Skip to Content

Tracking Criminal Data Centers

A study shows that companies that host malicious Web content are well hidden and hard to shut down.
April 23, 2010

Malicious Web content is increasingly distributed by professional criminals who operate their own infrastructure. These crooks run hosting companies that are used to host harmful code, and issue commands to hijacked computers. At a talk given this week at Source Boston, a conference on computer security, one researcher described the tactics one such malicious hosting company uses to evade being shut down.

While spam and malware may seem to be in infinite supply online, malicious hosting companies play a vital role in propagating these pests, says Alex Lanstein, a senior security researcher at FireEye, a security firm based in Milpitas, CA. For example, he points to the shutdown in late 2008 of the malicious hosting company McColo. When this one company ceased operations, more than two-thirds of the spam on the Internet stopped.

However, other companies have risen to take the place of McColo. In particular, Lanstein points to a pool of compromised computers, or “botnet”, known as Grum, which at certain peak points last year was responsible for 26 percent of the world’s spam. Lanstein says he traced Grum’s operations back to a block of Internet protocol (IP) addresses hosted by a single company in the Ukraine called SteepHost.

Lanstein found that the IP addresses commanding Grum were spread across all the addresses managed by SteepHost, which he believes indicates that the company is operating purely as a criminal data center.

But it’s far from easy to take a malicious hosting company down. Lanstein says he contacted the companies providing services to SteepHost. They did block some of the malicious IP addresses used by the company, but Lanstein notes that SteepHost responded by contracting for a backup connection from a different provider. “They didn’t want to get shut down, and so they got better transit,” he says. “It’s frustrating.”

Even when a malicious hosting company is shut down, there’s nothing to stop another one from rising to replace it. “The bad guys are really good at getting IP space,” Lanstein says.

The problem, he says, is that there aren’t mechanisms in place to take IP addresses away from bad actors. Even the blocks of IP addresses owned by McColo were only returned to the pool a couple of months ago, since they couldn’t be confiscated as long as the owners remained paid in full for their use. “I can imagine why there are IP address shortages,” Lanstein says.

Malicious hosting companies also sometimes protect themselves by hiding behind other businesses. Earlier this year, a Russian Internet service provider called Troyak was taken offline after it became clear that it was providing service to several hosting companies that were providing command and control support to botnets.

At Source Boston, HD Moore, chief security officer for Boston-based computer security firm Rapid7, gave a keynote speech in which he pointed out how crowded the IP address space is becoming: 91 percent of usable address space has already been allocated.

Moore noted that a different problem might emerge as a side effect of efforts to resolve the shortage. The successor for the current system, known as IPv6, would open up a huge number of available IP addresses. In that scenario, Moore said, there would be so much available space that rogue hosting companies could grab big blocks of IP addresses, which would be harder to track.

Keep Reading

Most Popular

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

The problem with plug-in hybrids? Their drivers.

Plug-in hybrids are often sold as a transition to EVs, but new data from Europe shows we’re still underestimating the emissions they produce.

How scientists traced a mysterious covid case back to six toilets

When wastewater surveillance turns into a hunt for a single infected individual, the ethics get tricky.

Google DeepMind’s new generative model makes Super Mario–like games from scratch

Genie learns how to control games by watching hours and hours of video. It could help train next-gen robots too.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.