They’ve got a slide show on their website right now about keeping yourself safe online, but it’s very superficial generalities. It won’t change anyone’s behavior, because people already know those things and think they only apply to other people. Brian can tell stories about real people who have been harmed. That’s more engaging reading, and it teaches more effectively.

You can shut down all the C&C servers you want, but if people keep clicking on ecards and fake password updates, there will always more botnets to take their places. If everyone who subscribes to RD knew how to look up the registration whois for a domain name to find out whether “paypal-registration.com” belongs to Paypal — or whether it only came into being two days ago using a privacy protected registration — it would drastically cut down the number of people falling victim to phishing.

Like or Dislike: 2  0

Some of the members at inboxrevenge.com have been making an effort to report any spamvertised site on the various free hosting providers. Russian hosting providers, like Pochta.ru, actually tend to be the fastest to respond to reports (despite the additional expense it must cost them to have English speaking support staff handling the complaints). Microsoft’s Spaces.Live.com, in contrast, allows the spamvertised blogs to stay alive for weeks or months, even when they are selling pirated copies of Microsoft products!

The point is that there are enlightened, clueless and criminal internet providers in every country. A ham-fisted solution like blocking an entire country doesn’t hurt the criminals much — they’ve got open proxies that can relay their spam through whatever route is necessary to get to the trojan-infected computers in the U.S. they’re going to use to mail it. But it can be devastating for honest internet users.

Like or Dislike: 2  0

We don’t want a locked down internet bereft of free exchange of ideas. It is this free exchange that gives the free world our leg up. Especially in the economy. I don’t think draconian measures are necessary. Even some mild self policing could help – financial incentives for end users would be very effective, I’d think.

It isn’t like a lot of ISPs have not been pro active, AT&T offers free anti-virus for many of its customers. The only problem is some ISPs make bad selections for the AV solutions they push. However they are better than nothing.

Like or Dislike: 0  0

The crooks may be using reputable ISP names in their web pages as a slap in the face of the very folks trying to bring them down. That actually makes sense in this way of thinking, as a motivation for the defacement and obfuscation of their where-abouts; and putting in a plug against their enemies.

Like or Dislike: 1  0

@t.w.

Quote= “…. The physical location, particularly the Kazakhstan location, has been disputed as also ‘fake detail’ by some security research. ..”

“How reliable is IP address geolocation data? Is all geolocation data still largely self-reported?”

End Quote

Much of it comes from “Regional Internet Registry” records combined with other sources, including guessing. It is reliable at the country level, and usually within regions. However if the operator is rogue and intent on masquerading, then it can be defeated. While the Troyak IP range may be assigned to Kazakhstan, the operator and C&C is based in Kiev, Ukraine. Remember that many of these “providers” are the actual cyber criminals themselves, or at best, are wholly ran as (CCAS) “Cyber Crime As a Service”

With respect to the cyber crime cesspool Troyak, and as I stated last week in this DSLR thread: http://www.dslreports.com/forum/r23933249-Zeus-botnets-suffer-mighty-blow-after-ISP-taken-offline When “Roman Starchenko” registered the matching troyak.org domain on 12/08/2009, he registered it to an address and phone number of an apartment in Kiev, Ukraine.:

Domain: TROYAK.ORG
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd.
d/b/a PublicDomainRegistry.com (R27-LROR)

Registrant ID:DI_10792377
Registrant Name:Roman Starchenko
Registrant Organization:Troyak
Registrant Street1:str. Miloslavskaya 17a, 75 ap.
Registrant Street2:
Registrant Street3:
Registrant City:Kiev
Registrant State/Province:Kiev
Registrant Postal Code:01001
Registrant Country:UA
Registrant Phone:+380.630231165
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:Staruy.rom@inbox.ru
Name Server: VETAXA.MANAGEDNS1.ESTBOXES.COM

Within a few hours of its birth the domain registration was changed to match the Troyak IP registry in Kazakhstan. Clearly an afterthought.

Also, take note that the one of the “Red Flagged” trojan criminal networks in Brian’s diagram: AS 50369 VISHCLUB is also registered to the same address in Kazakstan, and coincidentally the listed contact is using an @troyak.org email address:

Incidentally, up until mid February troyak.org was hosted on IP 195.93.184.1 which also hosted the nameserver ns.troyak.org and it served vishclub.net as well

That IP was also based in Kiev, Ukraine, also:

inetnum: 195.93.184.0 – 195.93.185.255
netname: ALYANSHIMIYA-NET
descr: Alyanshimiya LLC
country: UA
org: ORG-AL84-RIPE
admin-c: DS7111-RIPE
tech-c: IO303-RIPE
status: ASSIGNED PI
mnt-by: ALYANSHIMIYA-MNT
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: ALYANSHIMIYA-MNT
mnt-domains: ALYANSHIMIYA-MNT
source: RIPE # Filtered

organisation: ORG-AL84-RIPE
org-name: Alyanshimiya LLC
org-type: OTHER
descr: Alyanshimiya LLC
address: 15 Pecherskiy downstreet
address: Kiev, Ukraine
phone: +380 44 2511308
e-mail: info@udobreniya.com
admin-c: DS7111-RIPE
tech-c: IO303-RIPE
mnt-ref: ALYANSHIMIYA-MNT
mnt-by: ALYANSHIMIYA-MNT
source: RIPE # Filtered

IMO, from a security perspective, it is irresponsible not to block data at border routers, to or from these networks, or their peers, many do.

MGD

Well-loved. Like or Dislike: 6  0

Let’s hope not. You are talking about blocking entire countries the way Iran and China do. You are talking about creating a planet of division – a planet with no means of full communication.

This is the length you will go to. Instead of getting your operating system act together.

Hot debate. What do you think? 6  4

http://www.net-security.org/secworld.php?id=9039

This is the kind of self-policing that the Internet needs to survive without government intervention. Once the bad guys are exposed (after losses of millions by the public) it seems that nobody wants to be associated with them. Let’s hope this example stands the test of time.

Like or Dislike: 2  1

As always, thanks for your incredible threat analysis and reporting. An earlier fan mentioned vanity fair, which made me think about another avenue to share your insights; Reader’s Digest. They have articles exposing scams from time to time and have regular articles by health professionals, etc. I think timely articles from you in that media would also be well received and reach a greater audience.

Keep up the good work.

Like or Dislike: 3  2