Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malware and Botnet Operators Going ISP

Posted by ScuttleMonkey on from the spam-is-big-business dept.

Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them. "The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"

17 of 131 comments (clear)

  1. Filtering easier? by Anonymous Coward · · Score: 5, Insightful

    If they own the IP block (or it's assigned exclusively to them) then wouldn't that make it a lot easier to block them? Why complain? Just find out their range and shitlist it.

    1. Re:Filtering easier? by JWSmythe · · Score: 5, Interesting

          The article (and story here) are a bit deceiving.

          The LIR is usually the ISP. So, they're filling out the IP justification form to ask for a block of IP's, just like anyone with their own rack or cabinet would. Big deal. I once had over a dozen /24's, but it was for legitimate purposes, and I properly (and honestly) justified them.

          I watched spammers do that in the past. They'd get multiple T1's (at their location) or ethernet handoffs (in datacenters). They'd be able to do a spam run for about 3 days on a block of IP's. When they got the complaint, they'd simply switch to another line. Say they have 7 of these circuits. It would take 21 days before they rotated back around to the original provider. If one should (oh my gosh) cut them off for the illegal activity, they'd simply bring in new circuits under new names.

          By combining providers in a single rack, that saved them the money of needing more servers. They'd frequently have a few cabinets, in a few different datacenters. So, 4 racks, 7 circuits each, would give them 28 unique identities. At 3 days before the line is burnt, that would give 84 days before they'd rotate back around to the original line.

          They would let a line sit idle for 84 days. That would just be stupid. They'd run multiple campaigns at the same time, so they'd rotate through them. It was an art, playing providers and the spam traps. They'd send a nice apology to the provider when they got the notice to stop, saying some machine was compromised, and the complaints would stop after just a couple days, and no one would care.

          Of course, some legitimate traffic would be hosted on these lines also, just to make things look good. In a 40u rack, they may have 30u's populated with spam servers, and a couple u's with web servers and what looked like paying customers on them.

          It's just like a black market operation run by the mob. Sure, you can buy merchandise in the store front. You'd never see the mobsters counting out suitcases full of cash, or shelves full of stolen merchandise bound for other places. No one questions what you're doing, because your store front *looks* legitimate.

          All they're indicating is that the spammer crowd has realized that there is no money in spam any more, and they've migrated to malware.

          All in all, it's not hard to get a cabinet, nor a circuit or three, in a datacenter. You don't even need a legitimate company. You just need to *appear* that you have a legitimate company. $100 and a few minutes of your time will incorporate a company to use. Corporate address? A PO box somewhere. Company phone? A "magicjack" or throw away cell phone. The only things that would tie anything to anything would be who's signing the contracts, which can be anyone. For minimum wage, you can have an employee of your illicit corp sign off on papers as "CEO".

          At one job, I wasn't listed as an "officer" in the company, so I couldn't sign anything. I got annoyed with trying to deal with the provider, so the next time I called to do something, I was "Vice President of Information Technology", and suddenly I was allowed to make changes. It was with the CEO's blessing, so I wasn't doing anything wrong. It was just to get through the providers annoying "protective" measures. The CEO never even got a phone call asking if I was allowed to make the changes. He just saw it reflected on the next bill.

      --
      Serious? Seriousness is well above my pay grade.
  2. Easier to block? by phil+reed · · Score: 4, Insightful

    Maybe I'm not being smart today, but doesn't that actually make it easier to block the bad guys, once their address space is identified?

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
    1. Re:Easier to block? by CannonballHead · · Score: 4, Interesting

      Out of curiosity... does that make that IP space sort of permanently black-listed? e.g., if the "bad guys" go out of business and "good guys" buy the IP space... how do the new owners clear the IP space of its bad name?

      Seems like a shame to start throwing IP space away because there's no way to make it clean again.

    2. Re:Easier to block? by Demonantis · · Score: 4, Informative

      In TFA it mentions that it starts to become spaghetti. As ISP get smart and start blocking that address block the criminal moves on to other things. The lease expires on the block and it is issued to a legit company and then problems happen because the blacklists are not updated by the ISPs. IPv4 also is a very limited size so you can't just rotate around the blocks you issue every 100 or so years (conservatively) and avoid this issue.

    3. Re:Easier to block? by Zerth · · Score: 5, Informative

      That's why your lists should have a time component.

      If you do something naughty, you're blacklisted for an amount of time, then greylisted for the next step up. If you do something naughty while greylisted, you get blacklisted for the remainder and greylisted the next step up again.

      Mine goes 15 minutes/1 day/2 weeks/3 months/1 year. I've yet to blacklist anyone for a year.

    4. Re:Easier to block? by gknoy · · Score: 4, Interesting

      Do you have any helpful links to guides that would explain how to do that? I'm sure I am not the only network-care neophyte who would like to have a safe and spam-free system at home, so I'm sure it would get you modded informative.

    5. Re:Easier to block? by xous · · Score: 4, Interesting

      No, it doesn't.

      We had a "customer" that had 15+ dedicated servers with us. This customer received tons of SPAM complaints. Each time they had a different excuse.

      After I disabled the servers and refused to turn them back on without examining them. The "employee" said he wasn't supposed to give me the root passwords but after I said that they would stay down until I got them he reluctantly gave them to me. Upon cursory examination the systems seems clean as a whistle until I realized there were no services actually running. No mail, etc.

      Where was the email coming from?

      I then found that the customer had GRE tunnels configured. This allowed servers in other data-centers to generate and send the spam through our network without having anything of actual value hosted with us.

      The "employee" that was our customer was so convincing that I could have believed that at least he thought his company was legitimate. He even tried to tell me that it was because they couldn't get IP addresses from their current provider they bought dedicated servers from us ($1500/mo) for IP space.

      Obviously the customer was terminated as soon as I found the tunnels.

    6. Re:Easier to block? by nacturation · · Score: 5, Informative

      Run spamd on OpenBSD or other OS that supports it. Works beautifully.

      http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&sektion=8
      http://www.openbsd.org/cgi-bin/man.cgi?query=spamd-setup&sektion=8
      http://www.openbsd.org/cgi-bin/man.cgi?query=spamd.conf&sektion=5
      http://www.linux.com/archive/feature/61103

      By default, email gets greylisted. In other words, the first two tries are rejected with a temporary failure message, the third try gets through. Real mail servers will retry, spammers often won't. Mail that gets through is whitelisted for that combination of sender, recipient, and IP for a month or so. You can also up-front blacklist IPs by whatever criteria you want -- published blacklists, country IP ranges, and so on. You can specify specific email addresses as spam traps, so you setup fromlamespammer@example.com on your mail server and put that as a hidden mailto link on your home page, and anyone who emails that obviously harvested it and their IP gets blacklisted.

      Combine that with Bob Beck's greyscanner (google for it) which looks for individual IPs trying to send from multiple domains and blacklists them for a period of about a month. I've found it eliminates about 99% of all spam. You should still do things like proactively whitelist clients and mail servers which send from a pool of servers (otherwise it'll get delayed quite a bit). And the occasional spam that gets through should get its IP address blacklisted.

      It has the additional benefit that if you run a busy mail server, running this in front significantly reduces the load on the mail server. So you end up with less spam, less wasted storage space, and a snappier mail server.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  3. I thought... by Darkness404 · · Score: 4, Interesting

    I thought the entire reason why botnets were so hard to stop is because they could be on a huge range of IP addresses. With this isn't it trivial to see that Evilnet ISP is a botnet and has the IP addresses xxx.xxx.x.xxx- xxx.xxx.x.yyy and just block those? I mean, yeah, if they had enough bandwidth they could still flood you with requests that slow down the servers because they all need to be blocked, but shouldn't it make blocking them easier?

    --
    Taxation is legalized theft, no more, no less.
  4. DNA samples/Chips in fingertips? by e2d2 · · Score: 4, Insightful

    No further investigation is done

    And none should be. They're a potential customer buying IP addresses and hosting, not automatic weapons.

    Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.

  5. Hyperbole by uassholes · · Score: 5, Insightful

    Having a block of IP addresses does not make one an ISP.

  6. Isn't this cool? by DNS-and-BIND · · Score: 5, Interesting

    Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?

    Well, now the future is here. Kind of sucks, doesn't it? Careful what you wish for, you just might get it.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:Isn't this cool? by JohnyDog · · Score: 5, Interesting

      Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?
      Well, now the future is here. Kind of sucks, doesn't it? Careful what you wish for, you just might get it.

      In those cyberpunk visions the world, political and judicals systems are tightly controlled by corrupt mega-corporations and the net is anything but open. The very act of accessing the network or tampering with it may land you in prison, criticizing the rulers means you're dead and so on. Every piece of hardware is registered, so if you want to get any hacking done you have to turn in to black market (for stuff) and criminals (to get money for stuff), out of pure necessity. (it's the classical tale of occupied country's resistance movement working together with organized crime, right?)

      Compare that to the reality we got: cheap ubiquitous internet, cheap ubiquitous hardware to access it, the net is *by default* free and open, and all attempts to any large-scale censoring has failed miserably. Anonymity is just one unsecured wifi hotspot away on every corner (so you don't need to pay a hacker to get you online), and any attempts at uncovering corruption and truth are met with public support. So the traditional heroes of cyberpunk stories can operate publicly or semi-publicly (think wikileaks), the worst that can happen to them is someone pulling the DMCA on the copied/leaked documents, which rarely results even in fines, much less prison time. The hackers are working on cool engineering projects instead of breaking into companies networks, and the criminals are, well, criminals - since they are no longer needed for the goals of the freedom fighters, all they do is disrupt the free information exchange (ddosing sites for greed, decreasing signal-to-noise ratio by spamming the hell out of everyone etc.), and so are frowned upon even by the neo-anarchists.

      --
      People who like this sort of sig will find this the sort of sig they like.
  7. Is the address space for something else? by damn_registrars · · Score: 4, Insightful

    Sure, we know a lot of the botnet activities that we care about - distributed spamming, distributed hacking, etc... But I suspect that isn't what they want the dedicated IP space for. People already pointed out that if the lion's share of your spam or hacking attempts came from a single IP block, it would be trivial to block it.

    Hence I suspect the operators want the IP space for other uses. Consider your average spam - we'll say it asks you to buy viagra through joescheapdrugs.com. Now joescheapdrugs.com needs to be purchased, which requires a registrar. It also needs to be resolved via a DNS server somewhere (which isn't always done by the registrar or ISP). If joescheapdrugs.com were an average spamvertised site, it would likely be hosted in one continent, registered through a registrar in another, and resolved by a DNS in yet another.

    The IP space would be useful because the DNS could be done in that range, and once the spammers establish an accredited registrar they could sell themselves domains from there too. We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US. So by owning IP space, they can actually keep more of their own money for their operations, thus increasing their profit margins. They can offer hosting, DNS, and registration services for anyone who wants to sell anything, and then sell them spamming services as well.

    It becomes one-stop-shopping for vendors trying to make a fast buck (or those who don't know better).

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  8. Re:Old news by Zocalo · · Score: 4, Insightful

    No it's not, several of the larger spam/malware gangs including the infamous Russian Business Network have been doing this for several years now. That's partly what prompted Spamhaus to create their solution to the problem: DROP. All it takes is a for the majority of the Tier 1 carriers to adopt the DROP list and it's pretty much game over for this this technique.

    --
    UNIX? They're not even circumcised! Savages!
  9. youtubers beware by cl191 · · Score: 4, Funny

    "You own your own IP space and you're your own ISP at that point." I believe this sentence was designed to make youtube commenters' heads to explode......your you're you what?