Enemy Within

When considering our preparedness (or lack of it) for cyber warfare or fighting cyber criminals, an old African quotation comes to mind: "When there is no enemy within, the enemies outside cannot hurt you."

At first thought, the concept of an enemy within might call to mind the Federal Trade Commission halting the scareware schemes, in which e-marketeers falsely claimed their scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The FTC estimated more than 1 million consumers were duped into buying needless products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, at $40 per install. Yes, a cool $40 million from such a scam based on ineffective products.

The enemy within, though, is actually more insidious than that. According to an alarming annual security report from Cisco Systems Inc. (Nasdaq: CSCO), there was a 90 percent growth rate in threats originating from legitimate domains, nearly double what the company saw in 2007.

In addition, vulnerabilities in virtualization products nearly tripled to 103 in 2008 from 35 in 2007, as more organizations embraced virtualization to save money and increase productivity. The technology basically lets one computer do the job of many, by sharing the resources of a single computer across multiple environments. More importantly, those same virtual environments can be set up for Web serving and data transit.

HostExploit was able to determine the problem with McColo by penetrating its virtual environment and exposing it for the business it actually was. This evil network was run from Moscow by cyber criminals; however, it was fully maintained within a data center in Southern California. In similar fashion, recent attacks on Georgia were launched from Plano, Texas, controlled by a Russian group apparently based in London.

The enemy within we should all be most concerned with are these colocation centers. Most would be surprised to learn one particular Russian network operator has three virtual hubs in the U.S.: Ashburn, Va.; New York; and Los Angeles. This may sound worse than it is -- U.S. operators have hubs and nodes in Moscow; this is just the way of the Web Wide World, and allows us to speed the flow or maintain virtualized Web serving across the globe.

What is disturbing is this particular Russian network operator is RETN, also formerly known as Eltel, a very dirty Russian network infamous for hosting spammers and malware. RETN/Eltel will be reactivating the McColo IPs anytime now, allowing the botnets to contact their masters and the spam to flow again, according to Spamhaus.

In this virtual network operator jigsaw puzzle, consider the potential enemy within. In this unregulated and open market, anyone with a credit card (like RETN) can rent rack space or even simply ship in a server, right next to equipment from Global Crossing, Level 3, Hurricane Electric, and many others, foreign and domestic. And that's all that's needed to launch a botnet-controlled attack for cyber warfare or cyber criminal purposes from St. Petersburg, Beijing, or Islamabad. Except that it's happening within U.S. cyber space.

Within a very short period, these virtual thugs can send billions of spam messages, distribute malware, or, as the hackers did earlier this year, access White House emails. Add to this the ability to use anonymous proxy networks via botnet C&C (command and control), and they can make themselves look as if they're from the U.S., China, or whatever virtual destination they choose.

Before anyone jumps up to call this an infringement on Internet freedom or net neutrality: if there was ever a serious case for necessary government regulation and watchfulness, this is it. These are commercial, criminal concerns operating strategically important communication data and colocation centers; tighter controls would have no effect on individual Net surfing or Web hosting. What more oversight and control would do is create a less welcoming place to harbor the enemy within.

Internet Evolution


EstDomains Active Domain List and Registrar Abuse

Estdomains Active Domain List

The list, as of December 1st, 2008, and as now maintained by Directi, is now available in searchable form on HostExploit.com.

The total of 272,488 active domains is provided as a community service; any research or abuse comments on these domains are welcome at abuse(at)directi.com or estlist(at)hostexploit.com. Any suspected illegal or child pornography content should be reported directly to the IWF.

The images shown continue the review of the actions that Directi, in conjunction with HostExploit, has recently taken to track down and stop abusive domain names and registrants from abusing Directi's services.

Registrar Abuse

• This brings the total to 180,745 domains suspended since August 2008 and 527,000 domains stripped of domain registrant anonymity (Privacy Protect).

• Over 50,000 domain names have been suspended that were either involved in abusive activity or registered by customers/registrants exhibiting persistent patterns of abuse.

• These domain names (and/or their registrants) were involved in various types of abuse, such as rogue pharma, spamming, phishing/spoofing, malware perpetration, child pornography, financial frauds and falsified ‘Whois’ information.

• All other services utilized by any of these domain names have also been revoked.

• Of particular note is the suspension of a further 103 domains purveying child pornography, the majority of which were apparently registered via Regname org and Buy-Cheap-Domain info (see notes below).

• Over the past three months, certain resellers have been identified who have been the destination of choice for bad actors; among these are Vivids Media GMBH, Klikdomains, MyNick.name, and Webst.ru. Approximately 125,000 domain names registered through these resellers have been suspended so far.


One advantage of this exercise has been the development of active communication channels between us and the community. We've been able to refresh contacts with organizations such as Knujon, CastleCops, Spamhaus, McAfee, and Artists Against 419, among others, sharing intelligence on abuse activity.

In scouring for more such cases, however, every emphasis is placed on avoiding false positives. All domains were suspended only following abuse complaints and exhaustive analysis. With this in mind, and with a view to net neutrality, all actions are based upon ACM (Association for Computing Machinery) principles, e.g. 1.2, "Avoid harm to others."

An active list of directly suspended domains is available for download from HostExploit.com.
We welcome any concerns or reports related to the abuse of Directi's registry services; please forward them to abuse(at)directi.com or admin(at)hostexploit.com.

Child Pornography - Researchers note:

We at HostExploit encourage community awareness, investigation and exposure of cyber crime. It is important to stress that in virtually all jurisdictions, US, UK, and internationally, it is against the law to download, possess, or in some cases even attempt to visit websites containing child pornography. Such investigation can only be carried out by law enforcement or under the direct authorization of law enforcement. No actual visits have been made to any such website by researchers associated with this report or HostExploit. Determining whether a website falls within this category is done via law enforcement or governmentally authorized child protection agencies. Any reader or researcher who believes they have knowledge of such a website or online service should contact their local agency. For community purposes, HostExploit has an informational area for "Reporting Cyber Crime" and, in this case, for reporting "Illegal Content".

Child Pornography on the Internet, Background:

US - Since its establishment in March 1998, the CyberTipline of the US-based National Center for Missing & Exploited Children (NCMEC) has received more than 628,680 reports involving the possession, manufacture, and distribution of child pornography, the online enticement of children for sex acts, child prostitution, child sex-tourism, child molestation (not in the family), unsolicited obscene material sent to a child, and misleading domain names.

UK - The IWF is the UK's internet "Hotline" for the public and IT professionals to report potentially illegal online content within its remit. The IWF works in partnership with the online industry, law enforcement, government, the education sector, charities, international partners and the public to minimize the availability of this content, specifically child sexual abuse content hosted anywhere in the world, and criminally obscene content and incitement to racial hatred content hosted in the UK.

Worldwide - INHOPE is the International Association of Internet Hotlines and was founded in 1999 under the EC Safer Internet Action Plan (http://www.europa.eu.int/iap). INHOPE represents Internet Hotlines all over the world, supporting them in their aim to respond to reports of illegal content to make the Internet safer.