Tracking Criminal Data Centers

A study shows that companies that host malicious Web content are well hidden and hard to shut down.

Malicious Web content is increasingly distributed by professional criminals who operate their own infrastructure. These crooks run hosting companies whose servers store harmful code and issue commands to hijacked computers. At a talk given this week at Source Boston, a conference on computer security, one researcher described the tactics one such malicious hosting company uses to evade being shut down.

While spam and malware may seem to be in infinite supply online, malicious hosting companies play a vital role in propagating these pests, says Alex Lanstein, a senior security researcher at FireEye, a security firm based in Milpitas, CA. For example, he points to the shutdown in late 2008 of the malicious hosting company McColo. When this one company ceased operations, more than two-thirds of the spam on the Internet stopped.

However, other companies have risen to take the place of McColo. In particular, Lanstein points to a pool of compromised computers, or “botnet”, known as Grum, which at certain peak points last year was responsible for 26 percent of the world’s spam. Lanstein says he traced Grum’s operations back to a block of Internet protocol (IP) addresses hosted by a single company in the Ukraine called SteepHost.

Lanstein found that the IP addresses commanding Grum were spread across all the addresses managed by SteepHost, which he believes indicates that the company is operating purely as a criminal data center.
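The distinction Lanstein draws, a few compromised hosts inside one customer's range versus command-and-control addresses spread across a provider's whole allocation, can be measured. The script below is an added illustration, not FireEye's tooling or data; the provider prefixes and suspected C2 addresses are constructed from reserved documentation ranges, and the sub-block size is an assumed analysis parameter.

```python
"""Added example: how widely a set of suspected command-and-control (C2)
addresses is spread across a hosting provider's announced prefixes.
All prefixes and addresses are constructed sample data (documentation ranges)."""
import ipaddress
from collections import Counter

# Constructed: prefixes a hypothetical provider announces
PROVIDER_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed: suspected C2 addresses gathered from sample telemetry
C2_ADDRESSES = [
    "198.51.100.7", "198.51.100.77", "198.51.100.130", "198.51.100.201",
    "203.0.113.10", "203.0.113.90", "203.0.113.160", "203.0.113.250",
    "192.0.2.5",  # outside the provider's space; does not count toward spread
]


def spread_across_provider(prefixes, addresses, bucket_len=26):
    """Return (matched, buckets_hit, buckets_total).

    The provider's space is split into /bucket_len sub-blocks. If C2 hosts
    occupy nearly every sub-block, the activity spans the whole allocation
    rather than one compromised customer range, which is the pattern the
    article describes as pointing to a dedicated malicious hosting company.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    # a prefix shorter than bucket_len splits into 2**(bucket_len - prefixlen) buckets
    buckets_total = sum(2 ** max(bucket_len - n.prefixlen, 0) for n in nets)
    hit = Counter()
    matched = 0
    for a in addresses:
        ip = ipaddress.ip_address(a)
        for n in nets:
            if ip in n:
                matched += 1
                # the /bucket_len sub-block containing this address
                hit[ipaddress.ip_network(f"{ip}/{bucket_len}", strict=False)] += 1
                break
    return matched, len(hit), buckets_total


def spread_ratio(prefixes, addresses, bucket_len=26):
    """Fraction of the provider's sub-blocks that contain at least one C2 host."""
    _, hit, total = spread_across_provider(prefixes, addresses, bucket_len)
    return hit / total if total else 0.0


if __name__ == "__main__":
    m, h, t = spread_across_provider(PROVIDER_PREFIXES, C2_ADDRESSES)
    print(f"{m} C2 hosts in provider space; {h}/{t} /26 sub-blocks touched")
```

A ratio near 1.0 means every corner of the allocation is in use by the botnet; a low ratio with many matches points instead at one abused customer block.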

But it’s far from easy to take a malicious hosting company down. Lanstein says he contacted the companies providing services to SteepHost. They did block some of the malicious IP addresses used by the company, but Lanstein notes that SteepHost responded by contracting for a backup connection from a different provider. “They didn’t want to get shut down, and so they got better transit,” he says. “It’s frustrating.”

Even when a malicious hosting company is shut down, there’s nothing to stop another one from rising to replace it. “The bad guys are really good at getting IP space,” Lanstein says.

The problem, he says, is that there aren’t mechanisms in place to take IP addresses away from bad actors. Even the blocks of IP addresses owned by McColo were only returned to the pool a couple of months ago, since they couldn’t be confiscated as long as the owners remained paid in full for their use. “I can imagine why there are IP address shortages,” Lanstein says.

Malicious hosting companies also sometimes protect themselves by hiding behind other businesses. Earlier this year, a Russian Internet service provider called Troyak was taken offline after it became clear that it was providing service to several hosting companies that were providing command and control support to botnets.

At Source Boston, HD Moore, chief security officer for Boston-based computer security firm Rapid7, gave a keynote speech in which he pointed out how crowded the IP address space is becoming: 91 percent of usable address space has already been allocated.

Moore noted that a different problem might emerge as a side effect of efforts to resolve the shortage. The successor for the current system, known as IPv6, would open up a huge number of available IP addresses. In that scenario, Moore said, there would be so much available space that rogue hosting companies could grab big blocks of IP addresses, which would be harder to track.
