McAfee just published the sixth edition of its Security Journal, which includes a lengthy piece I wrote about the pros and cons of taking down Internet service providers and botnets that facilitate cyber criminal activity. The analysis focuses on several historical examples of what I call “shuns” and “stuns,” or taking out rogue networks either by ostracizing them, or by kneecapping their infrastructure in a coordinated surprise attack, respectively.
The theme of this edition of the journal is finding ways to take security on the offense, and it includes articles from noted security researchers Joe Stewart and Felix “FX” Lindner.
Here’s the lead-in from my contribution:
The security technologies most of us rely on every day — from anti-virus software to firewalls and intrusion detection devices — are reactive. That is, they are effective usually only after a new threat has been identified and classified. The trouble is that, meanwhile, an indeterminate number of individuals and corporations become victims of these unidentified stalkers.
Until quite recently, this “bag ’em and tag ’em” approach to dealing with malicious activity online had become so ingrained in the security community that most of the thought leaders on security were content merely to catalog the Internet’s worst offenders and abide the most hostile networks. Exponential increases in the volume and sophistication of new threats unleashed during the past few years — coupled with a pervasive attitude that fighting criminal activity online is the principal job of law enforcement — have helped to reinforce this bunker mentality.
Then, in the fall of 2007, something remarkable happened that seemed to shake the security industry out of its torpor: a series of investigative stories in the mainstream and technology press about concentrations of cybercrime activity at a Web hosting conglomerate in St. Petersburg known as the Russian Business Network (RBN) caused the ISPs serving the infamous provider to pull the plug. The RBN, which had been a vortex of malicious activity for years, was forced to close up shop and, subsequently, scattered its operations.
This was the first of many examples that would demonstrate the strategic (and, arguably, cathartic) value of identifying and isolating significant, consistent sources of hostile — if not criminal — activity online. I will focus on two popular methods of taking the fight to the enemy and will offer a few thoughts on the long-term viability of these approaches.
Copies of the journal are available from this link.
Krebs, please check posts in “About this blog” section. I twicely tried to send very important private information to you (I sent a links to two archives that I made especially for you — with really sensitive data, regarding internal events in fake-av and cashout industry). Have no any reaction. Possibly, you did not received them.
Dmitriy — Thanks. I received them just fine, but until your comment just now did not have a way to let you know that I had: The email you used bounced when I replied to it, and you left no other way to contact you. Also, the password on the archive failed to open it when I first tried it. I have succeeded in opening it on another system since then, thanks.
You may also send me documents encrypted with my personal encryption key:
—–BEGIN PGP PUBLIC KEY BLOCK—–
—–END PGP PUBLIC KEY BLOCK—–
Brian, could you confirm that you got two archives?
report.rar and report2.rar (if some missed – please write a file name)
Are all archives unpacked correctly on the second system?
When I will be ready, I will send some other information.
I cannot use email, sorry.
An unrelated question on the propasal for reputation based spam filters at the DNS level. Are they going to take into consideration spoofing?
Never sent one piece of spam email in my life, but I have had an ongoing war with Barracuda the last few years over bounced email. Having a website online 13-14 years with email addresses on it has lead to all manner of spoofing (China Spingboard the worst).
Am all in favor of DNS measures, but not convinved a lot of innocent webservers or co-located servers might get caught in the crossfire.
If spammers are just spoofing your domain in the “from” field of spam, any human being deserving of keeping his/her job would know it has no relationship to who is sending the spam. Barracuda just looks for patterns, and it filters according to which patterns are common. They don’t take responsibility for whose emails are getting blocked because of the patterns spammers choose to use. But by the time that type of issue gets to an abuse desk person, anyone who can’t read headers and determine the real sender is not competent enough to be given responsibility for terminating anyone’s account.
If spammers are putting your domain in the body of spam, as if to advertise your domain, you may have more difficulty. But generally joe jobs are pretty obvious. Spammers are spammers because they believe it brings in more money than problems, and they don’t want to help their enemies by bringing in money for them. They usually fill joe job spams with outrageous lies about your domain, in hopes recipients will react without investigating.
But if you have your email preferences set to return spam/undeliverable mail to the sender (rather than refusing to accept it in the first place), you are in effect forwarding your spam to the innocent third parties whose domains are being spoofed in the “from” fields. They didn’t send it to you, and they don’t want your spam any more than you do. If that’s the problem, you will get reported for spamming for doing it, and you would definitely have to worry about consequences.
I think part of the problem may be spammers scraping text and photos from articles and possibly using them to generate emails, as well as the traditional spoofing. Thanks for the information on joe jobs. I have bounces disabled, but you still gave me some info I can use.
I agree taking down or blocking sections or individuals on the internet runs counter to the liaise-fare nature of the internet. It is open to abuse in its self by competing interest e.g. Governments trying to block technology they can’t snoop on, businesses trying to disrupt their competitors operations and bullies who want to shut people up for their own purposes.
The better alternative is an opt in approach creating safe harbours on the internet for like minded people to conduct business and social contact but it is incumbent on those who operate these subnets to ensure that they properly indentify the participants. The question is will participants accept more formal identification procedures and the associated costs to allow them access. If not incumbent businesses that are already obliged to conduct themselves in this manner may ultimately dominate the internet and this may not be good for competition and free speech.
Don’t know how well that will work, considering how employees within a business often are at loggerheads with each other, turf wars, and such. Some businesses might want to go dark fiber.
That would be laissez-faire
You certainly get points for bravery, the Russian Mob are a mean bunch.
With regards to the “shunning and stunning”:
How do the Security Pro’s think the Google-Verizon vision for the Internet will affect the perception of the strategy ?
Luciano was allowed to run the docks (as usual) in NY during WWII because of the larger issue – and he was promptly deported afterwards. Today, these National Security issues are not so clear, having morphed into “National Markets”.
Does that vision give cover to Organized Crime ?
Al Capone (eventually) went down on Tax Evasion. This would not work too well in a Global Economy.
Great article Brian.
As you point out, not having a central clearing house for information is definitely an issue. This is being echoed amongst the community as well. Even if someone did step up to the plate and sponsor such a site, participation becomes the next challenge.
With more botnet command and control servers being taken down, what’s your take on the rise of P2P botnets and do you think organizations will shift their operations in that direction?
I have been readinhg the report pdf. and seen this little tidbit
My source sent me a note saying he had a
message from some well-connected bad guys who were hugely
inconvenienced by Atrivo’s disconnection. The message read:
“Tell Krebs nice job on Atrivo, but if he’s thinking about going
after McColo next, he’s pushing his luck.”
Seems you won’t be on someone’s christmas card list this year. While I agree with one of the other posters comments about a clearinghouse, it will be a moot point without having everyone on board. The problem is tha bad guy are making too much money from there nefarious purposes and arent afraid to spread it around, until ICANN , the various goverments and the upstream providers get tough on those who are abusing the system, and a lot of them know who is doing what and where nothing will happen. ICANN needs to stop pussy fotting around and start cracking down and pulling the accreditation of registars who are too cyber crime friendly, same with the upstream providers who are fedding the smaller cybercrime ISP’s that are hosting a lot of garbage there are far too many hosts in countries we’re the police and govt officials * cough cough .ru * were they look the other way that refuse to crack down on AS’s that are so ridden with ill it isn’t even funny. ICANN’s biggest problem is they like to talk crackdown on proper registartion information and making registering domains to a certain time delay, but the folks who make it up can’t see to decide or plain dont want a hand in making it safer and harder for the crooks. Lets face the upstream providers make money supplying the little ISP’s and some make very good money, and they hate to seee any cash flow nipped but there is way too much rougue activity going on now that it’s to the point we’re bomabrded with it. If the goverments in the countries that seem to turn deaf and blind ( china and russia for instance ) start co-operating with the goverments in other countries and start to seize thes guys assets and bank accounts, you will hit them where they hurt. Look at the RBN they poperated within Russia withnwhat seemed like immunityfor years, did the goverment crack down no… it wasnt tell the up stream providers cracked down that they dispersed, and where did they go..oh I don’t know China…which is as corrupt as Russia is…look how many C&C’s are hosted there…the RBN set up shop there asasp… and I wouldnt be suprised a bit to see they spread the wealth around and started some friendly little cybercrime friendly ISP’s in other countries thats goverments are lax as well….Loook at the Koobface gang.. thos kids have their beak in everything. but till the Upstreams starts pulling these guys ISP’s, the ISP’s null their AS’s and ICANN starts kickin ass on their registering domains with the same fake e-mail addresses and fake info, nothing will change I am afraid..Mc Colo was a great point and they got hit hard, but then they just went and spread their tentacles of infrustructre further so if one went down another was still up…so it will always be a come from behind fight for the good guys cause not everyone wants to get together to hammer these guys, to many people trying to cover their own rears instead of those they seek to protect
@David, re: your source’s comment
I’m not sure how much “luck” was involved in any of Krebs’ efforts.
However, so far, the criminal botnets have been “lucky” to be protected by the inherent inefficiency of bureaucracy in applying justice.
I’m not sure this will last forever as the internet community becomes more aware of the cost of these botnets and loses patience, thanks in large part to Brian’s excellent reporting.
I have also been frustrated with the way in which many in the security community seem content with trying to develop improved AV software, and not with finding ways to put an end to this nonsense once and for all.
A couple of points.
“kneecapping their infrastructure in a coordinated surprise attack, ” is what the Japanese tried to do at Pearl Harbor, so I hope that you co-ordinated with the local governments when you do that. Otherwise you could find yourself extradied for terrorism. That’s what the USG would do in that situation, anyway.
It’s “Tag ’em and bag ’em”, not the other way ’round.
Where did Brian say that he did it?
The Internet is like the Wild West. While it is to be expected various law enforcement agencies and governments do what they can to fight crime, we as end users of the Internet need to bunker down our computers to protect ourselves!
To use a reverse sports adage, “The best offense is a great defense!” Or “Defense wins championships!”
The key is don’t be the low hanging fruit ripe for the picking by not properly securing your computer systems. They are fully within your control, so why not utilize that aspect to your full advantage? I refuse to be a victim! Screw the malware authors! 🙁
Internet *technology’ is like the wild west. Or actually not Internet technology but *desktop* technology. People are still running fossil systems in the 2010s. If they get hurt then at this point they deserve it.
In other words Rick, in the “wild west” if you couldn’t draw your gun and shoot as fast as the gunslingers you deserved to get killed and/or have your cattle stolen.
Interesting concept you are covering. I will be intrigued to see what you propose in the taking the fight to the enemy section since the enemy often appears to be the compromised systems the true bad guys are utilizing to hide their tracks.
wow…thought you persons would have learnt from the Bush fiasco. guessing its more profitable to create enemies and fan the flames. being part of the problem is your best? very dissappointing. enjoy the downward spiral. i’m going to search for clearer thinkers. goodbye.
If you scatter hacker networks, then you can no longer collect intel on the hackers. A centralized enemy is much easier to fight. Do you really want to do that? You get a post-Cold War situation like the Middle East.