August 10, 2010

McAfee just published the sixth edition of its Security Journal, which includes a lengthy piece I wrote about the pros and cons of taking down Internet service providers and botnets that facilitate cyber criminal activity. The analysis focuses on several historical examples of what I call “shuns” and “stuns,” or taking out rogue networks either by ostracizing them, or by kneecapping their infrastructure in a coordinated surprise attack, respectively.

The theme of this edition of the journal is finding ways to take security on the offense, and it includes articles from noted security researchers Joe Stewart and Felix “FX” Lindner.

Here’s the lead-in from my contribution:

The security technologies most of us rely on every day — from anti-virus software to firewalls and intrusion detection devices — are reactive. That is, they are effective usually only after a new threat has been identified and classified. The trouble is that, meanwhile, an indeterminate number of individuals and corporations become victims of these unidentified stalkers.

Until quite recently, this “bag ’em and tag ’em” approach to dealing with malicious activity online had become so ingrained in the security community that most of the thought leaders on security were content merely to catalog the Internet’s worst offenders and abide the most hostile networks. Exponential increases in the volume and sophistication of new threats unleashed during the past few years — coupled with a pervasive attitude that fighting criminal activity online is the principal job of law enforcement — have helped to reinforce this bunker mentality.

Then, in the fall of 2007, something remarkable happened that seemed to shake the security industry out of its torpor: a series of investigative stories in the mainstream and technology press about concentrations of cybercrime activity at a Web hosting conglomerate in St. Petersburg known as the Russian Business Network (RBN) caused the ISPs serving the infamous provider to pull the plug. The RBN, which had been a vortex of malicious activity for years, was forced to close up shop and, subsequently, scattered its operations.

This was the first of many examples that would demonstrate the strategic (and, arguably, cathartic) value of identifying and isolating significant, consistent sources of hostile — if not criminal — activity online. I will focus on two popular methods of taking the fight to the enemy and will offer a few thoughts on the long-term viability of these approaches.

Copies of the journal are available from this link.


22 thoughts on “Shunning and Stunning Malicious Networks

  1. Dmitriy Afermativ

    Hello!

    Krebs, please check posts in “About this blog” section. I twicely tried to send very important private information to you (I sent a links to two archives that I made especially for you — with really sensitive data, regarding internal events in fake-av and cashout industry). Have no any reaction. Possibly, you did not received them.

    1. BrianKrebs Post author

      Dmitriy — Thanks. I received them just fine, but until your comment just now did not have a way to let you know that I had: The email you used bounced when I replied to it, and you left no other way to contact you. Also, the password on the archive failed to open it when I first tried it. I have succeeded in opening it on another system since then, thanks.

      You may also send me documents encrypted with my personal encryption key:

      —–BEGIN PGP PUBLIC KEY BLOCK—–

      mQENBEs+hi8BCAC7laKEpH3QjhDjkY5zPtnjtlBO8DRwboCtIsOAsUsBkoj4gBM6
      50CGmvjS3Yl0agl9ONupqVPOb8/4UIch3cMNOuc9ibg1LapjrvZfWuFJOx3/VS4u
      glh6s7WQyIzyAq5YRwmqaBtvh1NaNdaivZb81kKyGAIuNeLtzAwGFVlPVVdaPft1
      +bqc0PXwhWSbno2MxqthIPTsFyHSydzmmJagTEZ7s1pYCw4LT7w4/btI1clJnRMy
      1AZaRiRzb9vAB8EuhR5z2bGJ7ttmVBTAy47tJ4+Z01c0KX3JTaeeHBqWUR6D2DVt
      e7tQpFq10rjBq+dY6q///YA7Ogij7ke+U1WfABEBAAG0J0JyaWFuIEtyZWJzIDxr
      cmVic29uc2VjdXJpdHlAZ21haWwuY29tPokBbQQQAQIAVwUCSz6GLzAUgAAAAAAg
      AAdwcmVmZXJyZWQtZW1haWwtZW5jb2RpbmdAcGdwLmNvbXBncG1pbWUHCwkIBwMC
      CgIZAQUbAwAAAAMWAgEFHgEAAAAEFQgJCgAKCRDgNEQDQPn2nFeYCACotftRattm
      7qM2di8XQOsIM5H2GJ7J9MLyd/ECYMkN7AmskkNhAL0yVxsdm868XvkvJedWQqLK
      Bng1qPfCj2sbKpc3V05w0S9XHV2Gqu95EuRVoTXu0fiZQg7RaJtBGEc7zuL1aeue
      BkcRDl28ruFPt+6JhfNDmPm3Q6tfu5mdSC+IFY+KRPSryUuXYUk9LgQ7RasUtb99
      KSo9GarCj5NXdFm8uWd2UjMeW2yD20HKqJOcpc235Py+nHXm8cLE+0j8/F+AdtA7
      twlJLbKlSn1jHzrquZu4c4SctDMLJ5CJU+3vqg5KLS15kXZVCHlMh081Blti57yT
      j460YebSZRKNtB9CcmlhbiBLcmVicyA8Y3JhY2tlckBnbWFpbC5jb20+iQFqBBAB
      AgBUBQJLPoYvMBSAAAAAACAAB3ByZWZlcnJlZC1lbWFpbC1lbmNvZGluZ0BwZ3Au
      Y29tcGdwbWltZQcLCQgHAwIKBRsDAAAAAxYCAQUeAQAAAAQVCAkKAAoJEOA0RANA
      +facsg8IAJ7xwFWNO9cv+2pBnoPxdlDP2cgxiZKvMJ0NDyy8cPR+Uf6sBOLFaFZa
      b9RT6rcLMAb5SaH4Gtlp4HkrnqKDkR7p0DtbZjEfdZFtUfa29msQ57xNipwESIhl
      EeMQiXr+70PNK5F0/M7DpG3rAXCYfnltmg5RqG1abTxP+CLheIr6UfibbsvGdscg
      RUT5ynARzxVzH56obl1A26ENmA9b7vGsdJ5WQTD5eMIx7oOo3MW2QOxWlV7bmUha
      bttsDUaCONev4fdem7VBG6EMAFl3Ou4IzfrIxQJlwfJxoI5+YO7z+Qd/H5XtK5LA
      kaQpDJLohb2XR9LJGn69Wl017x8kQP20J0JyaWFuIEtyZWJzIDxicmlhbkBrcmVi
      c29uc2VjdXJpdHkuY29tPokBagQQAQIAVAUCSz6GLzAUgAAAAAAgAAdwcmVmZXJy
      ZWQtZW1haWwtZW5jb2RpbmdAcGdwLmNvbXBncG1pbWUHCwkIBwMCCgUbAwAAAAMW
      AgEFHgEAAAAEFQgJCgAKCRDgNEQDQPn2nOyoCACsKLUvpub0WjbKHVBiGgRDM95I
      EUaTkrqApiJBES9gz/yyIK3L3P35QZuQ5vTfirTB3h8XhU/Xck8lEcmSRKlmoblo
      cWvU4rQ9mqcPDH9lamVLp8ZQ+F32bnVHzRaF1wxSMGMmJZ10AHfGIthO+TarblLy
      LNRJZI09GL6ezhEDKoD47CnZIhfO39XKK8OaUQoAIxKUIQ1R1drJjniNttv2xh2O
      MNwTqVOgJuPKBF5zv+ai6o43mpTPNoNwAHIhBPx2bPRSR3HSdP4xJKRe33uK6tWt
      MqLoAguMflP/DGhPxYJir22Mybvcg7ERjc3IxJyE1zlIHzpXT/eSUKhasUCmuQEN
      BEs+hi8BCADB9rgGlrEicTkHgUqOkezTNd2t4M2tcUeOJOscsKMKBXMAQx/fbmj5
      EOqFyJnCBzMKX6GYoqMYjLMsy3P+JsUG4S7lxgiEovFkQJL3/ZpHzDc5+lq9Ow6g
      pATK87DvllzPPwguqIeJgWJX1J4c2fmyc6cvb3ZKgts0F55eHlWEoiZCUMsxRE5x
      NqEwZDhws7CIs/eS4zMHqipVSZrC5kbIYum47j2zDVYxumGEwSINYgVNalAyilHB
      k4uK31wotxd4Xjf5rwQfMFMLY/QbH47qArksyD69cbjIFLqeRpFV8yzWiUkJBhYW
      OTcOmKABdV6YdBxawzXlgXMfeFWV6cvRABEBAAGJAkEEGAECASsFAks+hjAFGwwA
      AADAXSAEGQEIAAYFAks+hi8ACgkQVcV1/C7xsJxjIggArwGgSXeHuEVXRnnBZFMo
      KMXjl7reO5g5PLsNSsjy1vDs5tUWQWR3pH8mEAdhHkBh7G1HwC/cs3ic2ZZBuYgi
      YiyskxmCiwFnuvaaOR4hH6dQKk28sBYu2nTRip+wbFjMme4pLvRX148rBQw+0jbK
      xhnpN7lgqpWSDr2pEpurjG7a7r0LoyO9reOlR0BWTVjdKwM4qo+BG533lSH3Heff
      0g9rfP0qdmrkV2JOLZh/xI9dwYXCKhKFP4S78qt1zGfZn6NmDVhF2Jyp3IKMjB9r
      QuI6XCXtnsD1UjNelbe+nHNduX3FWiBMd6JIbPDacWe4zKk5AHuwsuOP72JysNJY
      LAAKCRDgNEQDQPn2nLb5CACtjZ5vjuZcYTj1d/dYt3YEt2HPvTIMbKIvXdYNrcVP
      NVVfOk2uJMxYfb+hzyz2tG0qYxNESwUAzvXWv9I8/LVQNHQdQxHt0WedkkEvpO4p
      IT36hC8B4jwljZcOlLREbWyMFY5O/PEce1EvnGMqXQWRROJWETuTDZ44yYJ+Wa6L
      2aojDQjy9lnJgMkveNMGWaDDaGHiYKQeb5kOxpcUVsna+RXg6rkKNySPpmI1JJU4
      O3SAh1JvuluXmIiPANJG1soV4dh9gLdeQFaetl5N8vVWFChL2yR/n2BGBQXyuqh4
      sHmVqHq+posDjZjiz2/ANGvoWFOJx3PLxidN9kFdtenq
      =S7lh
      —–END PGP PUBLIC KEY BLOCK—–

      1. Alexander Izmailov

        Brian, could you confirm that you got two archives?
        report.rar and report2.rar (if some missed – please write a file name)

        Are all archives unpacked correctly on the second system?

        When I will be ready, I will send some other information.

        I cannot use email, sorry.

  2. PJ

    An unrelated question on the propasal for reputation based spam filters at the DNS level. Are they going to take into consideration spoofing?

    Never sent one piece of spam email in my life, but I have had an ongoing war with Barracuda the last few years over bounced email. Having a website online 13-14 years with email addresses on it has lead to all manner of spoofing (China Spingboard the worst).

    Am all in favor of DNS measures, but not convinved a lot of innocent webservers or co-located servers might get caught in the crossfire.

    1. AlphaCentauri

      If spammers are just spoofing your domain in the “from” field of spam, any human being deserving of keeping his/her job would know it has no relationship to who is sending the spam. Barracuda just looks for patterns, and it filters according to which patterns are common. They don’t take responsibility for whose emails are getting blocked because of the patterns spammers choose to use. But by the time that type of issue gets to an abuse desk person, anyone who can’t read headers and determine the real sender is not competent enough to be given responsibility for terminating anyone’s account.

      If spammers are putting your domain in the body of spam, as if to advertise your domain, you may have more difficulty. But generally joe jobs are pretty obvious. Spammers are spammers because they believe it brings in more money than problems, and they don’t want to help their enemies by bringing in money for them. They usually fill joe job spams with outrageous lies about your domain, in hopes recipients will react without investigating.

      But if you have your email preferences set to return spam/undeliverable mail to the sender (rather than refusing to accept it in the first place), you are in effect forwarding your spam to the innocent third parties whose domains are being spoofed in the “from” fields. They didn’t send it to you, and they don’t want your spam any more than you do. If that’s the problem, you will get reported for spamming for doing it, and you would definitely have to worry about consequences.

      1. PJ

        I think part of the problem may be spammers scraping text and photos from articles and possibly using them to generate emails, as well as the traditional spoofing. Thanks for the information on joe jobs. I have bounces disabled, but you still gave me some info I can use.

      2. Louis Leahy

        I agree taking down or blocking sections or individuals on the internet runs counter to the liaise-fare nature of the internet. It is open to abuse in its self by competing interest e.g. Governments trying to block technology they can’t snoop on, businesses trying to disrupt their competitors operations and bullies who want to shut people up for their own purposes.
        The better alternative is an opt in approach creating safe harbours on the internet for like minded people to conduct business and social contact but it is incumbent on those who operate these subnets to ensure that they properly indentify the participants. The question is will participants accept more formal identification procedures and the associated costs to allow them access. If not incumbent businesses that are already obliged to conduct themselves in this manner may ultimately dominate the internet and this may not be good for competition and free speech.

        1. Tony Smit

          Don’t know how well that will work, considering how employees within a business often are at loggerheads with each other, turf wars, and such. Some businesses might want to go dark fiber.

  3. Gannon Dick

    BK,

    You certainly get points for bravery, the Russian Mob are a mean bunch.

    With regards to the “shunning and stunning”:

    How do the Security Pro’s think the Google-Verizon vision for the Internet will affect the perception of the strategy ?
    Luciano was allowed to run the docks (as usual) in NY during WWII because of the larger issue – and he was promptly deported afterwards. Today, these National Security issues are not so clear, having morphed into “National Markets”.

    Does that vision give cover to Organized Crime ?
    Al Capone (eventually) went down on Tax Evasion. This would not work too well in a Global Economy.

  4. Mister Reiner

    Great article Brian.

    As you point out, not having a central clearing house for information is definitely an issue. This is being echoed amongst the community as well. Even if someone did step up to the plate and sponsor such a site, participation becomes the next challenge.

    With more botnet command and control servers being taken down, what’s your take on the rise of P2P botnets and do you think organizations will shift their operations in that direction?

  5. David

    I have been readinhg the report pdf. and seen this little tidbit

    My source sent me a note saying he had a
    message from some well-connected bad guys who were hugely
    inconvenienced by Atrivo’s disconnection. The message read:
    “Tell Krebs nice job on Atrivo, but if he’s thinking about going
    after McColo next, he’s pushing his luck.”

    Seems you won’t be on someone’s christmas card list this year. While I agree with one of the other posters comments about a clearinghouse, it will be a moot point without having everyone on board. The problem is tha bad guy are making too much money from there nefarious purposes and arent afraid to spread it around, until ICANN , the various goverments and the upstream providers get tough on those who are abusing the system, and a lot of them know who is doing what and where nothing will happen. ICANN needs to stop pussy fotting around and start cracking down and pulling the accreditation of registars who are too cyber crime friendly, same with the upstream providers who are fedding the smaller cybercrime ISP’s that are hosting a lot of garbage there are far too many hosts in countries we’re the police and govt officials * cough cough .ru * were they look the other way that refuse to crack down on AS’s that are so ridden with ill it isn’t even funny. ICANN’s biggest problem is they like to talk crackdown on proper registartion information and making registering domains to a certain time delay, but the folks who make it up can’t see to decide or plain dont want a hand in making it safer and harder for the crooks. Lets face the upstream providers make money supplying the little ISP’s and some make very good money, and they hate to seee any cash flow nipped but there is way too much rougue activity going on now that it’s to the point we’re bomabrded with it. If the goverments in the countries that seem to turn deaf and blind ( china and russia for instance ) start co-operating with the goverments in other countries and start to seize thes guys assets and bank accounts, you will hit them where they hurt. Look at the RBN they poperated within Russia withnwhat seemed like immunityfor years, did the goverment crack down no… it wasnt tell the up stream providers cracked down that they dispersed, and where did they go..oh I don’t know China…which is as corrupt as Russia is…look how many C&C’s are hosted there…the RBN set up shop there asasp… and I wouldnt be suprised a bit to see they spread the wealth around and started some friendly little cybercrime friendly ISP’s in other countries thats goverments are lax as well….Loook at the Koobface gang.. thos kids have their beak in everything. but till the Upstreams starts pulling these guys ISP’s, the ISP’s null their AS’s and ICANN starts kickin ass on their registering domains with the same fake e-mail addresses and fake info, nothing will change I am afraid..Mc Colo was a great point and they got hit hard, but then they just went and spread their tentacles of infrustructre further so if one went down another was still up…so it will always be a come from behind fight for the good guys cause not everyone wants to get together to hammer these guys, to many people trying to cover their own rears instead of those they seek to protect

    1. TheGeezer

      @David, re: your source’s comment

      I’m not sure how much “luck” was involved in any of Krebs’ efforts.

      However, so far, the criminal botnets have been “lucky” to be protected by the inherent inefficiency of bureaucracy in applying justice.

      I’m not sure this will last forever as the internet community becomes more aware of the cost of these botnets and loses patience, thanks in large part to Brian’s excellent reporting.

  6. JackRussell

    I have also been frustrated with the way in which many in the security community seem content with trying to develop improved AV software, and not with finding ways to put an end to this nonsense once and for all.

  7. wiredog

    A couple of points.

    “kneecapping their infrastructure in a coordinated surprise attack, ” is what the Japanese tried to do at Pearl Harbor, so I hope that you co-ordinated with the local governments when you do that. Otherwise you could find yourself extradied for terrorism. That’s what the USG would do in that situation, anyway.

    It’s “Tag ’em and bag ’em”, not the other way ’round.

  8. xAdmin

    The Internet is like the Wild West. While it is to be expected various law enforcement agencies and governments do what they can to fight crime, we as end users of the Internet need to bunker down our computers to protect ourselves!

    To use a reverse sports adage, “The best offense is a great defense!” Or “Defense wins championships!”

    The key is don’t be the low hanging fruit ripe for the picking by not properly securing your computer systems. They are fully within your control, so why not utilize that aspect to your full advantage? I refuse to be a victim! Screw the malware authors! 🙁

    1. Rick

      Internet *technology’ is like the wild west. Or actually not Internet technology but *desktop* technology. People are still running fossil systems in the 2010s. If they get hurt then at this point they deserve it.

      1. TheGeezer

        In other words Rick, in the “wild west” if you couldn’t draw your gun and shoot as fast as the gunslingers you deserved to get killed and/or have your cattle stolen.

  9. Mark Kelly

    Interesting concept you are covering. I will be intrigued to see what you propose in the taking the fight to the enemy section since the enemy often appears to be the compromised systems the true bad guys are utilizing to hide their tracks.

  10. bwteske

    wow…thought you persons would have learnt from the Bush fiasco. guessing its more profitable to create enemies and fan the flames. being part of the problem is your best? very dissappointing. enjoy the downward spiral. i’m going to search for clearer thinkers. goodbye.

  11. Andrew Pennebaker

    If you scatter hacker networks, then you can no longer collect intel on the hackers. A centralized enemy is much easier to fight. Do you really want to do that? You get a post-Cold War situation like the Middle East.

Comments are closed.