Tracking Criminal Data Centers

A study shows that companies that host malicious Web content are well hidden and hard to shut down.
April 23, 2010

Malicious Web content is increasingly distributed by professional criminals who operate their own infrastructure. These crooks run hosting companies that are used to host harmful code, and issue commands to hijacked computers. At a talk given this week at Source Boston, a conference on computer security, one researcher described the tactics one such malicious hosting company uses to evade being shut down.

While spam and malware may seem to be in infinite supply online, malicious hosting companies play a vital role in propagating these pests, says Alex Lanstein, a senior security researcher at FireEye, a security firm based in Milpitas, CA. For example, he points to the shutdown in late 2008 of the malicious hosting company McColo. When this one company ceased operations, more than two-thirds of the spam on the Internet stopped.

However, other companies have risen to take the place of McColo. In particular, Lanstein points to a pool of compromised computers, or “botnet”, known as Grum, which at certain peak points last year was responsible for 26 percent of the world’s spam. Lanstein says he traced Grum’s operations back to a block of Internet protocol (IP) addresses hosted by a single company in the Ukraine called SteepHost.

Lanstein found that the IP addresses commanding Grum were spread across all the addresses managed by SteepHost, which he believes indicates that the company is operating purely as a criminal data center.
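The indicator described above, that command addresses are spread across a provider's whole allocation rather than clustered in one customer's corner of it, can be checked mechanically. The following is an added example, not code from the article or from FireEye; the provider names, prefixes and flagged addresses are constructed from documentation ranges and are not SteepHost's real address blocks.

```python
import ipaddress

# Constructed sample data: address blocks two hosting providers announce, and a
# feed of addresses observed issuing botnet commands. Both are invented for
# this illustration (RFC 5737 documentation ranges), not taken from the article.
PROVIDER_PREFIXES = {
    "provider-A": ["203.0.113.0/24", "198.51.100.0/25"],
    "provider-B": ["192.0.2.0/24"],
}
C2_ADDRESSES = [
    # provider-A: flagged hosts land in every /26 of both blocks
    "203.0.113.5", "203.0.113.70", "203.0.113.130", "203.0.113.200",
    "198.51.100.3", "198.51.100.90",
    # provider-B: flagged hosts sit in a single /26, consistent with one bad customer
    "192.0.2.10", "192.0.2.20", "192.0.2.30",
]


def coverage_by_provider(prefixes, flagged, sub_bits=26):
    """Fraction of each provider's /sub_bits subnets that contain at least one
    flagged address. A value near 1.0 means the flagged hosts span the whole
    allocation; a low value points at a localized problem (one customer)."""
    flagged_ips = [ipaddress.ip_address(a) for a in flagged]
    result = {}
    for provider, blocks in prefixes.items():
        total = hit = 0
        for block in blocks:
            net = ipaddress.ip_network(block)
            # Walk the allocation in fixed-size slices and count the ones hit.
            for sub in net.subnets(new_prefix=sub_bits):
                total += 1
                if any(ip in sub for ip in flagged_ips):
                    hit += 1
        result[provider] = hit / total if total else 0.0
    return result


def classify(coverage, threshold=0.75):
    """Label each provider by how much of its space the flagged hosts cover.
    The threshold is an assumed cut-off for this example, not a published one."""
    return {p: ("whole-allocation" if c >= threshold else "localized")
            for p, c in coverage.items()}


if __name__ == "__main__":
    cov = coverage_by_provider(PROVIDER_PREFIXES, C2_ADDRESSES)
    for provider, label in classify(cov).items():
        print(f"{provider}: {cov[provider]:.2f} of /26s flagged -> {label}")
```

Run against a real routing table and threat feed, the same per-subnet coverage distinguishes a provider that is hosting one abusive customer from one whose entire allocation serves as command infrastructure.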

But it’s far from easy to take a malicious hosting company down. Lanstein says he contacted the companies providing services to SteepHost. They did block some of the malicious IP addresses used by the company, but Lanstein notes that SteepHost responded by contracting for a backup connection from a different provider. “They didn’t want to get shut down, and so they got better transit,” he says. “It’s frustrating.”

Even when a malicious hosting company is shut down, there’s nothing to stop another one from rising to replace it. “The bad guys are really good at getting IP space,” Lanstein says.

The problem, he says, is that there aren’t mechanisms in place to take IP addresses away from bad actors. Even the blocks of IP addresses owned by McColo were only returned to the pool a couple of months ago, since they couldn’t be confiscated as long as the owners remained paid in full for their use. “I can imagine why there are IP address shortages,” Lanstein says.

Malicious hosting companies also sometimes protect themselves by hiding behind other businesses. Earlier this year, a Russian Internet service provider called Troyak was taken offline after it became clear that it was providing service to several hosting companies that were providing command and control support to botnets.

At Source Boston, HD Moore, chief security officer for Boston-based computer security firm Rapid7, gave a keynote speech in which he pointed out how crowded the IP address space is becoming: 91 percent of usable address space has already been allocated.

Moore noted that a different problem might emerge as a side effect of efforts to resolve the shortage. The successor to the current system, known as IPv6, would open up a huge number of available IP addresses. In that scenario, Moore said, there would be so much available space that rogue hosting companies could grab big blocks of IP addresses, which would be harder to track.
