Saturday, September 13, 2008

Internet Landfills: Praise for Brian Krebs

Have you ever played Sim City? One of the problems a City Manager has to deal with is the disposal of waste. One possible solution to that problem is to create a landfill. The next problem is always where to put it, because your Sims will all complain and move away if you put it in their neighborhood. The same thing happens in real life. Google ("public meeting" and landfill) and you'll find tens of thousands of pages about meetings where citizens get together to complain about the landfill that either is, or has been proposed to be, near their homes.

At the Birmingham InfraGard meeting on September 9th, I shared a presentation called "The Beautification of Internet Landfills". It started out with a couple definitions:

Internet Landfill
A network, hosting site, or registrar which attracts an entirely unlikely percentage of criminal activity
Causing such landfills to reform their evil ways, or find themselves in legal trouble, or bandwidth impaired due to “public shunning”

The meeting dropped a challenge to the Birmingham InfraGard members to become part of the "Neighborhood Watch" for the Internet.

When you see Badness, as a Corporate Security Professional, what do you do?

  • (A) Protect your own systems from the Badness?
  • (B) Share what you've learned with others, so they can be protected too?
  • (C) Trace the Badness to its origins and attempt to shut it down?
  • (D) Report the Badness to an appropriate Law Enforcement Agency?

The answer should be (E) - All of the above.

If you don't know HOW, I told the InfraGard members, then let's share information together to LEARN how.

One of the best ways to see an example of this in action is to follow the SecurityFix column by Brian Krebs of the Washington Post, and to examine and emulate the work of the fine researchers and security companies that he mentions frequently there.

We've all read the stories about the Russian Business Network, and how they were hosting criminal content all the way back to 2004, primarily under the guise of "Too Coin Software". RBN has been documented as the host of hundreds of child pornography websites, the notorious "" advertising network, and other badness such as the UrSnif Trojan and the SetSlice exploit. As recently as April 2007, they were infecting visitors with spam-based exploits being pushed by our friends Naked Britney and Paris. After making a ridiculous claim to have relocated to Panama (despite still being fed by upstream provider SBT Telecom in St. Petersburg), RBN continued to host its badness until they were outed by a journalistic campaign of exposure.

While there were some great publications shining a light on RBN, the one that seemed to me to have the greatest impact was the October 13, 2007 piece in Brian Krebs' must-read column, SecurityFix.
"Shadowy Russian Firm Seen as Conduit for Cybercrime"
An Internet business based in St. Petersburg has become a world hub for Web sites devoted to child pornography, spamming, and identity theft, according to computer security experts...

Last week, Krebs declared that he was going on a campaign to unmask some other criminal organizations working openly and unafraid on the Internet.

Many people miss perhaps the best part of the first report, which was:

Report Slams US Host as Major Source of Badware

Following this report, the comments lit up like crazy, including, as we were shocked to see, Emil K., the owner of Intercage/Atrivo, who proclaimed his innocence, but also promised quick action on any criminal activity, and posted his ICQ number in case anyone had anything they wanted to report:

It was also interesting to see Konstantin Poltev rise to his defense in the comments, also proclaiming his own innocence, and providing his personal email address ( and promising to take quick action against any abuse on their site saying "We are going to perform a total clean-up, really total."

Another Intercage employee invited anyone who has problems for a tour of his data center, and reminded that you can email "" with abuse complaints, or "" or "" if you have suggestions to improve their business.

Some of his columns since then have included:
"Scammer-Heavy U.S. ISP Grows More Isolated", which reminded us that Atrivo is Bad, and showed how Atrivo's various Internet connectivity sources have been pulling the plug to avoid being associated with their evil.

"A Superlative Scam and Spam Site Registrar", which introduced the public to what security researchers have long known: criminals like to register domains with EstDomain, because they ignore abuse complaints and let the crime continue.

"EstDomains: A Sordid History and a Storied CEO", which called attention to the well-known criminal career of Vladimir Tsastsin, the CEO of EstDomains, and asked whether we should have a domain registrar who has done time for credit card fraud, document forgery, and money laundering.

"Fake Antispyware Purveyor Doubles as Domain Registrar", which focused on the practices of Klikdomains, aka Vivids Media GMBH, which has been behind many of the fake anti-virus and anti-spyware products. Because of Krebs' work, Directi Internet Solutions, in India, has changed their business practices, and will no longer allow Klik to use its anonymizing service "PrivacyProtect" when registering domains. Directi's president, Bhavin Turakhia, shared with Krebs that nearly half of the 100,000 domains registered by Klik have eventually been suspended for abuse. After Krebs targeted their domains, Directi terminated another 21,000 sites in 48 hours!

The current series by Krebs resulted from some of the replies he received from another Must Read series, called Web Fraud 2.0, the week of August 17-23. The components of that series were:

Web Fraud 2.0: Cloaking Connections

Web Fraud 2.0: Validating Your Stolen Goods

Web Fraud 2.0: Digital Forgeries

Web Fraud 2.0: Distributing Your Malware

Interesting Sidebar found in WIRED along these same lines:
Online Posse Assembles, to Unmask Russia's Hackers
