November 23, 2008:
The war against Internet crime has turned against the bad guys, as ISPs (Internet Service Providers) that provide access for Internet criminals have been identified and cut off from the Internet. This had an interesting side-effect recently, as nearly half a million hijacked computers frantically sought to "call home." It all began with the recent take-down of the ISP McColo Corporation, which caused worldwide spam traffic to decline by over 50 percent in one day. Over the previous year or so, the disconnection of two similar ISPs, the Russian Business Network and Intercage, had a similar, if less dramatic, effect on spam traffic and on Internet-based criminal activity in general.
The basic tactic is to compile a report of the known criminal activity being conducted via a particular ISP, and then present it to police authorities (like the FBI in the U.S.). What made this work was the discovery that child pornography sites were hosted at places like McColo. While ISPs cannot be held legally responsible for most customer activity, copyright infringement and child pornography are two things an ISP can be prosecuted for if it knows the material is on its servers and does nothing about it. The hosting ISPs, like McColo, will play games with the authorities (moving the criminal sites to another server, or shutting them down and then letting them start again under a different name). But the same evidence can be taken to the ISPs that "peer" with (connect to) the offending ISP, to get them to disconnect from it. Since the Internet is a network of networks, an ISP that cannot connect to the web of thousands of other ISPs (especially the major ones) is not connected to the Internet at all. That's how McColo, the Russian Business Network and Intercage got shut down, and that's how new ISPs specializing in supporting criminals will get shut down.
Internet crime, particularly spam (unsolicited email), has become a big money maker. Because sending it costs so little, one response per several million spam messages is enough to make lots of money. But the same ISPs that host the spammers also host operations that try to sneak into business, government and personal computers to steal things (bank account information, trade secrets, classified military information). As much as the bad guys try to find places to hide, they tend to congregate at unscrupulous ISPs that charge a bit extra and look the other way. Now these rogue ISPs are under attack, and this will slow down the Internet bandits and increase their cost of doing business.
When McColo went dark, Internet criminals lost touch with their botnets (networks of PCs infected with a hidden program that lets the botnet controller direct the zombie, or infected, PCs to send spam, or to unleash programs that try to infect other PCs or break into business or government networks and steal information). Internet security companies monitor many of these botnets, and one of the largest, called Srizbi, suddenly went haywire. Over 450,000 zombie PCs were frantically trying to connect to the disconnected McColo servers that the Srizbi criminals used to control their botnet.
Internet security firms use traffic analysis (examining patterns of activity on the Internet) to spot such things, and the pre-programmed instructions of all those Srizbi zombies were similar enough that their repeated attempts to reach the dead control servers revealed which machines were zombies. This is being monitored to try to identify all the zombies and help get them cleaned. The security firms also hope to get a better idea of exactly who the Srizbi gang is and where they are, and possibly get them arrested and put out of business.
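The kind of traffic analysis described above, as an added example written for this article (it is not Srizbi code, nor any security firm's actual detection logic): a small Python script that reads constructed firewall log lines and flags internal hosts that keep retrying, at a steady interval, connections to a control-server address block that no longer answers. The log format, the threshold values and the addresses are all assumptions; the documentation range 203.0.113.0/24 stands in for the disconnected McColo servers, and 10.0.0.x hosts stand in for the infected PCs.

```python
"""Flag hosts that keep retrying a dead command-and-control (C2) block.

Illustrative example for this article only. Not Srizbi code and not any
vendor's detection rule. The log format, the addresses and the thresholds
are assumptions chosen so the script runs offline.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the disconnected C2 block we are watching for. 203.0.113.0/24
# is a documentation range standing in for the real, now unreachable servers.
DEAD_C2 = ip_network("203.0.113.0/24")

# Constructed sample lines in a simplified firewall log format (assumed):
#   <timestamp> <action> <src_ip> -> <dst_ip>:<dst_port>
# 10.0.0.5 and 10.0.0.9 retry the dead C2 every 30 seconds (zombie behaviour).
# 10.0.0.7 touches it once; 10.0.0.11 makes an irregular burst (a user retry).
SAMPLE_LOG = """\
2008-11-12T10:00:01 DROP 10.0.0.5 -> 203.0.113.10:80
2008-11-12T10:00:31 DROP 10.0.0.5 -> 203.0.113.11:80
2008-11-12T10:01:01 DROP 10.0.0.5 -> 203.0.113.12:80
2008-11-12T10:01:31 DROP 10.0.0.5 -> 203.0.113.10:80
2008-11-12T10:02:01 DROP 10.0.0.5 -> 203.0.113.11:80
2008-11-12T10:00:07 ALLOW 10.0.0.7 -> 198.51.100.3:443
2008-11-12T10:00:09 DROP 10.0.0.7 -> 203.0.113.10:80
2008-11-12T10:00:40 DROP 10.0.0.9 -> 203.0.113.12:80
2008-11-12T10:01:10 DROP 10.0.0.9 -> 203.0.113.12:80
2008-11-12T10:01:40 DROP 10.0.0.9 -> 203.0.113.12:80
2008-11-12T10:03:00 ALLOW 10.0.0.9 -> 198.51.100.3:443
2008-11-12T10:00:00 DROP 10.0.0.11 -> 203.0.113.10:80
2008-11-12T10:00:05 DROP 10.0.0.11 -> 203.0.113.10:80
2008-11-12T10:02:00 DROP 10.0.0.11 -> 203.0.113.10:80
"""


def parse_line(line):
    """Parse one log line into (timestamp, action, src_ip, dst_ip, dst_port)."""
    ts, action, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, ip_address(src), ip_address(dst), int(port)


def attempts_to_dead_c2(log_text):
    """Collect, per source host, the timestamps of attempts to reach DEAD_C2.

    The firewall action is irrelevant here: the block is dead, so every
    attempt to reach it is a failed call home, allowed or dropped.
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, dst, _port = parse_line(line)
        if dst in DEAD_C2:
            per_host[str(src)].append(ts)
    return per_host


def find_zombies(log_text, min_attempts=3, max_jitter_s=5):
    """Return hosts making at least min_attempts evenly spaced retries.

    Even spacing (all gaps within max_jitter_s of each other) is what
    separates a pre-programmed beacon loop from a human clicking reload.
    Result: {host: {"attempts": n, "interval_s": mean gap in seconds}}.
    """
    suspects = {}
    for host, times in attempts_to_dead_c2(log_text).items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            suspects[host] = {
                "attempts": len(times),
                "interval_s": round(sum(gaps) / len(gaps)),
            }
    return suspects


if __name__ == "__main__":
    for host, info in sorted(find_zombies(SAMPLE_LOG).items()):
        print(f"{host}: {info['attempts']} attempts, every {info['interval_s']}s")
```

On the constructed input, 10.0.0.5 and 10.0.0.9 are flagged (steady 30-second retries) while 10.0.0.7 (one attempt) and 10.0.0.11 (three attempts at irregular spacing) are not. In practice the thresholds would be tuned to the observed beacon interval, and the flagged hosts would be handed to the owning network for cleanup, which is the identification-and-disinfection effort the article describes.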
All this has implications for Cyber War operators, who use lots of zombies to set up wartime attacks, and who engage in espionage and low-level attacks right now.