Tracking Criminal Data Centers
A study shows that companies that host malicious Web content are well hidden and hard to shut down.
Malicious Web content is increasingly distributed by professional criminals who operate their own infrastructure. These crooks run hosting companies that are used to host harmful code, and issue commands to hijacked computers. At a talk given this week at Source Boston, a conference on computer security, one researcher described the tactics one such malicious hosting company uses to evade being shut down.
While spam and malware may seem to be in infinite supply online, malicious hosting companies play a vital role in propagating these pests, says Alex Lanstein, a senior security researcher at FireEye, a security firm based in Milpitas, CA. For example, he points to the shutdown in late 2008 of the malicious hosting company McColo. When this one company ceased operations, more than two-thirds of the spam on the Internet stopped.
However, other companies have risen to take the place of McColo. In particular, Lanstein points to a pool of compromised computers, or "botnet", known as Grum, which at peak points last year was responsible for 26 percent of the world's spam. Lanstein says he traced the operations of Grum back to a block of Internet protocol (IP) addresses hosted by a single company in Ukraine called SteepHost.
Lanstein found that the IP addresses commanding Grum were spread across all the addresses managed by SteepHost, which he believes indicates that the company is operating purely as a criminal data center.
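The reasoning in the two paragraphs above is a coverage check: attribute each observed command-and-control address to the provider's announced prefixes, then ask whether the hits are confined to a corner of the space or spread across all of it. The script below is an added example of that check and is not code from the talk, from FireEye, or from the article. Every prefix and address in it is constructed (private RFC 1918 space), not SteepHost's or Grum's real ranges, and the 0.75 cutoff for calling a block "space-wide" is an assumed threshold.

```python
"""Measure how widely observed command-and-control (C2) hosts are spread
across a hosting provider's address blocks.

Constructed data only: the prefixes and sightings below are illustrative
RFC 1918 addresses, not any real provider's or botnet's.
"""
import ipaddress
from collections import defaultdict

# Hypothetical allocations of one hosting provider (constructed).
PROVIDER_PREFIXES = ["10.10.0.0/22", "10.20.0.0/23"]

# Hypothetical C2 sightings (constructed), e.g. from bot traffic captures.
C2_SIGHTINGS = [
    "10.10.0.5", "10.10.1.40", "10.10.2.9", "10.10.3.200",   # every /24 of the /22
    "10.20.0.3", "10.20.0.77", "10.20.0.3",                  # one /24 of the /23, one repeat
    "172.16.5.5",                                            # outside the provider's space
]


def spread_report(prefixes, sightings, sub_prefixlen=24):
    """Return (report, unattributed).

    report maps each provider prefix to the number of distinct C2 hosts seen
    in it, how many of its /sub_prefixlen sub-blocks contain at least one
    such host, and the resulting spread ratio (sub-blocks hit / total).
    unattributed lists sightings that fall outside every given prefix.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    hosts = defaultdict(set)
    unattributed = []
    for raw in sightings:
        addr = ipaddress.ip_address(raw)
        for net in nets:
            if addr in net:
                hosts[net].add(addr)   # set: repeated sightings count once
                break
        else:
            unattributed.append(str(addr))

    report = {}
    for net in nets:
        # A block no larger than the sub-block size is its own single bucket.
        if net.prefixlen >= sub_prefixlen:
            sub_blocks = [net]
        else:
            sub_blocks = list(net.subnets(new_prefix=sub_prefixlen))
        hit = [s for s in sub_blocks if any(a in s for a in hosts[net])]
        report[str(net)] = {
            "hosts": len(hosts[net]),
            "subnets_hit": len(hit),
            "subnets_total": len(sub_blocks),
            "spread": len(hit) / len(sub_blocks),
        }
    return report, unattributed


def classify(report, spread_threshold=0.75):
    """Label each prefix 'space-wide' when malicious hosts occupy at least
    spread_threshold of its sub-blocks, else 'localized'. The threshold is
    an assumed cutoff, not a published one."""
    return {
        prefix: ("space-wide" if row["spread"] >= spread_threshold else "localized")
        for prefix, row in report.items()
    }


if __name__ == "__main__":
    rep, unknown = spread_report(PROVIDER_PREFIXES, C2_SIGHTINGS)
    for prefix, row in rep.items():
        print(f"{prefix:16} hosts={row['hosts']:3} "
              f"sub-blocks hit={row['subnets_hit']}/{row['subnets_total']} "
              f"spread={row['spread']:.2f} -> {classify(rep)[prefix]}")
    print("unattributed:", unknown)
```

A block in which C2 hosts appear in every sub-block is the pattern Lanstein describes; a block with hits clustered in one sub-block is more consistent with a legitimate provider that has a few compromised or abusive customers, which is the distinction that matters when deciding whether to ask an upstream to drop a few addresses or the whole allocation.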
But it’s far from easy to take a malicious hosting company down. Lanstein says he contacted the companies providing services to SteepHost. They did block some of the malicious IP addresses used by the company, but Lanstein notes that SteepHost responded by contracting for a backup connection from a different provider. “They didn’t want to get shut down, and so they got better transit,” he says. “It’s frustrating.”
Even when a malicious hosting company is shut down, there’s nothing to stop another one from rising to replace it. “The bad guys are really good at getting IP space,” Lanstein says.
The problem, he says, is that there aren’t mechanisms in place to take IP addresses away from bad actors. Even the blocks of IP addresses owned by McColo were only returned to the pool a couple of months ago, since they couldn’t be confiscated as long as the owners remained paid in full for their use. “I can imagine why there are IP address shortages,” Lanstein says.
Malicious hosting companies also sometimes protect themselves by hiding behind other businesses. Earlier this year, a Russian Internet service provider called Troyak was taken offline after it became clear that it was providing service to several hosting companies that were providing command and control support to botnets.
At Source Boston, HD Moore, chief security officer for Boston-based computer security firm Rapid7, gave a keynote speech in which he pointed out how crowded the IPv4 address space is becoming: 91 percent of usable address space has already been allocated.
Moore noted that a different problem might emerge as a side effect of efforts to resolve the shortage. The successor to the current system, IPv6, would open up a vastly larger pool of addresses. In that scenario, Moore said, there would be so much available space that rogue hosting companies could grab big blocks of IP addresses, which would be harder to track.