Legitimate ISP a Cover-up For a Cybercrime Network

ezabi writes "TrendWatch, the malware research arm of TrendMicro, has posted a white paper titled 'A Cybercrime Hub' (PDF, summary here) describing the activities of an Estonian ISP acting as a cover-up for a large cybercrime network. It's involved with malware distribution and DNS hijacking, which leads to credit card fraud. The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies? Note that they are represented legitimately and are offering real services like any other internet company."

Adware

The summary is hugely incorrect. This is not a malware or cybercrime network, but "normal" adware. Yes adware is bad too, but its legal and calling adware companies cybercriminals is going to bring some lawsuits.

It's involved with malware distribution and DNS hijacking, which leads to credit card fraud.

I did find it funny that they say this; just because it's *possible* doesn't mean they'd do such. Surprisingly Comcast and other ISP's have been starting to do dns hijacking, so does it mean they are doing credit card fraud?

If you read the actual white paper you see it's just usual not-so-scary adware. It replaces ads you see with their own. Thats of course allowed and legal when the user gives consent to it.

I hate adware as much as everyone else here, but instead of going for huge headlines and dramatic stories, just tell the real facts and dont make assumptions. In this case this is a legal (adware) company with 50+ workers that follows Estonian laws. Maybe the summary writer would even like to read the actual white paper too, theres no mention of credit card fraud.

If you want to fight adware, do it properly, not with assumptions or lies.

Re:Adware

[matria]

Did you even read the whitepaper?

The director of the Estonian company has been convicted for credit card fraud but he was still able to build a network of companies in Europe and in the United States

For instance, a Web developer who
joined the company in 2008 proudly published a portfolio containing sites that he developed during his employ. This is a natural thing to do for a Web developer. In this case, however, his portfolio consisted not only of corporate websites but also of websites that have been used to lure Internet users to install Trojans that posed as helpful software such as video codecs and file compression software.

The whitepaper is totally different than you tried to portray, even in the first page. Your post is obviously an attempt at a coverup, presuming most people won't read the PDF.

Re:Adware

And the summary is also totally different. It tries to make it sound like this is some credit card fraud operation or they're having huge botnets, while in fact it is a normal adware company which follows Estonian laws.

Re:Adware

[fuzzyfuzzyfungus]

It appears to be a normal adware company which follows Estonian laws and is very quick with the astroturf...

Re:Adware

[maxwell+demon]

So it is allowed by Estonian laws to install trojans on the computers of unsuspecting victims, to redirect accesses to legitimate sites through DNS redirection to unrelated sites, to claim bogus virus infection on fake versions of legitimate sites and offer expensive fake "antivirus" software as "cure"?

Re:Adware

Why do you think the 50+ people published their jobs in portfolio, are acting all open and have PR persons if it was all illegal operation? That would be just stupid. The actual news here is how antivirus companies are doing promotion for themself this way. This is just marketing at the cost of other people who work legitly. Adware is still legit business when done according to laws, even if people hate it.

Re:Adware

[interkin3tic]

Yes adware is bad too, but its legal and calling adware companies cybercriminals is going to bring some lawsuits.

Others have adressed the actual legality, but I want to adress this anyway. I don't think we should refrain from calling bad guys "bad." Whether or not some asshole skates around laws faster than Estonia can make them (or outright bribes/lobbies lawmakers to keep what he's doing legal), or whether or not a particular asshole gets litigious for calling him an asshole, they're still an asshole. In fact, they're even bigger assholes if they bend laws and sue over it.

Re:Adware

[andymadigan]

When such advertising includes blatant fraud, it is illegal in any civilized country.

Re:Adware

[Zocalo]

Give me a break! Frankly, I'm not sure why they've even bothered to obscure the identity of the company concerned since it's pretty much obvious to anyone who follows IT security news that they are talking about EstDomains and Vladimir Tsastsin. Try punching those into Google or whatever and you'll see this goes way beyond being just an "adware company".

Re:Adware

[Technician]

I find the use of a good filtered DNS service that blacklists malware URL's upon discovery goes a long way towards limiting my exposure to this.

Open DNS or Scrub IT works well. The only down side is they are often the target of DOS attacks, so their uptimes are limited. Be prepared to switch DNS settings when the "Internet" goes down. Most of my frequent sites, I keep in my local hosts file, so even if DNS goes down or DNS is hijacked, the link to my banking is still valid.

Ruining as a normal user I can't be tricked into editing my hosts file. I don't have the privileges.

Links;
Open DNS http://www.opendns.com/
ScrubIT http://www.scrubit.com/

Re:Adware

When you make a scientific test that can determine if someone is good or bad, we'll listen to you. Until then you're just moralizing bullshit however it suites you and claiming it's a fact. If you're a fish, sharks are bad. If you're a shark, fish that can swim really fast are bad.

Re:Adware

[Runaway1956]

AC was probably illegitimate so he probably can't recognize a legitimate business. It also sounds like AC might have been an investor or an officer in the company. LMAOA

Re:Adware

[Runaway1956]

It seems Mr. Tsastsin has a rather colorful past, and is no stranger to organized crime. According to the local court and news media, he was recently sentenced to three years in an Estonian prison after being found guilty of credit card fraud, document forgery, and money laundering.
_____________________________________

If you happen to be Tsastsin's wife, I can understand that you'd like to stick up for his "good name". Maybe you feel that you need to do so, for the kids.

But, the bastard is a criminal bastard. Your astroturfing won't change the fact.

Re:Adware

[Russianspi]

OpenDNS has yet to have a service outage. Their massive redundancy has prevented that from happening thus far. BTW, I'm not associated with them in any way, other than being a happy user.

Re:Adware

[interkin3tic]

Hey, look, AC just started his philosophy class!

Your argument would be better applied to a more complex case of right vs wrong, such as more legitimate online advertisers. But we're not talking about that, these people are scum. Furthermore, this is /. where the general consensus is that adware and the people who make it are scum. Adressing the morality of adware would be preaching to the choir and would be beside the point. Lastly, I did NOT claim it was fact. Was it not obvious enough this is my opinion? If you're worried that people might read that and confuse it with fact, rest assured that such people are incapable of plugging a computer into the wall, and would not be reading it.

Re:Adware

[wastedlife]

It's involved with malware distribution and DNS hijacking, which leads to credit card fraud.

I did find it funny that they say this; just because it's *possible* doesn't mean they'd do such. Surprisingly Comcast and other ISP's have been starting to do dns hijacking, so does it mean they are doing credit card fraud?

Comcast and other ISPs have been doing NX-record hijacking, not straight-up DNS hijacking. While NX-record hijacking is a bad practice because of problems it causes with other networking practices, it is not malicious. NX-record hijacking is where an address cannot be found, so they reply with a search site to help the user. DNS hijacking normally refers to hijacking requests for valid domains and pointing them to their own servers. This can lead to phishing sites that appear to be a valid domain.

Re:Adware

[ezabi]

Certainly most of the employees wouldn't know that their actual work is used to serve illegitimate activities, otherwise they wouldn't include it in their CV's, how would a web developer know that the site he's working on is promoting a fake product, if you look for more details of the activity elsewhere you would find that these peoples' ultimate goal was to drive users to a form where they would gladly submit their personal and credit card details, TrendWatch wouldn't clearly explain such activities in its white paper for obvious reasons.

Security professionals would understand the meaning behind the attack.

Re:Adware

I didn't know that- but I agree it is pointless to cover it up unless it was done for PR reasons. The content of the pages in the screen shots are unique so searching for them with Google or any other search engine will bring up the sites. It's pretty easy to find out blued names even if you don't follow IT security news.

This is new?

[R2.0]

Look up the mafia and trash collection.

Re:This is new?

[fuzzyfuzzyfungus]

Or the financial industry and the financial industry.

Re:This is new?

[swanzilla]

Or Microsoft and the Association for Competitive Technology...

DNSSEC and ubiquitous SSL.

[Timothy+Brownawell]

...and DNS hijacking .... The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies?

DNSSEC so they can't do anything to your DNS queries (not even by directing you to an evil resolver), and SSL or similar for everything else so your connections can't be edited or sniffed. Then there's not really much the can do, besides just dropping all your connections.

Re:DNSSEC and ubiquitous SSL.

[Krneki]

Damn, I'm out of mod points. One question tho. If you use OpenDNS can they redirect your DNS queries?

Re:DNSSEC and ubiquitous SSL.

[fuzzyfuzzyfungus]

If the packet goes through somebody else' hardware and isn't cryptographically signed, their ability to fuck with it is constrained only by their computational capacity and knowhow. It'll be trickier if they have to rewrite packets on the fly, rather than just maliciously reconfigure their DNS server; but I'm sure Sandvine or one of their ilk could manage it.

However, while OpenDNS is unaccountably popular with many, it does a lot of DNS meddling of its own, including breaking NXdomain(it also uses false DNS data to implement its filtering; but I don't know whether that is opt-in, opt-out, or mandatory). While the fact that you have to manually opt in to use OpenDNS makes them better than the crap that ISPs try to pull, they aren't exactly on the side of angels.

Re:DNSSEC and ubiquitous SSL.

[maxwell+demon]

Since they redirect your DNS queries through a trojan, I don't see how they couldn't.

Re:DNSSEC and ubiquitous SSL.

[jroysdon]

DNSSEC only helps you if you run your own DNS resolver. 99% of the population uses their ISP's resolver. The exception are corporate networks, etc. DNSSEC does nothing to protect or help the end-user know that queries are good. The data from the resolver to client isn't signed or authenticated in any way, so even if you ask for the +adflag, etc., if someone has a way to mess with your DNS queries with MitM, they can add the "ad" (authenticated data) flag so your client would thing the data had been verified by DNSSEC.

DNSSEC isn't hardly deployed either. Not even in the .GOV TLD domains, which has a mandate that all domains be signed by the end of this year.

Query Comcast's test DNSSEC resolver:
dig +adflag +dnssec gov @68.87.69.154

You get back NSEC3 keys and RRSIGs, and the "ad" flag will be set (meaning it is authenticated data). Try it again with just about any domain:
dig +adflag +dnssec whitehouse.gov @68.87.69.154
dig +adflag +dnssec fbi.gov @68.87.69.154
dig +adflag +dnssec cia.gov @68.87.69.154
dig +adflag +dnssec nsa.gov @68.87.69.154

Nah, none of them have deployed DNSSEC. Less than 3 months to go and they'll all slip past the mandate.

DNSSEC is a good step in the right direction, but it's not a magic bullet. Perhaps if there were some client apps that act as DNS resolvers and verify all DNSSEC keys and sigs (the same as resolvers do), but that's going to slow down the user experience with many queries before even requesting content. Further, how are end-user apps like this going to be kept up to date with new signatures that have to roll (yearly, I believe)? No magic bullet, that is for sure.

Re:DNSSEC and ubiquitous SSL.

[Krneki]

I know OpenDNS abuse when you mistype a domain, but I'm not interested in that. My concern is redirection of correct names and DNS blocking.

Re:DNSSEC and ubiquitous SSL.

[Krneki]

One thing is a virus changing your DNS setting, another is DNS traffic hijacking.

I know about the first and how it works, but I never saw the 2nd.

Re:DNSSEC and ubiquitous SSL.

[fuzzyfuzzyfungus]

Answer on that is, in principle, "yes". Albeit, in practice, probably less likely than if you were using their DNS servers, since they'd have to modify the packets in transit, rather than just reconfigure their DNS server(or, less subtly, drop all traffic to/from known 3rd party DNS servers, and wait for you to give up and use theirs).

Re:DNSSEC and ubiquitous SSL.

Patches exist already to make Firefox verify DNSSEC and treat verification failure the same way (ie pages from failed domains won't load, images from failed domains are replaced by the broken image graphic) as an actual DNS failure.

The same for Sendmail, SSH (just in case you don't have enough paranoia in SSH already) and so on.

Since signing .gov just means one guy needs to read a document and follow the instructions in it, and it's maybe a day's work, I don't think that "3 months to go" implies any or all of the affected domains will slip past the mandate. But even if you're right, other parts of the network are already signed, the only significant obstacle is the signing of the root.

Re:DNSSEC and ubiquitous SSL.

[tialaramex]

Also, while I'm here, it's a lot harder to MitM the link between a user and their ISP in most cases. Both addresses are inside the ISP's range, so it should and probably does have border rules that prevent such packets traversing the border. That means to attack user X at ISP A, you need to be able to mess with packets inside ISP A. Whereas today, by doing MitM on some poor .com site's DNS servers, you get every user visiting the site. So "does nothing to protect" isn't really true.

If you're going to say "What if the bad guys just reconfigure the victim's machine to use their DNS server" Well, yeah, but in that case they broke in and changed system level configuration, it's game over. They could just as easily add an OS patch that redirects all IP traffic via their servers so that DNS is irrelevant.

Re:DNSSEC and ubiquitous SSL.

[Timothy+Brownawell]

DNSSEC only helps you if you run your own DNS resolver. 99% of the population uses their ISP's resolver. The exception are corporate networks, etc. DNSSEC does nothing to protect or help the end-user know that queries are good. The data from the resolver to client isn't signed or authenticated in any way, so even if you ask for the +adflag, etc., if someone has a way to mess with your DNS queries with MitM, they can add the "ad" (authenticated data) flag so your client would thing the data had been verified by DNSSEC.

No, you can demand that the ISP's resolver forward all the records you need in order to verify the signatures yourself. The first thing google comes back with is this, from 2007:

The current DNSSEC standards define a security-aware (stub) resolver that would be located at the users PC and which can indicate to a security-aware intermediate nameserver that it will perform its own DNSSEC validation by setting the Checking Disabled (CD) flag in the DNS query Header. This has the effect of inhibiting DNSSEC at the security-aware nameserver causing all necessary records to be supplied to the resolver to enable it to perform the security validation. The net result is we have achieved end-to-end security.

Re:DNSSEC and ubiquitous SSL.

[jroysdon]

Ah, very nice. Then the only problem is getting/keeping the signatures on the stubs updated. You have a bootstrapping problem that is a chicken-in-the-egg problem if you want to auto-update a host that has been offline for some time, or after a fresh install that contains old signatures.

Re:DNSSEC and ubiquitous SSL.

[Krneki]

Ok, so I'll take it as a "Not seen yet". I guess I'll worry about it when the time comes.

Don't click the Blue e!

[JRW129]

Use common sense!

Re:Don't click the Blue e!

[TimSSG]

Use common sense!

You must have never heard of "Peak common sense". The idea that there is a finite amount of common sense that can be used in any given year. And, the the amount will peak and then will decline steady to zero. Note: Second cause is common sense per individual is declining because of population growth. Tim S. PS: You think my theory is a joke? Good, then make it funny.

Comcast?

[Anonymous+Cowar]

Here i was thinking that this article would be about comcast, but then i remembered that comcast is just the regular kind of fraud. Over-promising and under-delivering...

Anywho, this is kind of scary, but not in an internet-scary kind of way, but instead in a crime can be all around you kind of way. Imagine if a restaurant was a front for a crime hub, i.e. skimming credit card and checking info, they would have access to people's financials, but in a much more limited sense. Although it would be interesting if the ISP didn't skim from it's own customers, but instead used them to poison dns stuff and the like. "Install our connection software! Welcome to our botnet, live long and prosper!"

Re:Comcast?

[stokessd]

Here i was thinking that this article would be about comcast, but then i remembered that comcast is just the regular kind of fraud. Over-promising and under-delivering...
 

Careful there! You are giving Comcast WAY too much credit. I would chalk that up to incompetence rather than malice. The latter is way harder, and the clowns at Comcast don't have the chops to do it well.

Sheldon

Re:Comcast?

[jd2112]

Here i was thinking that this article would be about comcast, but then i remembered that comcast is just the regular kind of fraud. Over-promising and under-delivering...

That's not fraud, that's sales. Otherwise every salesperson in the world would be guilty of fraud. Always assume that if someone is selling you something they are exaggerating the capabilities of their product/service.

Re:Comcast?

[porl]

not necessarily true. i have had many cases where i have purchased something from someone who has been completely open with describing any limitations etc of a product. i actually find i repeat buy off that type of salesperson far more than i would someone who has talked something up and failed to deliver. usually if you show that you know what you are talking about and you will see through any attempts at deception, and that you are not an arrogant prick then they will open up and be much more down to earth.

Solution

[girlintraining]

Man in the middle attacks have a classic solution: Encryption and non-repudiation in the authentication protocols. Encrypt everything between the client and server (as IPv6 allows for) and the amount of damage a rogue ISP can do (or any peer point) is greatly reduced.

Re:Solution

Your posts get more and more useless every day. What you describe is totally useless against trojans. These are not man-in-the-middle attacks. These are rootkits and DNS highjackers.

Re:Solution

Your posts get more and more useless every day.

This is unrelated to the topic being discussed. Not part of a good argument.

Network neutrality

[MobyDisk]

From a US perspective: without network neutrality, this is all legal.

Page 8 of the PDF shows CNN.COM with an advertisement replaced. What stops them from replacing the content of the articles? Page 10 shows how they hacked Google results. What keeps them from changing those results to filter articles on politics, religion, gender issues, laws...

Legitimate?

[The+Moof]

I though "legitimate business" and "front for crime syndicate" were mutually exclusive.

Re:Legitimate?

Funny I never could tell the two apart.

From estonian perspective...

[ZWoz_new]

First: I'm estonian and maybe not objective. But, in my opinion, this "research" are little bit inflammatory. I don't count, but if every third word is "Estonian" or "Estonia" or "Tartu", then this looks like "oww, look those foreign, maybe russian, cybercriminals!". Anyway, this is old and dead horse, what gets beaten, this infamous estdomains a.k.a Rove Digital (if anybody want proof, look Figure 1 in pdf and compare rovedigital.com). This article tries make impression, how in estonia this ISP is legal or somewhat "known and normal" business. In fact, i never heard about those guys before first scandals and court case, i afraid they don't have much business (legal or other kind) in Estonia.

Obliga...

[moro_666]

I for one welcome our new Cybercriminal Tartu Overlords ...

(Especially since they have to within a 3 mile radius from me, being in Tartu as well)

Re:Obliga...

[moro_666]

and link to the super evil company as well

http://www.rovedigital.com/

their homepage vs the homepage displayed in pdf files ... not really hidden well enough

Re:Obliga...

[Alex+Belits]

within a 3 mile radius

I see, Estonians switched from metric system to Imperial, to please their OTHER overlords.

Keeping Big Gubment out of the Free Market!

This is a perfect example of what kind of great "innovations" happen when you have Big Gubment stand aside and let the Free Market do whatever it wants.

Re:Keeping Big Gubment out of the Free Market!

Shut up idiot, you fucking slashtard. Free Markets dont exist as we know them in "Estonia" or anywhere remotely associated with the former Soviet Empire. They are a mafia under the guise of a country and all who happen to find themselves at the end of their stick ultimtaley suffer and the term Free Market is not applicable thanks to Marxist Communism Socialism which allows the thieves to not only manipulate all aspects of life and giovernance but to prosper heavily which perpetuates their reign. They view the west as a fat turkey, all stuffed with goodies and now on their table and slashtools like you make stupid negative references and inferences against free markets. You are a fucking dope

Measures

[wumpus188]

What security measures should be taken to prevent normal users from falling victim to such malicious bodies?

I think a massive DOS attack will teach these Estonian bastards! Oh wait..

The actual company

http://www.rovedigital.com/

IANA Failure

This all resolves to a complete lack of accountability. The IANA requires that site owners respond to abuse e-mails but then who checks the ISP? Or what if the ISP doesn't care because they are makign revenue of the hackers? Much less this case where the ISP is the hacker! The IANA needs a protocol for revoking the IP ranges of any ISP that allows abuse OR does not respond to abuse. Currently, there is no reasonable method an abuser if their ISP is unwilling to act and no method for forcing the ISP to act. All a malicious user has to do is stand behind a non-responsive ISP...

Very, VERY Good... apk

"I find the use of a good filtered DNS service that blacklists malware URL's upon discovery goes a long way towards limiting my exposure to this. Open DNS or Scrub IT works well. The only down side is they are often the target of DOS attacks, so their uptimes are limited. Be prepared to switch DNS settings when the "Internet" goes down. Most of my frequent sites, I keep in my local hosts file, so even if DNS goes down or DNS is hijacked, the link to my banking is still valid. Ruining as a normal user I can't be tricked into editing my hosts file. I don't have the privileges. Links; Open DNS http://www.opendns.com/ ScrubIT http://www.scrubit.com/ " - by Technician (215283) on Wednesday August 26, @01:53PM (#29204855)

See my subject-line, & this URL (especially points #'s 2 thru 5, because they cover a great deal of exactly what you state works, because, those points DO):

----

HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (&, beyond):

http://www.tcmagazine.com/forums/index.php?s=555c0485c3ad66d4020d3aa92778a1b2&showtopic=2662&st=0&start=0

----

IT WORKS...

How well? Ok, a testimonial, from -> http://www.xtremepccentral.com/forums/showthread.php?s=79253c5b286c472a012ff2ef7e7f2230&t=28430&page=3

----

"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local." THRONKA, user @ xtremepccentral.com

----

That's 'how well'... For going on 2++ yrs. now for Thronka & his paying clients, & for myself? Since 1997-1998 or so, through many machines since those days, to the present today, same results here!

APK

P.S.=> AND, what is a MAJOR portion of that guide (as far as "the beyond" part, above CIS Tool Guidance)? HOSTS FILES, & OpenDNS or ScrubIT DNS... & you think just like I do, & it does work, for all that you noted, plus more - think about THIS one:

Like IPSecurity Policies (also covered in my guide, acting as "layered security")? HOSTS files can LIMIT what even an already "taken in" malware can do online - because, IF/WHEN you block KNOWN "bogus servers" or bad adbanners (or even malicious websites)??

Well, if YOU cannot get to them, guess what? NEITHER CAN THE MALWARE... sure, some of you might say "but the malware could just use a static IP address vs. using HOST names or URL's to communicate back to 'home base/the mothership'" but, they can't do that, because ISP/BSP's "take down" KNOWN bad servers fairly quickly once they're discovered... & thus, using an IP address would be, self-defeating - where using URLs or DOMAIN NAMES allows malware makers/botnet masters etc. et al the ability to QUICKLY re-register said domain name once more, albeit, on a diff. server next rou

Re:Very, VERY Good... apk

Are you being treated for some condition that we should know about?

She's more right than you think

[Burz]

Authentication protocols like PKI that use encryption would make many sources of malware unambiguous. The pretty much leaves email and discs as the only malware carriers that are hard to track.

Comcast

I totally came in here expecting this to be about Comcast. I feel like I'm being robbed every month when I pay my bill.

No, but are you a PHD in medicine, psychiatry etc?

"Are you being treated for some condition that we should know about?" - by Anonymous Coward on Wednesday August 26, @04:03PM (#29207137)

No - but, do see my subject-line, & by the way: Care to show us your PHD in Psychiatry, or Medicine, etc. et al with your name on it?

(I say that, simply because w/out it (and a license to practice, as well as performing a formal examination of myself), you rather childishly transparent & stupid "insinuations/inneundos" mean, squat...)

Get it?

(Have a nice day)

APK

P.S.=> You're OFF TOPIC as well, by the way - So, go away now, little troll... apk

Suggestion?

[SinShiva]

i run a p3 700mhz,512mb ram box with dnsmasq and a proper hosts file on said server. I have a comcast connection, but i believe comcast isn't filtering nx records in florida yet?

Re:Suggestion?

[SinShiva]

P.S. Server box uses 4.2.2.1-3 for it's own dns lookups. I believe dnsmasq is capable of fixing 'fixed' nx records with this route. at least, i believe that was talked about last time i was reading up on it.

Crypto is the wrong answer

[The+Famous+Brett+Wat]

DNSSEC so they can't do anything to your DNS queries (not even by directing you to an evil resolver), and SSL or similar for everything else so your connections can't be edited or sniffed.

Actually, once the bad guys have installed malware on your PC, it's pretty much game over. DNSSEC won't help you, and SSL won't help you: they are designed to thwart man-in-the-middle attacks, not man-in-the-endpoint attacks. If your PC is compromised, the DLL that performs DNSSEC or SSL verification can also be compromised. We don't really have a security model to deal with man-in-the-endpoint attacks, other than things like two-factor (or n-factor) authentication which work because one of the two (or n) communications channels isn't compromised by the bad guys.

Re:Crypto is the wrong answer

[Timothy+Brownawell]

Actually, once the bad guys have installed malware on your PC, it's pretty much game over. DNSSEC won't help you, and SSL won't help you: they are designed to thwart man-in-the-middle attacks, not man-in-the-endpoint attacks. If your PC is compromised, the DLL that performs DNSSEC or SSL verification can also be compromised.

Sure, but a cursory reading of the summary/headline seemed to imply that they were using their position as ISP to cause trouble, rather than just being generic malware vendors.

Do unto others what we already did unto others

We're the USA. Why don't we just bomb Estonia?
We've bombed a lot of countries for a heck of a lot less.

Re:Do unto others what we already did unto others

[Alex+Belits]

But Estonia is the second best US sycophant in Europe!

Is this the RBN successor?

[Zappa]

For those interrested check out some info about the RBN (Russian Business Network) which was organized around an ISP in St. Petersburg, this was a really big operation.

This report lacks some detailled information about the ISP, eg which AS are involved, etc, so one can just react and put them into a DROP List or do an AS-Path finltering. If its an ISP with known AS, you (your ISP) can react.

Figure 6

[raktul]

I was just wondering in Figure 6 of the PDF where is step 5?