Bad, bad, cybercrime-friendly ISPs!

Summary: In a post-McColo, post-Atrivo and post-EstDomains cybercrime ecosystem, the researchers at FireEye have recently launched a "Bad Actors series" aiming to put the spotlight on some of the currently active badware actors online. The sampled ISPs represent safe havens for drop zones for banker malware, DNSChanger malware, rogue security software and live exploit URLs.

From Starline Web Services, to ZlKon, Internet Path/Cernel, HostFresh and UralNet, the series draws a simple conclusion: a dysfunctional abuse department can indeed act as a driving factor for the growth of cybercrime.

The main objective of a dysfunctional abuse department is to purposely delay the review and take-down process of the domain/customer in question, thereby increasing the average time the campaign remains online. That is exactly what most of these ISPs are involved in, while charging premium prices in the process of ignoring community requests to shut down the malicious campaign in question.

Interestingly, what we're witnessing for the time being is a mixed abuse of both legitimate infrastructure and purely malicious infrastructure. For instance, the bad actors that FireEye is profiling will receive traffic coming from abused legitimate infrastructure, such as the latest malware campaigns on Digg, Google Video and YouTube. Moreover, we cannot talk about cybercrime-friendly ISPs without mentioning the domain registrars of choice for the majority of cybercriminals, which KnujOn keeps profiling. Their February 2009 Registrar Report states that 10 registrars are responsible for 83% of the fraudulent sites that they've analyzed, with the Chinese registrar XIN NET topping the chart for a second time.

With new cybercrime-friendly ISPs popping up on the radar, consider keeping an eye on the upcoming additions to the bad actors series.

Image courtesy of Google's Postini 2008 Spam Report in a post-McColo Internet.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

13 comments
  • Why easy obvious

    solutions are never used.

    Cut the crooked ISPs from the net until they have cleaned up their act. (But since they are clearly criminal in nature, an instant lifetime ban will do.)

    If an ISP hosts a malicious website/file and does not remove it right away after being notified, that ISP should be terminated instantly.
    Mectron
    • Ok, that's a rather great idea

      But how do you manage it outside the USA? Let's see:
      China, Russia, most Balkan nations that are not in the EU, Palestine, most Central American countries. My favorite for that discussion: Sweden, Norway. Should I stop there.... or you get the point.

      Piracy is there to stay; if you cut P2P they will find other ways, create encrypted files to the Nth limit. Whatever you try, they will find a way....

      Has drug selling stopped? No.
      Has prostitution stopped? No.
      Will piracy stop? Never.......

      Until Sweden changes its laws, don't hold your breath. You'll turn blue.

      Even more: until they find a way to make every country in the world obey.... (I wanna see that happen with China.....) piracy will live for a very long time.
      Quebec-french
      • Easy

        If everyone pushes null BGP routes for them, no problem, they'll drop off the net.
        rpmyers1
      • This was never about P2P

        It is about cyber-criminals with phishing operations, and websites/FTP sites that harbor malware. Nothing to do with P2P; P2P is not illegal.

        This is about cyber-criminals who plant poisoned websites on the net. Nothing to do with P2P download sites.
        Mectron
        • damn, you have tried hard on that one man wow

          You do speak French for real; a few mistakes here and there, a few typos, but man, your French is good, you should be proud of yourself. Me, it's what, my second, third language.... Surprising. Come down to Montreal, we'll have a few cold ones :)

          But my main idea: I have put everything under the word Piracy... malware, viruses, illegal activity and all such.... Like I said, in the USA or Canada or Britain or the EU, try it in China.....

          Thanks for your French and the debate
          Quebec-french
  • Somewhere on those two wires---

    It shouldn't be that hard to stop hackers.
    BALTHOR
  • RE: Bad, bad, cybercrime-friendly ISPs!

    But also Hosting Company...
    I recently warned IXwebhosting that one of their users was collecting account details, such as FTP or SQL passwords, easily accessible over the internet.

    Could they admit that their servers are not secure?
    koomo
    • Simple

      Cut IXWebhosting (it is pure crap anyway) from the net until they boot the user.
      Mectron
      • Your solution is too simplistic...

        Do you think every single customer of IXWebhosting is a SPAMMER/Phisher/Malware host? I'm thinking they're not. So, they have one bad customer and they should be banned from the net and what about all their innocent customers? They should be cut off from the net as well and lose much valuable business because their ISP didn't act quickly enough? How would you like to call your ISP with a connection problem and have them say "Oh, we had a bad customer, so our provider cut us off"?
        MGP2
        • The problem isn't "a"

          Most ISPs that have problems have them for a long time. Fixing something in a week? Yeah, that might be pushing it. The same problem for months and years with hundreds of reports? Not so much.
          rpmyers1
  • RE: Bad, bad, cybercrime-friendly ISPs!

    If peoples use Linux or Ubuntu all much more better. all things no problems. Stopping to use bad windows or anys microsofts produce as causing much problems. If all stop using microsofts stuffs than whole world be jouyfulls happiest places.
    Col Mustard
  • RE: Bad, bad, cybercrime-friendly ISPs!

    Cut them off. You know their IP address blocks so it's easy.

    If your provider doesn't want to cut them off, you cut them off. You know their IP address blocks.

    Somebody must have an off-the-shelf solution.
    Dr.C
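One local way to act on the "cut them off by their IP blocks" idea in this comment and on the earlier null-route suggestion, as an added example that is not code from the article or from any commenter: it parses a small prefix blocklist, merges overlapping or adjacent prefixes, answers whether a given address falls under a listed ISP, and emits Linux iproute2 blackhole routes. The ISP labels and prefixes are constructed placeholders from the documentation address ranges, not real allocations.

```python
# Added example, not code from the article or from any commenter: a small helper
# for locally null-routing prefixes you decide to cut off. All prefixes below are
# CONSTRUCTED placeholders (RFC 5737 / RFC 3849 documentation ranges), not real ISPs.
import ipaddress

SAMPLE_BLOCKLIST = """
example-isp-a    192.0.2.0/24
example-isp-a    192.0.2.0/25        # redundant, already covered by the /24
example-isp-b    198.51.100.0/24
example-isp-b    198.51.101.0/24     # adjacent, merges with the line above
example-isp-c    2001:db8:1::/48
"""

def parse_blocklist(text):
    """Return {label: [ip_network, ...]} from the two-column text above."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        label, prefix = line.split()
        out.setdefault(label, []).append(ipaddress.ip_network(prefix))
    return out

def collapse_prefixes(networks):
    """Merge overlapping and adjacent prefixes, one address family at a time."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def matching_label(ip, blocklist):
    """Label of the longest prefix containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    best = None
    for label, nets in blocklist.items():
        for net in nets:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (label, net)
    return best[0] if best else None

def null_route_commands(blocklist):
    """iproute2 blackhole commands (Linux) for the collapsed prefix set."""
    cmds = []
    for label, nets in blocklist.items():
        for net in collapse_prefixes(nets):
            family = "-6 " if net.version == 6 else ""
            cmds.append(f"ip {family}route add blackhole {net}  # {label}")
    return cmds
```

Feed the emitted commands to a router or Linux host you control; a real list would be maintained from your own abuse evidence, and a block on a whole ISP also hits that ISP's innocent customers, as the thread above notes.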