included.

August 2009: The Trend Micro white paper “A Cybercrime Hub” suggests that the Russian Business Network is back in business, using a more resilient architecture.

Corporations and individuals are not as encumbered as ISPs and LE are. Review who your customers are, review the malicious destinations you see and make an informed decision. You will frequently find clear examples of IP ranges you want to avoid. In this way you can be out in front of (at least some of) the not-yet-discovered vulnerabilities and the not-yet-detected exploits.

This is not simply theoretical. In this fashion, the major sources of malware exploiting the Adobe Acrobat Reader vulnerability had been blacklisted before the malicious PDF files were available. In this fashion, new malware variants developed by the Russian Business Network (RBN) and sold to their customers did not appear in my environment. Those are high profile examples that I could confirm from SANS and anti-virus vendor information; there should be other examples of threats avoided with less media coverage.

Note that you do not want to see your network neighbors, other IP addresses in the range managed by your ISP, appear on a list of IP addresses known to host malware. The implication is that your ISP does not respond to abuse complaints. Any ISP that does not respond to abuse complaints risks being blacklisted.

If that includes your ISP, clients and customers will not be able to reach you until you switch ISPs. Recognize this possibility. Network administrators, in an attempt to protect themselves from malicious traffic, can choose to drop traffic to large IP address ranges. If you find IP addresses that your ISP manages are on a “known malware distributors list”, then encourage the ISP to address the situation. Recognize your need for business continuity.

This is not simply a theoretical issue. Free Software Magazine had a web presence through 3FN. Fortunately, they had backup servers through another ISP. Read How Free Software Magazine overcame the 3FN disaster and switched to CariNet to learn how they restored service.

Know who your ISP is, and know who its upstream providers are. Use robtex.com to learn about your domain name and how it reaches the Internet.

Use hpHosts to learn whether neighboring IP addresses (or even your own) have been reported as malicious. Perhaps there are other sites on your host. For example, if your IP address is 69.89.31.246, use the following URL to see if there are malicious hosts in your neighborhood:

http://hosts-file.net/?s=69.89.31.246&view=matches
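The two checks the post recommends, reviewing the malicious destinations you see to find IP ranges worth shunning and checking whether your own network neighbors have been reported, as an added example in Python (not code from the original post). The shunned prefixes are two ranges the post names; the reported hosts are constructed sample data, and the /24 grouping and threshold of two reports are assumptions for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the original post). The two shunned
# prefixes are ranges the post names; the reported hosts are made up.
SHUNNED_PREFIXES = ["64.28.176.0/20", "208.66.192.0/22"]
REPORTED_HOSTS = [
    "64.28.180.12",    # inside a shunned prefix
    "69.89.31.10",     # constructed neighbor of the post's example host
    "69.89.31.200",    # another constructed neighbor in the same /24
    "198.51.100.7",    # TEST-NET-2 addresses, unrelated to the post
    "198.51.100.9",
    "198.51.100.44",
]

def covering_prefix(ip, prefixes):
    """Return the shunned prefix that contains ip, or None if it is not shunned."""
    addr = ipaddress.ip_address(ip)
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if addr in net:
            return str(net)
    return None

def ranges_to_shun(reported, prefixlen=24, threshold=2):
    """Group reported hosts by /prefixlen block and return the blocks with at
    least `threshold` distinct reports: candidate ranges to avoid."""
    blocks = Counter(ipaddress.ip_network(f"{h}/{prefixlen}", strict=False)
                     for h in set(reported))
    return [str(n) for n in sorted(blocks) if blocks[n] >= threshold]

def neighborhood_report(my_ip, reported, prefixlen=24):
    """Reported hosts sharing my_ip's /prefixlen block (my network neighbors)."""
    me = ipaddress.ip_address(my_ip)
    my_net = ipaddress.ip_network(f"{my_ip}/{prefixlen}", strict=False)
    hits = {ipaddress.ip_address(h) for h in reported}
    return [str(h) for h in sorted(hits) if h in my_net and h != me]

def continuity_risk(my_ip, prefixes, reported, prefixlen=24):
    """'blocked' if my_ip sits inside a prefix others already shun, 'at-risk'
    if neighbors are reported (the ISP's range may be shunned next), else 'clear'."""
    if covering_prefix(my_ip, prefixes):
        return "blocked"
    if neighborhood_report(my_ip, reported, prefixlen):
        return "at-risk"
    return "clear"

if __name__ == "__main__":
    print("ranges to shun:", ranges_to_shun(REPORTED_HOSTS))
    print("69.89.31.246:", continuity_risk("69.89.31.246", SHUNNED_PREFIXES, REPORTED_HOSTS))
```

Feed `ranges_to_shun` the destinations from your own firewall or proxy logs and `neighborhood_report` the addresses a list such as hpHosts reports for your ISP's range; an "at-risk" result is the cue to raise the issue with the ISP before its whole range is dropped.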

Other resources to keep you informed about your web site:

Note that the private sector should share information with the public sector. Report incidents. The private sector does not need to wait for public sector involvement. Don’t wait for a judge to rule. Law enforcement takes time; see the U.S. Justice Department’s cybercrime.gov web site for recent cases. The private sector can take matters into its own hands and shun ‘em.

LE should be aware of Infragard, CyberCop and the non-profit organization High Tech Crime Consortium (hightechcrimecops.org).

August 3, 2009: Malwarebytes Anti Malware version 1.40 appears to have implemented this “shunning” approach. Bluehost is among the ISPs blocked for supporting malware.

August 28, 2009: Federal jury finds for Louis Vuitton Malletier S.A. in its lawsuit against ISPs Akanoc Solutions Inc. and Managed Solutions Group Inc. (both in Fremont, CA; both owned by Steven Chen). Vuitton alleged that the ISPs knowingly provided service to eCommerce sites offering counterfeit Vuitton merchandise. The jury agreed, awarding $32 million to Vuitton. Louis Vuitton Malletier, S.A. v. Akanoc Solutions, Inc., C 07-03952 JW (N.D. Cal. Dec. 23, 2008).

The significant difference between this case and Tiffany v. eBay was “specific knowledge”. The Steven Chen ISPs had specific knowledge of the web sites selling counterfeit goods. eBay, on the other hand, agreed that counterfeit products were being sold through their service, and could remove merchants who misrepresented products, but had no specific knowledge of further counterfeit goods.

Nonetheless, ISPs should take notice and abuse complaints seriously, since they can be shown to provide specific knowledge.

September 18, 2009: Microsoft files five civil lawsuits against “Soft Solutions,” “Direct Ad,” “qiweroqw.com,” “ITmeter INC.” and “ote2008.info” for distributing malicious software posing as advertising (“malvertising” and “scareware”). Web sites generate revenue by selling advertising space to online advertising services; the online advertising services get their revenue from advertisers. The ads the advertisers create may link to malware, making otherwise trustworthy web sites into purveyors of malware because they generate revenue through advertising.

February 26, 2010: Microsoft takes legal action [pdf] to shut down the Waledac botnet. Internal codename: “Operation b49”. To take legal action, Microsoft documented harm (specifically SPAM to Hotmail accounts). Microsoft sought to suspend the 273 known domain registrations which the Waledac command and control servers use, leaving the bots running but uncontrolled. This prevents the bots from downloading code updates as well. This leaves the current clients in a stable state, which enables Microsoft’s Malicious Software Removal Tool and antivirus vendors to clean up the residue. Note that Waledac does not rely upon software vulnerabilities to install bots; “social engineering” or Trojan horse mechanisms work as well.

April 2010: ICANN issues breach notices to Turkish registrar Alantron and Brazilian registrar Internet Group do Brazil for failure to provide access to its WHOIS database via port 43. See Who Is Blocking WHOIS? and Knujon’s report about registrars. The WHOIS database is filled with untrustworthy information, but ICANN requires that the database be available.

November 29, 2010: List of domains seized by US Immigrations and Customs Enforcement (ICE) [pdf]

December 29, 2010: Affidavit Details FBI “Operation Payback” Probe describes FBI efforts to contain DDoS attacks against PayPal, Visa, Mastercard, Moneybookers.com, Sarah Palin’s website and the Swedish Prosecutor’s website.

March 17, 2011: Rustock spamming botnet goes offline. Service at various ISPs is interrupted as a coordinated effort takes command and control servers off the network.

April 17, 2011: The US Department of Justice and FBI said today they had filed a civil complaint, executed criminal warrants, and obtained a temporary restraining order as part of what they called the most comprehensive enforcement action ever taken by US authorities to disable an international botnet (Coreflood).

The U.S. Attorney’s Office for the District of Connecticut has filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications. In addition, search warrants were obtained for computer servers throughout the country, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names. Finally, the government obtained a temporary restraining order, authorizing the government to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.

October 12, 2011: Verisign, the operator of the .com, .net, and .name top-level domains, has submitted a request [pdf] to ICANN asking for the power to take down “abusive” domains following requests from law enforcement agencies and without a court order.

April 11, 2012: White House cyber czar launching war on botnets

April 26, 2012: 36 credit card fraud websites taken down

September 13, 2012: Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain

See also: CyberCrime & Doing Time, A blog about Cyber Crime and related Justice issues
