March 26, 2012

Microsoft today announced the execution of a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye — powerful banking Trojans that have helped thieves steal more than $100 million from small to mid-sized businesses in the United States and abroad.

Microsoft, U.S. Marshals pay a surprise visit to a Scranton, Pa. hosting facility.

In a consolidated legal filing, Microsoft received court approval to seize several servers in Scranton, Penn. and Lombard, Ill. used to control dozens of ZeuS and SpyEye botnets. The company also was granted permission to take control of 800 domains that were used by the crime machines. The company published a video showing a portion of the seizures, conducted late last week with the help of U.S. Marshals.

This is the latest in a string of botnet takedowns executed by Microsoft’s legal team, but it appears to be the first one in which the company invoked the Racketeer Influenced and Corrupt Organizations (RICO) Act.

“The RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets,” wrote Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit. “By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the “organization” were not necessarily part of the core enterprise.”

It’s too soon to say how much of an impact this effort will have, or whether it will last long. Previous takedowns by Microsoft — such as its targeting of the Kelihos botnet last fall — have produced mixed results. There also are indications that this takedown may have impacted legitimate — albeit hacked — sites that crooks were using in their botnet operations. According to data recorded by Abuse.ch, a Swiss security site that tracks ZeuS and SpyEye control servers, some of the domains Microsoft seized appear to belong to legitimate businesses whose sites were compromised and used to host components of the malware infrastructure. Among them is a site in Italy that sells iPhone cases, a Thai social networking forum, and a site in San Diego that teaches dance lessons.

The effort also shines a spotlight on an elusive group of cyber thieves operating out of Ukraine who have been tagged as the brains behind a great deal of the ebanking losses over the past five years, including the authors of ZeuS (Slavik/Monstr) and SpyEye (Harderman/Gribodemon), both identities that were outed on this blog more than 18 months ago. Over the past few years, KrebsOnSecurity has amassed a virtual treasure trove of data about these and other individuals named in the complaint. Look for a follow-up piece with more details on these actors.

A breakdown of the court documents related to this case is available at zeuslegalnotice.com.


52 thoughts on “Microsoft Takes Down Dozens of Zeus, SpyEye Botnets”

  1. ScotM

    Who made M$ the Internet Sheriff?
    They should stick to fixing the flaws that
    make that type of crime possible.

    1. Security Admin

      Kind of difficult for Microsoft to ‘fix’ the end user that doesn’t properly secure their system in the first place.

  2. NotScotM

    Java is by far the most successful entrance for malware via drive-by exploits nowadays. Last I checked Microsoft didn’t develop Java.

  3. NB

    Brian, Are the server companies hosting for the crooks held accountable in these cases?

    1. JCitizen

      You could say shutting them down was a form of punishment/accountability – any farther than that is probably a grey area so far.

      1. NB

        I just wonder whether it was “seizing several servers” from a server farm, which seems like a slap on the wrist, or something more substantial to dissuade business from hosting these services.

        1. Silemess

          A thing to keep in mind is that these hosting companies could be (not necessarily are) but could be ignorant of what was sitting on those websites.

          If the C&C was hidden behind or within a legitimate site for someone else, or was out in the open but with a good cover? The only thing that the server hosts would be able to notice is that they have a large number of hits from the same IPs at approximately the same times of day. Factor in that maybe the IP addresses shift for the bots and that they might not be compelled to check in at preset times but instead varying intervals and voila, server can’t prove much without examining the site directly.

          It’s an entirely different story if they were warned/asked to remove hosting from the site and refused to do so. That’s when they switch from being an unwitting dupe into more of an accomplice status. It’s fair to try to protect their customers, but I’d expect that if an allegation is made they could at least take a look at it to confirm it themselves before making a move or denial.

    2. Andrei

      I bet the Scranton servers are property of our dear friend Shawn Matthew Arcus from BurstNET Technologies, Inc.™ aka Burst.net who holds NOCSTER™ aka Nocster.net aka “Network Operations Center, Inc.” aka Hostnoc.net, a “bullet proof hosting” company known for many years as a safe harbour for the organized cybercriminals and for ignoring abuse complaints probably because of the money share they get from criminals. Whoever took down ISPs like 3FN, Atrivo or McColo should think about doing this with Nocster, if it is not too late.
      Google says all about this illegitimate company:
      https://www.google.com/search?&q=hostnoc
      …mostly results related with badness…

      1. thegreyfoxx

        ‘somebody’ and BURSTNET just confirmed your comment. BURSTNET exhibits NO ethical standard; an amoral attitude. In a way analogous to the ‘fence’ who trades in stolen property.
        It’s all about the money, isn’t it?
        BURSTNET could, if it wanted to, increase its pricing and the effect would be to eliminate malware laden spam profligation…
        to a major degree, a much cleaner ‘net’ would result… “But, nooooooo …. ”
        said Bluto Blutarski (John Belushi)

        1. BrianKrebs Post author

          Perhaps a better solution is for this blog and others to be more diligent in pointing out what the underground thinks of various hosting providers.

          Plenty of carding/phishing/malware/hacking forums have discussion threads about the safest places to host stuff. I think it’s probably time to do a series about the reputation that various hosting/colocation firms have on the Underweb.

          Thoughts?

          1. CW

            Yeah, I think that would be an interesting article. And based on recent events, we know that your articles pull a lot of weight (I’m thinking of the Avast/iYogi pieces.)

          2. Silemess

            Yes, insight from those who intend to abuse the services would be great. They’ll celebrate the providers who either don’t care or actively welcome such activities while talking about who tries to frustrate their work.

            Hearing it straight from the horse’s mouth, as it were. It’s easy for providers to say that they’re working to discourage misuse of their systems. But not so easy for the rest of us to hear back about what the other side of the coin thinks about it.

    3. BURSTNET

      Not if they were unaware or uninvolved in the criminal activities. There are laws that protect us from hosting content we are not aware of. Just as if a landlord/property owner has a tenant that does something illegal, so too are we not responsible for the actions of our client base. If we are made aware of the illegal content, or stumble across it, we need to take action, but we cannot be expected, nor held liable, for something we know nothing about. These types of issues occur on a daily basis with web hosting providers of our size, and the public is just aware of it this time because it made headlines. We constantly assist the authorities with such investigations, and remove such content from our network. This occurrence just happened to be more in the public eye, as Microsoft obviously wanted to make a public display of it…

      BURSTNET

  4. thegreyfoxx

    Good for Msoft!! Msoft has the resources and the brainpower to ferret out the Botmasters in the civilian arena.
    Does ScotM want to just stand by and let the Zeus Botmasters run rampant plundering the USA victims??
    I am very glad Msoft is giving this support for the tedious effort to discover & kill the C&C bots on the civilian side of the RICO STATUTE.. the smart way to take down the criminal enterprises.!
    ScotM should be supportive, unless of course he is somehow damaged, which in that case he would be a botnet beneficiary… just sayin…
    Bravo Msoft…
    Bravo BKrebs on this report….

    1. Kevin

      The issue I have with it is that there are MANY people involved in taking down the bad guys and we don’t go out trying to make news stories about it. This stunt has pushed certain criminal farther underground and has now helped. Microsoft didn’t even talk to anyone in the security about doing this except for F-Secure before it was done. This is a sad day when everyone loses trust and working relationships.

      1. Kevin

        That should read

        “This stunt has pushed certain criminals farther underground and has not helped.”

        Typing and upset is not a good mix.

  5. JCitizen

    It is a sad state of affairs that Microsoft has to be the one that ramrods these kinds of actions. We need a DOJ equivalent – but expecting Obama to provide that is expecting too much leadership – I suppose.

    Meanwhile, KUDOS to Microsoft!!

  6. Rob

    The Zeus front end sites I’ve examined are “innocent” hacked websites. A large list of sites, all over the world. These sites redirect down to a few common backend sites. The domain names for the backend sites only stay up a few days. The backend sites are using Blackhole, they check for missing Java, Flash, Reader, and MS patches among others.

    Zeus2 victims search for 1000 random domain names a day, and establish a p2p network among themselves. They seem designed to resist a normal takedown. Hopefully MS got a little deeper and found something critical under the covers to take out. Or maybe they are following a money trail? Their blog says they were trying to “disrupt operations” and preserve evidence, so we can hope.

  7. SteveW

    Sorry Brian, I posted this on the wrong blog post, this is where I wanted it posted:

    Quite honestly, can we actually say that Microsoft was not to blame in this incident and they can therefore be completely absolved of this?

    Best practices for any computer user should be just that, best practiced. Updates, by default, install themselves (to my chagrin thanks IE 9), and Norton bloatware is installed on every single new PC, so absolved??? I guess not entirely, but who is to blame… Users!

    How is MS supposed to protect users that don’t know how to use their software? Does Kitchenaid offer assistance to individuals who have electrocuted themselves by inserting a butter knife into one of their toasters?

  8. somebody

    According to the complaint at zeuslegalnotice, the servers seized in Scranton were hosted by burst.net. And wasn’t burst.net aka hostnoc.net one of the locations where they seized servers during the Rustock takedown? Yes, it was. And today hostnoc is at #2 on the Spamhaus list of the ten worst spam sources. (Though they might not be there tomorrow, they’re always within hailing distance of the top ten.)

    Isn’t it time to give hostnoc/burstnet the McColo treatment?

  9. BURSTNET

    It is not our job to police the Internet. If we are notified of a violation of our AUP/TOS we take action. We cannot be expected to know otherwise what content is being hosted on our network, as we host thousands and thousands of servers, 20,000+ virtual private servers, and millions upon millions of websites. The reason such garbage is common on our network is because of the ridiculously low prices we offer, which means we focus on sales volume (not a handful of larger clientele), which as a side effect leads to a lot of undesirable, beginner, spammer clients signing up for our services. We don’t want them on our network as much as the public doesn’t, but we are not mind readers, and can only take action when notified of such. There are laws protecting us as the web hosting provider just for this reason, as we cannot be held legally responsible for content that we do not knowingly host. That is like trying to hold a property owner responsible because his tenants are doing something illegal in their apartments. Those with common sense understand this, and that is why we are not the target of the investigations ourselves, only the user doing the illegal actions. We are actually on the good side of law enforcement, assisting them with investigations, not hindering them.

    BURSTNET

    1. thegreyfoxx

      excuses, excuses…
      you could install filters, you could clean up your neighborhood, you, as landlord could insist on ethical behavior, and not be an ‘enabler’…
      so instead you enable the trashing of the net neighborhood…
      for a few pennies, you say, “because of the ridiculously low prices we offer”
      the smell is bad, really bad…

      1. BURSTNET

        You obviously are just spouting off, and have no first-hand experience on the subject matter you are talking about. Sling all the mud you want, we have done nothing wrong, and are actually the good guys here, co-operating and assisting to bring down these scum.

        BURSTNET

        1. uzzi

          Is that icon you have a photograph of your abuse staff? Empty chair is empty… (scnr) ;-P

    2. AlphaCentauri

      You are undercutting the price of hosting by underfunding your AUP enforcement. More responsible companies lose business to you because they can’t meet your prices — and they can’t meet your prices because they more adequately fund their abuse departments and because they are more willing to say no to new accounts that look shady.

      To be willing to accept lower quality control in your handling of abuse reports, when you know it will predictably result in more criminal activity on your networks, is an ethical issue.

    3. Nic

      “We cannot be expected to know otherwise what content is being hosted on our network”

      I’m going to respond but not to you — Instead I’ll respond to the readers of this blog. Krebs on Security readers, observe the falseness of the above quote. See for yourself how hostnoc has multiple means to identify badness on its network:

      https://zeustracker.abuse.ch/monitor.php?as=21788

      http://www.spamhaus.org/sbl/listings/hostnoc.net

      http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

      http://www.team-cymru.org/Services/TCConsole/

      Oh, looks like it’s time to block hostnoc. (Verify these prefixes yourself if you choose block as well, and reverify from time to time.)

      64.120.128.0/18
      64.191.0.0/17
      66.96.192.0/18
      66.197.128.0/17
      96.9.128.0/18
      173.212.192.0/18
      184.22.0.0/20
      184.82.0.0/18

  10. Terry

    Hi,

    I run a few Joomla websites in Australia and I had never heard of Scranton or Burstnet until a few months ago, when I noticed some of my sites were getting SQL Injection attempts, and tracing back the various IP ranges being used I ended up at Burstnet. I contacted them and got an auto responder and never heard from them again, but their email or website did warn that would probably happen. The attacks did diminish after a while but came back again a few weeks later from the same IP’s, so I really can’t say one way or the other whether Burstnet did take any action. I found other people on Joomla Forums and sites where you can report naughty IP addresses with similar attacks from the same IP’s.

    Besides the SQL injection, my logs were showing scripts testing for the existence of various Joomla extensions with known holes in them, which fortunately I didn’t use. In the end I just blocked ranges of IP’s coming out of Burstnet that were causing me issues.

    The relative ease of creating a website and proliferation of CMS’s like Joomla, WordPress, Drupal, etc. with add-on applications that have the welcome mat out for the Crackers, they are landmines waiting to happen for unsuspecting visitors and in my experience there are a lot of them out there.

    So as well as the comments about Users taking responsibility for their own protection and Burstnet or the ISP’s being more active so too should be the Website owners in actively keeping their sites protected.

    Terry

  11. somebody

    Dear Mr. BURSTNET,

    you have one SBL listing that’s two and a half years old, another that’s almost two years old, and more than a dozen that date from last year. You are, obviously, knowingly hosting that content at this point. Why are all those sites still up, and more being added daily? More than 50(!) added just this month. If you were making *any* attempt to keep the spammers and scammers out, you wouldn’t have that kind of listing history.

    With your long history of hosting spammers, and your record of hosting Rustock and Zeus etc., why shouldn’t you be given the McColo treatment?

    1. BURSTNET

      Apparently you do not know how SpamHaus works fully. Just because there is a listing does not mean the abusive user has not been terminated. Many of the listings we have have had the users/services terminated, but SpamHaus does not remove the listing, as they want to force you to do what they want, even if there is no proof provided to us that a user is doing anything wrong.

      BURSTNET

    2. BURSTNET

      Also, we are at a high point right now in our listings.
      Typically we hover in the 40-50 range, with about 20-30 constantly added/removed every week. The 80 is a high point for us, and just means our next batch of removal requests is in process, as we investigate/suspend/terminate, then request removal of the listings. It is an ongoing process.

      Also, it is important to note that 75%+ of our business is wholesale to other web hosting companies. What that means is we do not even have control over the end-users being put on our services, no way to stop known spammers from getting service, etc…

      BURSTNET

      1. You missed a bit

        How marvellously convenient

        … (for the bad guys.)

        1. uzzi

          “our next batch of removal requests is in process”, that’s a good one, laughed so hard colleagues came to join in, singin’ “Blame it on the rain that was falling, blame it on the stars that didn’t shine…”

          …you know other carriers manage to do their homework in time, don’t you. :-]

  12. AlphaCentauri

    I can attest that no registrar was more responsive to spam complaints than EST Domains. Their staff was a pleasure to work with. They shut down spammed domains within hours. But they continued to sell new domains to spammers, and their officers have since been officially accused of being deeply involved in criminal activity themselves.

    Being responsive to complaints isn’t sufficient. It’s necessary to have a strategy to detect criminal activity without waiting for an aggrieved party to complain, and it’s necessary to have a strategy to identify potential clients with well-known histories of abusive activities before allowing them on your network.

  13. AngusM

    Until recently, I had a dedicated server at BurstNet. A few months back, mail from my server started being blocked, first by Hotmail/Live, then by AT&T. BurstNet support confirmed that the spam that triggered the block wasn’t originating from my server, but from the IP block it was in.

    I tried vainly to get them to do something about it, asking to be assigned a new IP in a non-spamming block. They simply stone-walled me, saying repeatedly that the problem was “with the abuse department”, and would be dealt with shortly. It was clear that they had no intention of cutting off their spamming customers, but they were also apparently uninterested in doing even the minimum necessary to fix things for a paying non-spamming customer.

    I no longer host any domains at BurstNet.

  14. Dima

    Most of the comments seem to come from dilettantes or (perhaps) competitors. Too many guys, really, try to fight Burst.net here (and not only here) and as usual without any real evidence, just with links to Spamhaus.
    Who here, and even in Spamhaus, could say with evidence that Burst.net or its employees are involved in any illegal activity? Burst.net claims its position very clearly – if anyone sends a complaint with evidence, the offending user’s services will be suspended or terminated (depending on the case, of course).
    Someone here offered a solution to help decrease abuse cases inside the network, but believe me it is not as easy as you may think. Spammers and malware distributors use advanced technology to hide their illegal activity.
    Burst.net and any other host in the world is not the NSA and just could not check each byte in their whole traffic due to technical and LAW limitations. Such traffic sniffing is against privacy and human rights, as only the Secret Service and Law Enforcement could perlustrate traffic, if someone here does not know this yet. Moreover, in most cases this is just useless because in most cases malicious traffic is encrypted and maybe even tunneled.
    Therefore, when you, guys, refer to a Spamhaus listing you must understand – they are not a court, they are not internet police, they are just one of the members of the internet community. And when they claim something, this could be true or false. They do good work in many cases, but some of their claims are completely false and sometimes they are too rude and far away from any form of cooperation. That explains why some networks are still listed for years, even though it is against their own SBL policy.
    I believe that most hosts in the world, including of course Burst.net, would be happy to decrease abusive cases in their network, but this very much depends on customer base and market niche. If you deal as a VPN host – you must be ready for lots of incoming abuses. If you deal as a budget host – you must be ready for lots of incoming abuses. If you allow payment with less indemnity – you must be ready for lots of incoming abuses.
    Hope that the action realized by Microsoft will help reduce illegal activity in the network, but again: seizing some equipment at a host absolutely does not mean that the host was involved in something illegal. We could see the same issue at many well known hosts in the world.
    That’s just my 2 cents to help readers understand what is happening and how it is happening.

    Regards

    1. uzzi

      Sorry, don’t know where you get your insights from, but most folks here are long time followers of this blog with deep insights. Calling them ‘dilettantes’ or assuming they are ‘competitors’ is way too much:

      Not responding to complaints in time is dilettantish, not knowing standards and ignoring best current practices is amateurish as putting lipstick on the pig. And to question Spamhaus.org is the best way to interconnection disaster.

      But okay, let’s have a look at CBL and compare to CISCO’s SenderBase.org:

      64.120.128.0/18: 40 x CBL, 231 x Poor@Senderbase
      64.191.0.0/17: 184 x CBL, 1.121 x Poor@Senderbase
      66.96.192.0/18: 16 x CBL, 231 x Poor@Senderbase
      66.197.128.0/17: 66 x CBL, 768 x Poor@Senderbase
      96.9.128.0/18: 49 x CBL, 764 x Poor@Senderbase
      173.212.192.0/18: 45 x CBL, 80 x Poor@Senderbase
      184.22.0.0/20: 1 x CBL, none Poor@Senderbase
      184.82.0.0/18: 57 x CBL, 68 x Poor@Senderbase

      … that’s simply horrible, except for 184.22.0.0/20.

      And at least it’s not our fault if they have no suitable terms and conditions or AUP to terminate abuse. But… what a fortunate coincidence, THEY HAVE:

      “This Acceptable Use Policy (AUP) applies to all individuals, businesses, organizations, resellers, and end-clients (collectively, “users”) employing any BurstNET® services, hardware, property or other products.”
      :
      “BurstNET® may monitor its network and audit systems for any data or activity indicating potential policy violations.”
      :
      In addition to activities governed by law, BurstNET® strictly prohibits:
      – IRC and associated applications (including bouncers, “bots”, etc.)
      – malware (malicious software) and/or botnets
      – automation tools, auto typers, macros and bots used to circumvent restrictions on games or other applications (e.g. RuneScape bots)
      – network and systems abuse scripts
      – circumvention of and/or provision of instructions to circumvent security measures
      – unnecessary port scans
      – threatening, harassing, or obscene content
      – anonymizers/proxies without password protection and sufficient logging (including open mail proxies, anonymous web surfing proxies)
      – proxy detection scripts
      – unsolicited and/or mass advertising via forums, blogs, comment forms, and newsgroups
      – mail bombing, email address harvesting, and/or unsolicited email (including bulk mail sent to unconfirmed recipients […]
      :
      http://www.burst.net/policy/terms.shtml

      “Burst.net […] is not the NSA and just could not check each byte in their whole traffic due to technical and LAW limitations.” LOL? …terms say THEY ARE and THEY COULD! Comments and facts suggest they may be just too sissy.

      I hear Yoda’s voice: “There just start you must and the guts to enforce your AUP you have or burst in hell like McColo you will… Death is a natural part of life. Mourn them do not. Miss them do not. Attachment leads to jealousy. The shadow of greed, that is.” 😛

  15. Dima

    Well, I guess professionals here knew all the facts and could understand how any host works. The AUP/TOS is the declaration – it does not mean that Burst.net employees could log in to any client’s dedicated or virtual server without permission of the client, and even perlustrate traffic. They could take the required action when they have “suspicion” about some client or his services, to protect their own network from malicious activity. And I guess they do.
    I do not think that we are their only reseller, Burst has a lot, and I do not think that we have any “special” preference over other resellers. When the Burst.net abuse department receives complaints they forward them to us and we continue the investigation with the client. Depending on the case, we as reseller decide what we can do with the client and report the final decision to Burst.net. In 99% of cases we could find understanding and help from the Burst.net abuse department and the abuse case was resolved. The timeframe for resolving an issue is usually set at 24 hours – this is the common standard in the hosting industry. And I could not recall any case which was “unanswered” or left as is without any action from us or Burst.net. I say this because here you wrote “Not responding to complaints in time is dilettantish, not knowing standards and ignoring best current practices is amateurish as putting lipstick on the pig”, which I believe is not based on any facts. At least I could claim this based on our history with Burst.net (from 2002 or 2003).
    Somewhere here someone talked about the frequency of abuse issues inside the Burst.net network. That fact is very clear for understanding. As a budget host, Burst.net (and many other hosts in the same market niche) works like a “washing machine”. Bad guys, due to low prices, could order servers at Burst.net directly or indirectly (through resellers and subresellers) over and over. Believe me – they have lots of money and could do that without any financial problem for their “business”. So, from a 3rd party point of view (like Spamhaus for example) this could look like a perpetual source of problems, even though the same IP address is used by a different reseller or client in each case. Unfortunately, it is a problem for any budget provider – their client base “rotation frequency” is big enough compared to middle and high budget hosts.
    Back to the above 1%. That is for a special case – 100% related to Spamhaus listings. And it is cases when Spamhaus lists someone as a “cyber crime host” or “spam support host” and uses the power of abuse to suppress the affected person’s/company’s internet activity using a carpet-bombing method, which includes but is not limited to listing domains and IP’s which have no relation with anything illegal. But it is a long story, and to explain how this works and whether it works I would need to write an article here, and I doubt I could do that with my English experience (BTW. Sorry for my English).
    How Burst.net could decrease the amount of cases. No, I do not think that termination of a client just because he receives an abuse complaint is good practice. And the Burst AUP/TOS is already strict enough. Maybe one good solution would be enabling SMTP relay for all services by default. That could decrease the CBL and Senderbase issue by a lot. But again I must say that this could not stop professional spam senders, because they use advanced techniques to send spam, and to find and cease their servers inside the network you must be a professional cyber sleuth, and moreover you need to have legal permission to do that. I could not say about US law, but EC and Russian law require the host to preserve client privacy and forward most of the investigation to Law Enforcement.

    1. somebody

      Yeah, we’re all just dilettantes and competitors, and you’re just a burstnet employee who’s being paid to come and defend your employer, right?

      A few facts to consider: if it’s so hard for burst to keep their network clean, why is it that so many other providers can do it? Rackspace, for instance; they’re bigger than burst, and don’t have a sterling reputation. How many SBL listings do they have? Four. A tenth of what burst admits is their “normal” number. And really, Spamhaus is just one of many services one can use to keep an eye on their network, one can also use Senderbase as noted above, or Project Honeypot, or Botscout, or stopforumspam, just to name a few. And if you use any of these, you’ll find that burstnet/hostnoc has lots of problems, more than almost any other provider out there. Why? Because they don’t care. And the net would be a better place without ’em.

  16. Dima

    1) I am working for a Russian host and not for Burst.net
    2) When you compare anything you should compare apples with apples. Your example is far away from this.
    Rackspace is well known as a definitely not cheap host. They are concentrated on managed dedicated hosting, whereas Burst deals with unmanaged. A Rackspace server costs about 2-10 times more than what Burst offers. When I talked about the money spammers have in their pockets, I didn’t say that they are ready to just burn their dollars. Of course spammers try to find a more budget solution for their “business”.
    3) I always try to protect our clients and partners when they receive a false positive complaint or blame by anyone, including Spamhaus (Spamhaus is the only “organisation” which uses its power of abuse. Never had problems with other spam fighters.) I believe that any host must protect their customers, as they pay him and trust him. Of course, if the host receives a properly prepared complaint with evidence and the customer is guilty, the host could and must take action to fight illegal activity. But this does not mean that the host must do “face control” for each new customer who signs up for services and segregate them by their “history”.
    4) We try to use as many spam and illegal activity fighters as we can. Today we just found one of the IP addresses which we manage in the malwaredomainlist.com listing, and after a quick investigation suspended the server, because what we found on the customer’s server looked like just clear evidence for the listing. The customer distributed malware using a complex system of proxies, and those proxy IP addresses are still under investigation. What I am always against is claiming and blaming the host provider for their customers’ activity. It is highly unprofessional.

  17. Dima

    And about apples: try comparing the Burst issue with the ovh.net issue. You will see many similar cases, as well as a similar amount. Why? That’s easy – because OVH is a well known budget provider in Europe.

  18. Observer

    COME ON GUYS – Burst and other legitimate hosts are not the problem… Leave ’em alone please. They cannot control what the bad guys do – and please be civil. It’s just too easy in this environment. We should keep our focus squarely on the fact that there are real malevolent people out there taking ridiculously sophisticated steps to injure people and avoid identification. Reverting to blaming infrastructure providers in general is like throwing your hands up that the real problem can’t be solved. While there is certainly room for debate about how proactive infrastructure providers should be, that debate should be fair and objective – and not a finger-pointing exercise. I’ll bet the bad guys love that type of thing…. keeps the focus off of them. Thanks

    1. AngusM

      There’s an old saying that “If you’re not part of the solution, you’re part of the problem”. This is particularly true where abuse is concerned.

      An infrastructure provider is in a position of special responsibility not to enable the bad guys. Some providers accept that responsibility: they are proactive in spanking bad guys off their network. Some do not: they sit back and let the bad guys get a free ride, either because time and energy spent on anti-abuse activity is not seen as profitable or because they are actively making money from the bad guys.

      Calling out a provider who doesn’t do enough isn’t ‘losing focus’ or ‘throwing up your hands’. It’s addressing a very real part of the problem. Bad providers make abuse possible.

      If BurstNet is being singled out for criticism, it’s not an accident. It’s because a lot of people who have to deal with abuse issues have concluded that BurstNet have never had much interest in curbing abusive use of their infrastructure.

      You can argue that this perception is wrong (although you might find that the evidence is against you). I don’t think you can argue that naming and shaming abuse-friendly providers isn’t part of the process of dealing with abuse.

      1. Neej

        TBH if Spamhaus and other maintainers of lists of hosting that are home to criminal activity are any guide it seems pretty stupid to be singling out Burstnet.

        How about OVH and Leaseweb who have a much larger number of customers carrying out criminal activities than this smaller provider?

        I think the landlord argument brought up previously should apply here – how can a property manager be held responsible for something their tenant does? And this isn’t actually a fair example in any case – if hosts are too nosy and proactively try and find out what their customers are doing the barriers to innocent customers leaving for another provider are far lower than housing.

  19. Dima

    Speculation and voluntarism and nothing more. Using a mobile phone (i.e. phone + number from a mobile operator) to make a call that sets off an explosion somewhere does not mean that the phone vendor or mobile operator is responsible for terrorist activity. The same goes for an ISP who offers an optic line to bad guys who do something illegal on the internet.
    Sure, if the volume of suspicious cases exceeds some “standard” value then it is time for the provider to think about what is wrong in his business process or other procedures, like identification of the end user or stronger attention to separate reseller or affiliate activity. Anyway, that does not allow anyone to call Burst.net an abuse-friendly provider.
    And, in summary – what is your target? Do you want to get Burst.net off the internet, and you hope that all bad guys will disappear when the Burst.net network disappears? That is just a stupid hope. Even after the McColo crash (where thousands of servers were used to send spam, and it was professional spam senders only) spam activity went down for 1-2 days, maybe 3, and then the volume of spam was just restored. McColo spam clients just continued with other providers in the world, and I would not be too surprised if they continued in SoftLayer or Rackspace network space.
    Therefore to really fight illegal activity on the internet we all always need good coordination between hosts, cyber sleuths and law enforcement to get a good and complete result. Blaming and complaining will not work to reach the main target – suppressing illegal activity as much as possible.
    Hope you heard about the Leo Kuvayev case – this spammer has been captured here in Russia and I hope his activity will finally be stopped for at least 10-20 years. He was a big headache for all hosts, and who knows how much money hosts lost with listings in antispam blocks, abuse incidents and so on due to his activity.

  20. Notarios Barcelona

    Unquestionably believe that which you stated. Your favorite justification seemed to be on the net the simplest thing to be aware of. I say to you, I definitely get irked while people think about worries that they just do not know about. You managed to hit the nail upon the top as well as defined out the whole thing without having side effect, people can take a signal. Will likely be back to get more. Thanks

  21. JOe

    Recently, I uncovered dozens of phishing websites hosted at BURSTNET.

    After sending 3 abuse e-mails over a month, the phishing website(s) are still online.

    Personally, I would never want to be hosted at such a cyber-criminal friendly datacenter.

  22. uzzi

    So we’ve learned Burstnet didn’t change for about 10 years:

    30 Jul. 2003, 11:03

    “Call for Internet Death Penalty: Burstnet/Hostnoc

    The charges:

    Burstnet have deliberately facilitated abuse of the Internet.

    Burstnet have been given every opportunity to remove their spammers, and have failed to take advantage of those opportunities.

    Burstnet have repeatedly lied to the Internet about their spammers.

    Burstnet have aided and abetted their spammers by listwashing and have thus further abused innocent members of the Internet by handing the addresses of complainers over to spammers.

    Burstnet have threatened members of the Internet who requested that Burstnet conform to minimal acceptable standards of behaviour.

    Burstnet claim not to be able to control their own network.

    Burstnet have continued to profit from the abuse of the Internet, to this very day. (This includes continuing to host the well-known, block-on-sight spammers of Azoogle.)”

    Source:
    http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/892e13ad0df6d83f
