2008-12-18

Enemy Within

When considering our preparedness (or lack of it) for cyber warfare or fighting cyber criminals, an old African quotation comes to mind: "When there is no enemy within, the enemies outside cannot hurt you."

At first thought, the concept of an enemy within might call to mind the Federal Trade Commission halting the scareware schemes, in which e-marketeers falsely claimed their scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The FTC estimated more than 1 million consumers were duped into buying needless products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, at $40 per install. Yes, a cool $40 million from such a scam based on ineffective products.

The enemy within, though, is actually more insidious than that. According to an alarming annual security report from Cisco Systems Inc. (Nasdaq: CSCO), there was a 90 percent growth rate in threats originating from legitimate domains, nearly double what the company saw in 2007.

In addition, vulnerabilities in virtualization products nearly tripled, to 103 in 2008 from 35 in 2007, as more organizations embraced virtualization to save money and increase productivity. The technology basically lets one computer do the job of many by sharing the resources of a single machine across multiple environments; those same virtual environments can equally be set up for Web serving and data transit.

HostExploit was able to determine the problem with McColo by penetrating its virtual environment and exposing it for the business it actually was. This evil network was run from Moscow by cyber criminals, yet it was fully maintained within a data center in Southern California. In similar fashion, the recent attacks on Georgia were launched from Plano, Texas, controlled by a Russian group apparently based in London.

The enemy within we should all be most concerned with are these collocation centers. Most would be surprised to learn one particular Russian network operator has three virtual hubs in the U.S.: Ashburn, Va.; New York; and Los Angeles. This may sound worse than it is -- U.S. operators have hubs and nodes in Moscow; this is just the way of the Web Wide World, and allows us to speed the flow or maintain virtualized Web-serving across the globe.

What is disturbing is that this particular Russian network operator is RETN, formerly known as Eltel, a very dirty Russian network infamous for hosting spammers and malware. According to Spamhaus, RETN/Eltel will be reactivating the McColo IPs any time now, allowing the botnets to contact their masters and the spam to flow again.

In this virtual network operator jigsaw puzzle, consider the potential enemy within. In this unregulated and open market, anyone with a credit card (like RETN) can rent rack space or even simply dispatch a server, right next to equipment from Global Crossing, Level 3, Hurricane Electric, and many others, foreign and domestic. And that's all that's needed to launch a botnet-controlled attack for cyber warfare or cyber criminal purposes from St. Petersburg, Beijing, or Islamabad. Except that it's happening within U.S. cyber space.

Within a very short period, these virtual thugs can send billions of spam messages, distribute malware, or, as the hackers did earlier this year, access White House emails. Add to this the ability to route through anonymous proxy networks via botnet C&C (command and control), and they can make themselves look as if they're from the U.S., China, or whatever virtual destination they choose.

If there was ever a serious case for necessary government regulation and watchfulness, this is it, and that needs saying before anyone jumps up to call this an infringement of Internet freedom or net neutrality. These are commercial, criminal concerns operating strategically important communication data and collocation centers; tighter controls would have no effect on individual Net surfing or Web hosting. What more oversight and control would do is create a less welcoming place to harbor the enemy within.

Internet Evolution


2008-12-15

EstDomains Active Domain List and Registrar Abuse

Estdomains Active Domain List

The list, as of December 1st 2008 and as now maintained by Directi, is now available in searchable form on HostExploit.com.

The total of 272,488 active domains is provided as a community service; any research or abuse comments on these domains are welcome at abuse(at)directi.com or estlist(at)hostexploit.com. Any suspected illegal or child pornography content should be reported directly to the IWF.




The images shown continue the review of the actions that Directi, in conjunction with HostExploit, has recently taken to track down and stop abusive domain names and registrants from abusing Directi’s services.

Registrar Abuse

• This brings the totals to 180,745 domains suspended since August 2008 and 527,000 domains with domain registrant anonymity (Privacy Protect) removed.

• Over 50,000 domain names have been suspended that were either involved in abusive activity or registered by customers/registrants exhibiting persistent patterns of abuse.

• These domain names (and/or their registrants) were involved in various types of abuse, such as rogue pharma, spamming, phishing/spoofing, malware perpetration, child pornography, financial frauds and falsified ‘Whois’ information.

• All other services utilized by any of these domain names have also been revoked.

• Of particular note is the suspension of a further 103 domains purveying child pornography the majority of which were apparently registered via Regname org and Buy-Cheap-Domain info (see notes below).

• Over the past three months, certain resellers have been identified who have been the destination of choice for bad actors; among these are Vivids Media GMBH, Klikdomains, MyNick.name, and Webst.ru. Approximately 125,000 domain names registered through these resellers have been suspended so far.


Discussion

One advantage of this exercise has been the development of active communication channels between us and the community. We've been able to refresh contacts with organizations e.g. Knujon, CastleCops, Spamhaus, McAfee, and Artists Against 419, among others, sharing intelligence on abuse activity.

In scouring for more such cases, however, every emphasis is placed on avoiding false positives. All domains were suspended only following abuse complaints and exhaustive analysis. With this in mind, and with a view to net neutrality, all actions are based on the ACM (Association for Computing Machinery) Code of Ethics, e.g. 1.2 Avoid harm to others.

An active list of directly suspended domains is available for download from HostExploit.com.
We welcome any concerns or reports related to the abuse of Directi’s registry services; forward them to abuse(at)directi.com or admin(at)hostexploit.com.

Child Pornography - Researchers note:

We at HostExploit encourage community awareness, investigation and exposure of cyber crime. It is important to stress that in virtually all jurisdictions, US, UK, and internationally, it is against the law to download content from, possess content from, or in some cases even attempt to visit websites containing child pornography. Such work can only be carried out by law enforcement or under the direct authorization of law enforcement. No actual visits have been made to any such website by researchers associated with this report or HostExploit; determining whether a website falls within this category is done only via law enforcement or governmentally authorized child protection agencies. Any reader or researcher who believes they have knowledge of such a website or online service should contact their local agency. For community purposes, HostExploit has an informational area for ‘Reporting Cyber Crime’ and, in this case, for reporting ‘Illegal Content’.

Child Pornography on the Internet, Background:

US -Since its establishment in March 1998, the CyberTipline of the US based National Center for Missing & Exploited Children (NCMEC) has received more than 628,680 reports involving the possession, manufacture, and distribution of child pornography, the online enticement of children for sex acts, child prostitution, child sex-tourism, child molestation (not in the family), unsolicited obscene material sent to a child, and misleading domain names.


UK - IWF is the UK’s internet ‘Hotline’ for the public and IT professionals to report potentially illegal online content within its remit. IWF works in partnership with the online industry, law enforcement, government, the education sector, charities, international partners and the public to minimize the availability of this content, specifically child sexual abuse content hosted anywhere in the world and criminally obscene and incitement to racial hatred content hosted in the UK.


Worldwide - INHOPE is the International Association of Internet Hotlines and was founded in 1999 under the EC Safer Internet Action Plan, http://www.europa.eu.int/iap . INHOPE represents Internet Hotlines all over the world, supporting them in their aim to respond to reports of illegal content and make the Internet safer.

2008-10-11

Actions against registry services abuse – Report Oct 2008 - HostExploit and Directi

Jart Armin of HostExploit.com & Bhavin Turakhia, CEO of Directi are pleased to jointly report on the outcome of community actions against abuse of Directi’s domain registry and PrivacyProtect.








The figures above review the actions that Directi, in conjunction with HostExploit, has recently taken to track down and stop abusive domain names and registrants from abusing Directi’s services.

Registrar Abuse

  • Over 50,000 domain names have been suspended that were either involved in abusive activity or registered by customers/registrants exhibiting persistent patterns of abuse.
  • These domain names (and/or their registrants) were involved in various types of abuse, such as spamming, phishing/spoofing, malware perpetration, suspected pedopornography, financial frauds and falsified ‘Whois’ information.
  • All other services utilized by any of these domain names have also been revoked.
  • Over the past three months, certain resellers have been identified who have been the destination of choice for bad actors; among these are Vivids Media GMBH, Klikdomains, MyNick.name, and Webst.ru. Approximately 125,000 domain names registered through these resellers have been suspended so far.

PrivacyProtect

  • A large incentive for bad actors to use Directi’s services has been PrivacyProtect.org. This service has been disabled for over 27,000 abusive domain names.
  • The service has been permanently disabled for all existing and new registrations through resellers/registrars that have seen high volumes of abusive registrations, notably the ones mentioned above and Estdomains. This has amounted to approximately 500,000 domain names having privacy protection canceled.

Analysis

While suspending domain names on receiving complaints about their involvement in abuse, Directi, in reviewing the complaints over the past few months (even before the ‘Atrivo - Cyber Crime USA’ report), found certain trends, which HostExploit is pleased to report:

  • Domain names registered with the same/similar contact information (name, address patterns)
  • Bulk registrations of domain names with a slight variation in the domain name e.g. 018xyz.com, 018xyza.com, 018xyzb.com, 018xyzc.com …. by abusive registrants/customers
  • Same blacklisted name servers being repeatedly utilized.
  • Registrations in the same customer account involved in various forms of abuse
  • Based on these, we reviewed all domain names, first in the customer's account, then in the reseller's account and then across the databases. Based on these similarities, 35,000 domain names were identified and have been labeled as co-network.
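The four linkage signals in the list above are what a registrar abuse desk would turn into an automated pre-screen before a human reviews an account. The following is an added example, not Directi's or HostExploit's code: it clusters a set of constructed registration records into co-networks with a union-find over those signals (normalized contact details, a shared customer account, a shared blacklisted name server, and labels that differ from an existing label by one trailing character, as in the 018xyz/018xyza/018xyzb pattern). The record layout, the name-server blacklist, the normalization rules and the sample records are all assumptions made for the illustration.

```python
"""Cluster domain registrations into 'co-networks' from the linkage
signals a registrar abuse desk sees: same/similar contact data, bulk
near-identical names, shared blacklisted name servers, shared account.
Added example; record format, blacklist and sample data are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    domain: str
    account: str          # registrar customer account id
    registrant: str       # Whois registrant name
    address: str          # Whois registrant address
    nameservers: tuple    # NS records at registration time


# Constructed blacklist of name servers (hypothetical hostnames).
BLACKLISTED_NS = {"ns1.badflux.example", "ns2.badflux.example"}

# Constructed sample records mirroring the patterns in the report.
SAMPLE = [
    Registration("018xyz.com", "acct-17", "John Smith", "1 Main St, Anytown", ("ns1.badflux.example",)),
    Registration("018xyza.com", "acct-17", "John Smith", "1 Main St, Anytown", ("ns1.badflux.example",)),
    Registration("018xyzb.com", "acct-42", "J. Smith", "1 Main Street, Anytown", ("ns2.badflux.example",)),
    Registration("cheap-meds-now.com", "acct-42", "Ivan Petrov", "Bldg 5, Moscow", ("ns2.badflux.example",)),
    Registration("familyphotos.org", "acct-99", "Mary Jones", "9 Oak Ave, Elsewhere", ("ns1.legit.example",)),
]


def normalize_contact(name: str, address: str) -> tuple:
    """Crude normalization so trivially varied Whois data collides
    ('1 Main Street' vs '1 Main St'); production systems use fuzzier matching."""
    def clean(s: str) -> str:
        s = s.lower()
        s = re.sub(r"\bstreet\b", "st", s)
        s = re.sub(r"[^a-z0-9 ]", " ", s)
        return " ".join(s.split())
    return (clean(name), clean(address))


class DisjointSet:
    """Union-find with path halving; keys are domain names."""
    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def co_network_clusters(records, blacklisted_ns=BLACKLISTED_NS):
    """Return (clusters, reasons). clusters: frozensets of domains, largest
    first. reasons: (domain_a, domain_b, signal) edges that joined them."""
    ds = DisjointSet([r.domain for r in records])
    reasons = []

    def link(groups, signal):
        for members in groups.values():
            for other in members[1:]:
                ds.union(members[0], other)
                reasons.append((members[0], other, signal))

    by_contact, by_account, by_ns, by_label = (defaultdict(list) for _ in range(4))
    for r in records:
        by_contact[normalize_contact(r.registrant, r.address)].append(r.domain)
        by_account[r.account].append(r.domain)
        for ns in r.nameservers:
            if ns.lower() in blacklisted_ns:        # only known-bad NS, never shared legit NS
                by_ns[ns.lower()].append(r.domain)
        by_label[r.domain.split(".", 1)[0].lower()].append(r.domain)

    link(by_contact, "contact")
    link(by_account, "account")
    link(by_ns, "blacklisted_ns")
    link(by_label, "name_pattern")                   # same label under another TLD
    for label, domains in by_label.items():          # 018xyza -> 018xyz, 018xyzb -> 018xyz
        base = label[:-1]
        if len(base) >= 3 and base in by_label:
            ds.union(by_label[base][0], domains[0])
            reasons.append((by_label[base][0], domains[0], "name_pattern"))

    groups = defaultdict(set)
    for r in records:
        groups[ds.find(r.domain)].add(r.domain)
    clusters = sorted((frozenset(g) for g in groups.values()), key=lambda c: (-len(c), min(c)))
    return clusters, reasons


def flag_co_network(records, blacklisted_ns=BLACKLISTED_NS, min_size=2):
    """Domains that land in a cluster of at least min_size members; these are
    the candidates for account-level review, not automatic suspension."""
    clusters, _ = co_network_clusters(records, blacklisted_ns)
    return {d for c in clusters if len(c) >= min_size for d in c}


if __name__ == "__main__":
    for cluster in co_network_clusters(SAMPLE)[0]:
        print(sorted(cluster))
```

Note that a cluster is a reason to pull the whole account and reseller into review, as the report describes, not grounds for suspension on its own; the false-positive concern below is exactly why the blacklisted-NS rule deliberately ignores shared legitimate name servers.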

Discussion

Directi’s strengthened abuse team continues to review complaints and revoke privacy protection for abusive domain names, while also forwarding each complaint to the Registrars for whom Directi provides software and other services so that they can take action. Where reports of abuse emerge from security community blogs or forums, Directi is now proactively searching for such comments and investigating any issue that may involve Directi or a reseller.

One advantage of this exercise has been the development of active communication channels between us and the community. We've been able to refresh contacts with organizations e.g. StopBadware, Knujon, CastleCops, Spamhaus, and Artists Against 419, among others, sharing intelligence on abuse activity.

In scouring for more such cases, however, every emphasis is placed on avoiding false positives. With this in mind, and with a view to net neutrality, all actions are based on the ACM (Association for Computing Machinery) Code of Ethics,
http://www.acm.org/about/code-of-ethics e.g.

1.2 Avoid harm to others.

"Harm" means injury or negative consequences, such as undesirable loss of information, loss of property, property damage, or unwanted environmental impacts. This principle prohibits use of computing technology in ways that result in harm to any of the following: Internet users, and the general public.


An active list of directly suspended domains is available for download from HostExploit.com

HostExploit and Directi have agreed to maintain their cooperative collaboration to clamp down on spam and other forms of abuse on the Internet as rapidly as possible. HostExploit confirms that they are pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that may be using Directi's services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis.

We welcome any concerns or reports related to the abuse of Directi’s registry services; forward them to abuse(at)directi.com or admin(at)hostexploit.com

Together with the community we hope to continue taking steps to make the Internet a better and safer place.

2008-09-07

Joint statement from Directi, HostExploit and Knujon

In light of recent developments, Jart Armin of HostExploit.com, Bhavin Turakhia, CEO of Directi, and Garth Bruen of Knujon have had an open dialogue and mutually agreed to release this joint statement clearing up any previous misconceptions and reaffirming their common goal to combat abuse on the Internet. Here are a few of the points they would like to jointly make -

* Directi, HostExploit, Knujon recognize and confirm that they share the common goal of continuing to combat spam and abuse on the Internet through cooperation, collaboration and proactive action. In conversation yesterday, Directi, HostExploit and Knujon agreed to publish this statement to clarify any misconceptions and affirm their mutual commitment to work closely to combat abuse.

* Directi clarified to HostExploit that, LogicBoxes (a Directi business) is not hosting any of Atrivo's websites. Atrivo runs its web infrastructure under the name of Hostfresh.com which is not affiliated with Directi in any manner.

* Directi also confirmed that ESTDomains is not a Directi company, and Directi does not control the actions or clients of ESTDomains, a fact that HostExploit was already aware of.

* HostExploit confirms that its report was not meant to allege that LogicBoxes is directly sponsoring Internet abuse, rather its report was meant, in good faith, only to provide relevant parties with all information and data which can be used to clean up websites that were violating principles of ethical behavior. HostExploit hopes that other Internet news sites which may have taken the data in the HostExploit report out of context in assuming that LogicBoxes is directly affiliated with Atrivo rectify this misconception. Directi confirms that LogicBoxes is simply a software provider to various ICANN Accredited Registrars, and its only role was providing software for domain registration and DNS management.

* HostExploit and Knujon did share with Directi a separate list of additional web sites known for badware that belong to Atrivo, enabling Directi's abuse team to swiftly suspend them. Directi, HostExploit and Knujon intend to continue this information exchange to speedily resolve abuse issues, and to further demonstrate transparency the community can contact either Directi and/or HostExploit to ensure action is taken.

* Directi has clarified that privacyprotect.org is merely a privacy protection service used by many of Directi's legitimate clients, not unlike the privacy protection services offered by other Registrars. Directi further confirmed that privacy protection had already been disabled on a large percentage of Atrivo's domain names over a month ago. Since Directi offers privacy protection free of cost, there are miscreants who use it to cloak their malicious activities. However Directi reaffirmed that its abuse team will suspend privacy protection on any domain for which they receive a genuine complaint in less than 24 hours. In fact a few months ago, based on reports and data obtained from the antispam community, Directi ceased to offer its privacy protection services to all customers of ESTDomains and to tens of thousands of other domains obtained through the community. Currently over half a million genuine customers of Directi use privacy protection services to prevent their whois data from being harvested.

* Directi affirms they are in no way supporting illicit online pharmacies. KnujOn has sent a list of newly populated fake pharmacy domains that Directi suspended. Directi and KnujOn now jointly call on the Internet community, private industry, and government to help develop policy and methods to put a stop to the fake pharmacy menace since Registrars cannot do this alone.

* Knujon acknowledges that the 48 Registrars that it thought were phantom are actually in existence as Delaware incorporated legitimate companies with a valid ICANN Accreditation and accurate contact information. Knujon's confusion stemmed from the fact that ICANN does not require these companies to publicly report their incorporation details.

* Directi and HostExploit have discussed further ways to enhance their cooperative collaboration to clamp down on spam and other forms of abuse on the Internet as rapidly as possible. Directi acknowledges and applauds HostExploit's continuous efforts in tracking down miscreants. HostExploit and Knujon confirm that they are pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that may be using Directi's services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis.

Together with the community we hope to continue taking steps to make the Internet a better and safer place.

2008-09-06

ATRIVO – Cyber Crime USA Report - Update 090608 a

We demonstrated a limited number of examples of badware websites for which Directi was providing some form of Internet connectivity, with data confirmed on Sept 04 08 and from historical third party sources. Below we show the welcome results of actions taken by Directi as of Saturday 090608.


xpantivirussecurity.com – rogue anti-virus – connectivity by Atrivo and Directi (OpticalJungle); registrar Directi (PublicDomainRegistry); registrant data obviously false (March 08, courtesy Sunbelt Software)
Graphics of Internet connectivity 9/4/08

Graphics of Internet connectivity Sat 9/6/08


Loads.cc – botnet and DDoS-for-hire service – connectivity by Directi (OpticalJungle); registrar Directi (PublicDomainRegistry); registrant data obviously false (cited Nov 2007)

Graphics of Internet connectivity 9/4/08

Graphics of Internet connectivity Sat 9/6/08

No Internet Connectivity!



Comment:


“That's one small step for Directi, one giant leap for a safer Internet”.



On behalf of the online community we thank Bhavin Turakhia, CEO, and Directi for their prompt actions in response to our findings. These examples are perhaps only small in comparison to the overall problem we face, but they are still significant victories in the fight against cyber crime and for the head-on approach of HostExploit's 'Atrivo - Cyber Crime USA' report.


We all hope this leads to even greater action and security focus by the Hosting and Registrar community.





Jart Armin

HostExploit.com

2008-08-28

Report Slams U.S. Host as Major Source of Badware

In a new study entitled "Atrivo - Cyber Crime USA", the authors have extensively tracked and documented ongoing cyber criminal activity from within the Internet servers controlled by the California-based Atrivo, and other associated entities. Atrivo is one of the Internet's Autonomous Systems and controls a large number of IP addresses, which web sites must use to reach consumers.

Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, this first-of-its-kind Open Source Security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. Although fully self contained, this study is the first of a series of reports: on a monthly basis there will be a follow-up reporting on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and hopefully efforts to stop them.

In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus, and many others. What emerges is a picture of a front for ruthless cyber criminals, who have specifically targeted consumers in the United States and elsewhere. The study provides hard data regarding specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure, organizational modeling, and cites Atrivo's collusive failure to respond to abuse complaints from 2004 to the present. The study includes three dimensional charts, diagrams, and a YouTube video which make it easy to grasp the statistics or processes discussed.

Document available for download from hostexploit.com


Video of the Exploitation of a PC User - YouTube


2008-04-17

The Top 25 World's Exploit Hosts and Servers - Issue 1: The Base

The Top 25 World's Exploit Hosts and Servers deals with a holistic problem that requires a holistic solution; HostExploit.com will attempt to be part of that solution.



The DNS (Domain Name System) is increasingly being subverted by the now widespread automated generation of domains, in the 100’s to 1,000’s per week, by the exploiters. Combine this with armies of virtually untraceable P2P (Peer to Peer) directed botnets and with polymorphic viruses and malware that evade detection, and it may appear increasingly difficult for the community even to block such threats, let alone reduce them. This touches the whole area of Internet security and network security.


Table 1. - The Top25 World's Exploit Hosts and Servers




However, the route we take here is controversial and hitherto a taboo subject: the hosts, registrars, and servers themselves. Whether it is spam, exploits, malware, spyware or even botnet control, the domains are registered and the web sites are hosted or served by some organization, i.e. the 'web host', which operates under an AS number (Autonomous System Number) allocated through the regional Internet registries under IANA/ICANN. To commence, we begin by exposing the 'Top 25 World's Exploit Hosts and Servers'; these alone serve and provide an estimated 80%+ of all the bad stuff on the Internet, infect good servers and good websites, and overall are a scourge to the average Internet user.



Why controversial or taboo?


- It is complex - Yes it is; however, through already many man-years of detailed research and even more community references, we will partition it into manageable chunks. So we will add downloadable lists, rules, block information, and educational explanation where possible, commencing as we do here with a top-down 'peeling the onion' approach.


- It involves big money, in most cases many $millions - As we unfold this subject we will provide focused details on a particular 'Exploiting Host' with the economics involved, where possible. It is our view that an organization making a great deal of money while exploiting or spamming the average user, whether an 'intentional exploiter' e.g. Atrivo or one that has 'allowed itself to be highly infected' e.g. The Planet, is not thereby excluded from exposure.


- Many innocent or grey web sites may suffer due to the few - this will undoubtedly be the case. A major technique for the exploiters is to hide the needle in the haystack; however, we and most Internet users would argue this is not our problem. It is the problem for the host or server: if they are legitimate they will, or should, move heaven and earth to clean up their act for the benefit of the legitimate webmasters, and more importantly the . For the innocent webmasters, why are you still hosting your web site with these hosts and servers anyway?



In the final analysis this is about choice: choice for the average PC user to reduce the threat of being exploited; for the ISP (Internet Service Provider) to assist in 'prevention' for their users; and for the hosts, servers, and DNS registrars to not just take an anonymous client and a probably stolen credit card. Authorities such as ICANN are well aware of this increasing problem; perhaps this helps create the groundswell for them to act on behalf of the 99% of Internet users.



Useful Article Links:



Article Downloads - Top 25 csv, IP block lists


SecureWorks - Top Spam Botnets


ICANN - Advisory on Fast Flux Hosting and DNS


DNS Education - How Domain Servers Work




2008-03-24

HostExploit - What? Why? Who?

HostExploit – ‘A call to arms’- Why another Internet security blog and more ‘black hole’ lists? - It's the HOSTS!

It has become increasingly apparent that the malware, spam, phishing and other BadWare distributors are now engaged in automated domain generation, 100’s to 1,000’s per week, which is proving a serious difficulty for the major domain / IP ‘blocklist’ and ‘blacklist’ providers simply to keep up with.

Added to this we now have: iFrame attacks via web portals; several major international web hosts with 1,000’s of their innocent, paying clients having had their web sites hacked and made infectious to web surfers; DDoS (distributed denial of service); polymorphic malware that many anti-virus / spyware / malware solutions are unable to detect; and millions of PC users being directed to rogue and fake web sites.

Finally we have the rise of the Botnets: anonymously managed, fast-flux and double-flux (ever changing IP addresses) control of 1,000’s of infected zombie PCs.


We now believe the general situation on the Internet calls for an alternative and added open source approach to deal with this head on, i.e. the web hosts and Internet carriers. Every one of the IP’s, web sites or domains are hosted or carried by someone, we feel it is time to break the taboo and name, list and expose the ones that host the malware that infects us all. This approach is not to replace existing methods, but we hope it will add to the security community’s and PC user’s array of possible tools to reduce the threat.


HostExploit – Who? This blog and associated list(s) is edited by Jart Armin and James McQuaid, however the research is provided by a wider volunteer group, some of whom would rather remain anonymous, due to their other professional Internet activities. All those involved are web professionals within; web hosting, server management, DNS (Domain Name System), Internet security, and IDS (Intrusion Detection Systems).


HostExploit – Who is this for?
You, i.e. any PC user, webmaster, ISP (Internet Service Provider) or web host, who wants to reduce the threat of infection or exploitation. Where necessary or possible all topics and articles will contain added information to illuminate and educate.


HostExploit – What to expect?

• Bad Host Lists – these will be in several formats for users to apply for themselves or distribute freely. These lists will initially focus on the (b) and (c) categories (see below) and can be used to black hole, block or just for general awareness.


• Specific bad host exposures – On a regular basis there will be articles exposing a specific host and providing detailed and where possible quantification with a historical background.

• Bad Host categorization – whether the issue sits with the host or the AS (autonomous system) comes down to a certain level of semantics and an initially crude differentiation – so we will commence with an ‘a b c’ method:

(a) Hosts / Servers / AS of 'infected sites' = - i.e. infected or hacked sites / domains which have bad exploit code, infected iFrame, SQL injections, XSS exploits, etc. to exploit visitors.

(b) Hosts / Servers / AS of 'user infector sites' = i.e. where the malware and rogues are located and more often than not, users are directed to from infections on sites within (a)

(c) Hosts / Servers / AS of 'user receptor sites' = the ultimately very bad, including the so-called "bullet proof servers" masked by the botnets, which receive, trade, and pay affiliates for warez, etc.; from (b) they receive stolen IDs, credit cards and bank phishing info, and they pay the partners and affiliates of (a) to infect the web sites. Also used for DDoS Botnet C&C (command and control) actions.


HostExploit - To Inform and educate – Articles that attempt to help explain the processes and terminology involved.


HostExploit – Want to help or have your say?
This is an open source ‘non-profit’ volunteer group and we welcome help, input or feedback. However for security reasons there is no allowance for onsite comments so email HostExploit (at) gmail.com.

It is likely input would be within the following:


• To keep informed or pass on the information? – sign up for a ‘Feedburner’ feed and then you will be informed about new articles. Feel free to pass on articles and the list(s), publish in your blog or magazine or newspaper, under a ‘Creative Commons License’, obviously it is courteous to show hostexploit.com as a reference.


• Have information we may have missed or a new exposure? – email us.

• Web Host / Server / AS, and feel any information or inclusion within the list(s) is in error? – Please email us and say where we are wrong, our objective is to reduce such a list and we will be delighted to explain the error or demonstrate you have cleaned up your act.