
Tracking Criminal Data Centers

A study shows that companies that host malicious Web content are well hidden and hard to shut down.
April 23, 2010

Malicious Web content is increasingly distributed by professional criminals who operate their own infrastructure. These crooks run hosting companies that are used to host harmful code and to issue commands to hijacked computers. At a talk given this week at Source Boston, a conference on computer security, one researcher described the tactics one such malicious hosting company uses to evade being shut down.

While spam and malware may seem to be in infinite supply online, malicious hosting companies play a vital role in propagating these pests, says Alex Lanstein, a senior security researcher at FireEye, a security firm based in Milpitas, CA. For example, he points to the shutdown in late 2008 of the malicious hosting company McColo. When this one company ceased operations, more than two-thirds of the spam on the Internet stopped.

However, other companies have risen to take the place of McColo. In particular, Lanstein points to a pool of compromised computers, or “botnet,” known as Grum, which at certain peak points last year was responsible for 26 percent of the world’s spam. Lanstein says he traced Grum’s operations back to a block of Internet protocol (IP) addresses hosted by a single company in Ukraine called SteepHost.

Lanstein found that the IP addresses commanding Grum were spread across all the addresses managed by SteepHost, which he believes indicates that the company is operating purely as a criminal data center.

But it’s far from easy to take a malicious hosting company down. Lanstein says he contacted the companies providing services to SteepHost. They did block some of the malicious IP addresses used by the company, but Lanstein notes that SteepHost responded by contracting for a backup connection from a different provider. “They didn’t want to get shut down, and so they got better transit,” he says. “It’s frustrating.”

Even when a malicious hosting company is shut down, there’s nothing to stop another one from rising to replace it. “The bad guys are really good at getting IP space,” Lanstein says.

The problem, he says, is that there aren’t mechanisms in place to take IP addresses away from bad actors. Even the blocks of IP addresses owned by McColo were only returned to the pool a couple of months ago, since they couldn’t be confiscated as long as the owners remained paid in full for their use. “I can imagine why there are IP address shortages,” Lanstein says.

Malicious hosting companies also sometimes protect themselves by hiding behind other businesses. Earlier this year, a Russian Internet service provider called Troyak was taken offline after it became clear that it was providing service to several hosting companies that were providing command and control support to botnets.

At Source Boston, HD Moore, chief security officer for Boston-based computer security firm Rapid7, gave a keynote speech in which he pointed out how crowded the IP address space is becoming: 91 percent of usable address space has already been allocated.

Moore noted that a different problem might emerge as a side effect of efforts to resolve the shortage. The successor to the current system, known as IPv6, would open up a huge number of available IP addresses. In that scenario, Moore said, there would be so much available space that rogue hosting companies could grab big blocks of IP addresses, which would be harder to track.

Illustration by Rose Wong
MIT Technology Review