Bad, bad, cybercrime-friendly ISPs!

Summary: In a post-McColo, post-Atrivo and post-EstDomains cybercrime ecosystem, the researchers at FireEye have recently launched a "Bad Actors series" aiming to put the spotlight on some of the currently active badware actors online. The sampled ISPs represent safe havens for drop zones for banker malware, DNSChanger malware, rogue security software and live exploit URLs.


From Starline Web Services to ZlKon, Internet Path/Cernel, HostFresh and UralNet, the series draws a simple conclusion: dysfunctional abuse departments can indeed act as a driving factor for the growth of cybercrime.

The main objective of a dysfunctional abuse department is to deliberately delay the review and takedown process for the domain or customer in question, thereby increasing the average time a campaign remains online. That is exactly what most of these ISPs are involved in, charging premium prices while ignoring community requests to shut down the malicious campaign in question.

Interestingly, what we're witnessing for the time being is a mixed abuse of both legitimate infrastructure and purely malicious infrastructure. For instance, the bad actors that FireEye is profiling receive traffic coming from abused legitimate infrastructure, such as the latest malware campaigns on Digg, Google Video and YouTube. Moreover, we cannot talk about cybercrime-friendly ISPs without mentioning the domain registrars of choice for the majority of cybercriminals, which KnujOn keeps profiling. Their February 2009 Registrar Report states that 10 registrars are responsible for 83% of the fraudulent sites they've analyzed, with the Chinese registrar XIN NET topping the chart for a second time.

With new cybercrime-friendly ISPs popping up on the radar, consider keeping an eye on the upcoming additions to the bad actors series.

Image courtesy of Google's Postini 2008 Spam Report in a post-McColo Internet.


About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community.
