Uncooperative Russian ISP Prevents Cisco From Shutting Down Cybercriminal Gang
An anonymous reader writes: Cisco's Talos research team has managed to identify and partially shut down a cyber-criminal group that is using the RIG exploit kit to infect users with spambots via a malvertising campaign. Their investigation led them back to Russian ISP Eurobyte, who didn't bother answering critical emails and allowed the campaign to go on even today. In October 2015, Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware.
the sages foretell a fragmented internet for the future
I'm pretty sure I would never even notice, and the internet would be a safer place.
"This particular group used a series of security vulnerabilities, but most of the time, it was using the CVE-2015-5119 flaw in Flash, which allowed the group to compromise computers and later infect them with spambots. Cisco reports that, in most cases, the main payload was the Tofsee spambot variant, which infected Windows machines via Internet Explorer."
That would make the ISP responsible for investigating Cisco's claim (which may be false), which means they'd have to hire techs and so on. If they shut the site down, and Cisco are wrong, they would face liability.
Cisco would be better suing the ISP for the site's details, and then suing the site owners in the court.
*However*, this is a Flash exploit and an Internet Explorer exploit, and the fix is for Adobe and Microsoft to fix their shit, because even if the ISP does shut this down, it will be like playing whack-a-mole. As long as the vulnerability exists, it will be exploited, not just by spammers but by malicious governments like the UK and US, China, Russia, the lot.
Cisco is not responsible for policing the net, nor is it legally able to interpret law, and has no power whatsoever to enforce it. This seems to be pure vigilantism at best, and no different from the actions of a criminal gang at worst.
Let legitimate law enforcement do their job following due process. If they are behind the times, that's a function of freedom and the speed of progress.
Should anyone trust Cisco? The same Cisco that allows and cooperates with the illegal surveillance by the NSA etc.?
Remember this when I leave your website or refuse to turn off my ad blockers.
Anything good come out of that region? Forget principle when you are dealing w/ the unprincipled.
Or, at least that's what we did 25 years ago when I last managed my employer's Internet connection.
Some private company wants to shut down private customers of a private company in another country, and the second company refuses to do so? What's bad about that? Nothing, that's right.
Eurobyte is known as a bulletproof host, or at least as a host who is happy to host pretty dubious content. A lack of cooperation with foreign companies shouldn't be surprising to anyone!
You won't find any Russian business that would respond to inquiries this week (with the exception of employees working from home even though they shouldn't). Reason: all Russians have official holidays that started on January 1 and will end on January 11.
I tell everyone I know to use them.
Advertisers, either fix your shit or lose out? If you can't regulate yourselves in regards to 3rd party networks and ethical ads, then you will be out of business.
Fact of the matter is it is too dangerous to run without one. That should go right up there with browsing the net as administrator or root and using IE 6 these days.
Also, for those who say they are safe as long as they don't click or run anything, all I can say is: told you so! Open a page with Flash and you're 0wned. Simple.
http://saveie6.com/
If we do not get cooperation from the ISP in shutting down the source we will have to assume the ISP is cooperating with the cybercriminals and will have to block all packets to/from the ISP at the network edges in order to protect our own network and users.
Why should they?
Do they have an obligation to spend time and money and effort on a competitor company? Perhaps if the company PAID them for a SERVICE to ACT, then maybe?
Given how it works in Russia, chances are that somebody from those criminals has protection from the administration or is a kid of somebody important. Then the ISP basically has no choice.
Russia needs the money. Even the president can't afford a shirt.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
It is pretty simple.
Bet a hundred quatloos that this so-called "ISP" are the malware peddlers themselves. Either that, or they know full well who their customers are, and they interpret Cisco's communications as nothing more than a request to shut down a well-paying customer.
This is not a unique phenomenon. This is a fairly common reaction to abuse and spam complaints. You want us to shut down a paying customer? Why would we want to do that?
The key to effectively dealing with network abuse is to make the responsible party understand that it's in their best interest to do that. Otherwise they stand to lose more than they are profiting from network abuse. As long as effective public email blacklists exist, network providers will have to reluctantly terminate their spambags, else their entire network gets blacklisted and they lose more, as their other, non-spamming, pissed-off customers flee to other providers in order to be able to send mail.
The same thing here. Presuming that this is a bona fide provider, and not a sock puppet for the malware peddlers, the appropriate step of action is to escalate to their upstream, and attempt to get their cooperation, and have them agree to terminate the circuit to their rogue downstream provider, unless they get rid of the spamware peddlers. And keep escalating upstream, as far as necessary. Now, we're talking Cisco here, right? Well, it shouldn't take long before Cisco ends up talking to someone that uses their hardware in their core business. At this point, it's now going to be up to Cisco to put up and shut up, and inform their customer that unless this is dealt with, they will respectfully decline to renew their own customer's support contracts.
Could this sequence of events actually come to fruition? Extremely unlikely, but this is the only way to effectively deal with network abuse.
There is a saying in Russia, which says that Russians do not give away Russians.
This is a cliche statement, which reflects the mentality of how some of the Russians are taught and have trained themselves to believe about anything non-Russian-related. Here is the caricature of Russian mentality which summarizes how they want to view you: https://www.facebook.com/photo...
Jokes aside, in the United States, if somebody would want some law enforcement to give away their informers, we would say: screw you.
What did Canada do to end up on that list?
The only thing I can see in common in those three is that they consistently whoop the US's ass in ice hockey.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Just push a mod to the BGP tables. Problem goes away.
Have gnu, will travel.
Notice the "etc". Odds are every country is on the list as they all act like assholes in the online advertising world.
You believe everything you read that comes out of the mouths of corporations and governments? How do you know this isn't a lie designed to incite more distrust for anything Russian?
who didn't bother answering critical emails
I don't answer critical emails either. However, if you send me nice ones, or polite ones I might even read them.
You'd think that if this was something SERIOUS for Cisco, they'd at least bother to pick up the phone - maybe even go to the effort of finding someone who spoke Russian. As it is, this outfit, like everyone else on the planet, probably gets spammed senseless. Especially through public email addresses. Who can blame someone for ignoring emails from unsolicited sources?
To sum up, this sounds like the lazy excuse of an indolent individual: Why haven't you done X? asks the boss. "Well I sent them an email, but they never replied" whines the guy who just wants to get back to playing Facebook.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Sounds like the ISP is very cooperative, just not with who the submitter would like.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Seriously, if Cisco approached me about a criminal matter I would ignore them too. They have no legal authority to demand anything from anyone.
No, blame Canada, blame Canada
With all their beady little eyes
And flappin' heads so full of lies
Blame Canada, blame Canada
We need to form a full assault
It's Canada's fault
The entire 1-10 January is a holiday due to the weekend configuration this year. Almost no one works while it happens. So obviously no one is available to respond to Cisco complaints either.
Who do you think hit the Ukrainian power network the other week? Who do you think regularly attacks Ukrainian government web sites? Who do you think allows the army of Russian trolls located in St. Petersburg to remain active to spew their nonsense?
If anyone is surprised the Russians don't respond to close down hackers emanating from within their borders, they've been living under a rock for the last decade. This is what Russia is now known for, other than a collapsing economy and a ruble not far behind. They have nothing else, and the only way to take their minds off the problems Herr Putin has created is to blame someone, anyone, for their self-inflicted problems.
After all, they need to do something to cover up the roughly 2,000 dead Russian soldiers who have died invading Ukraine, the money they're losing as Putin tries to prop up the dictator Assad, not to mention the terrorists in East Ukraine who have literally destroyed everything they touch. As Russia begins to run out of money towards the end of this year, be prepared for an even bigger onslaught of trolls as their desperation becomes frenetic.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
90% of the malicious ads are for US companies selling US products in US dollars.
Close them down and the malware is blocked, but also the advert and route to the US company who will lose profit.
NOTE: do you think it impossible that some US criminal gang hacked Russian computer owners? After all, you keep bleating on about how US computers have been taken over as botnets by criminals. Are you also saying that Russian computer owners are far more educated and capable computer owners than the USA computer owners?
A pilot was wanted in the UK to provide an account of what happened when an A10 fired on a column of Challenger tanks. Refused.
A US serviceman was wanted to face criminal prosecution when he skipped out of Germany, because he got back to the US airbase before the police could catch him. Requests to extradite him refused.
Just poison all DNS and BGP entries related to the ISP that's not co-operating and their customer... take them offline for most of the world... I'm sure they'll be MORE than happy to help resolve the situation once they're about to go out of business. ;-)
Eurobyte operate a fairly big block rented from Webazilla, which is 46.30.40.0/21, and I recommend that you block traffic to that entire lot. But a lot of Webazilla's other customers are pretty shitty too. I don't think you'd miss much if you blocked traffic to the entire AS35415.
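As an added example, not code from the comment above or from Cisco: a small Python check that flags flow records whose destination falls inside the /21 the commenter names and emits the matching egress-filter rules. The "src -> dst:port" flow format and the sample lines are constructed for the example; AS35415 is not expanded into prefixes because that needs live routing data.

```python
import ipaddress
import re

# Prefix named in the comment above. Extend this list if you resolve AS35415
# to its announced prefixes from a routing data source.
BLOCKED_PREFIXES = [ipaddress.ip_network("46.30.40.0/21")]

# Constructed sample flow records in a hypothetical "src -> dst:port" format.
# 46.30.48.1 is just past the /21 (which ends at 46.30.47.255) and must not match.
SAMPLE_FLOWS = """\
10.0.0.12 -> 46.30.43.17:80
10.0.0.12 -> 93.184.216.34:443
10.0.0.55 -> 46.30.47.200:443
10.0.0.55 -> 46.30.48.1:80
"""

FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")


def parse_flow(line):
    """Return (src, dst, port) for one record, or None if it does not parse."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    try:
        return (ipaddress.ip_address(m.group(1)),
                ipaddress.ip_address(m.group(2)),
                int(m.group(3)))
    except ValueError:
        return None


def in_blocked_range(addr):
    """True if the address lies inside any prefix on the block list."""
    return any(addr in net for net in BLOCKED_PREFIXES)


def flag_flows(text):
    """Return the records whose destination is inside a blocked prefix."""
    hits = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow and in_blocked_range(flow[1]):
            hits.append(line.strip())
    return hits


def firewall_rules():
    """iptables rules that drop traffic to and from each blocked prefix."""
    rules = []
    for net in BLOCKED_PREFIXES:
        rules.append("iptables -A FORWARD -d %s -j DROP" % net)
        rules.append("iptables -A FORWARD -s %s -j DROP" % net)
    return rules
```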
Never email donotemail@WeAreSpammers.com
We see the same behaviour regardless of country. In Australia the only way we were able to get anything more than a generic response was by reporting it through ASD. With the US we have never managed to get a response from ISPs there; we just forward to the US authorities now and hope they deal with it. Basically, unless you are coming through the local government, then you are fucked getting just about ANY ISP to do anything useful.
I don't think that anyone would or should care about your router enough to conform to your bigotry.
They're worse than the spammers. I don't filter spam to my inbox, period. I have my own mail server too. If your ISP doesn't take my mail, guess what. You don't get my mail. And you know what? You'll probably have to call me instead if you use one of these ISPs. I'm looking at you, Google! Your over-active filtering sucks.
The combined irony and hypocrisy sustains me!
Are you serious, "didn't answer critical email"? If it is so critical that you threaten a company's business, why didn't you make a phone call or contact officials?
I would recommend that Eurobyte sue Cisco and OpenDNS, so they think twice before doing stupid things next time.
https://en.m.wikipedia.org/wiki/Public_holidays_in_Russia
and nothing new. You pay a little premium not to be disconnected as soon as somebody sends a legal request. Not reacting to something like that is what their customer pays for.
Who is talking here? A company that built back doors for the 3-letter agency... ask Snowden... just ignore them altogether...