Information Warfare: The War Below


January 14, 2010: While Western governments debate the efficacy, or legality, of going on the offensive against Internet spies and criminals, more Internet security companies, and academic researchers, are taking the initiative. The most recent victory was the elimination of the Neustar of Lethic botnet, which represented about ten percent of all spam email sent. Other efforts have crippled botnets, and some botnets have been taken down quietly (because illegal, or methods of uncertain legality, were used.) No government has had the courage to openly go after destroying botnets, although it's believed there is some classified activity in their area.

The biggest victory took place in 2008, when a small ISP, McColo Corporation, was taken off line. This caused worldwide spam traffic to decline by over 50 percent in one day. Before that, two similar ISPs, the Russian Business Network and Intercage, had a less dramatic impact on spam traffic, and Internet based criminal activity in general, when they were shut down.

The basic tactic here was to compile a report of the known criminal activity being conducted via a particular ISP, and then present it to police authorities (like the FBI in the U.S.), who can get court orders to shut the ISP down. What made the McColo take down work was the discovery that child pornography sites were hosted on places like McColo. While ISPs cannot be held legally responsible for most customer activity, copyright infringement and child pornography are two things the ISP can be prosecuted for it they know it's on their servers, and do nothing about it. While the ISPs doing the hosting, like McColo, will play games with the authorities (moving the criminal sites to another server, or shutting them down and then letting them start again under a different name), you can take the same evidence to the ISPs that "peer" (connect to) the offending ISP, and get them to disconnect with the offending ISP. Since the Internet is a network of networks, if an ISP cannot connect to the "web" of thousands of ISPs (especially the major ones), they are not connected to the Internet. That's how McColo, the Russian Business Network and Intercage got shut down. And that's how new ISPs, specializing in supporting criminals, will get shut down.

Internet crime, particularly spam (unsolicited email) has become a big money maker. Because of the very low cost of sending it, you need only one response for several million spam messages, to make lots of money. But the same ISPs that host the spammers, also host operations that try to sneak into business, government and personal computers to steal stuff (bank account information, trade secrets, classified military information). As much as the bad guys try to find places to hide, they tend to congregate at unscrupulous ISPs that will charge a bit extra, and look the other way. Now these rogue ISPs are under attack, and this will slow down the Internet bandits, and increase their cost of doing business.

When McColo went dark, Internet criminals lost touch with their botnets (networks of PCs infected with a hidden program that allowed the botnet controller to direct the zombie (infected) PCs to send spam or unleash programs that tried to infect other PCs or break into business or government networks and steal information. Internet security companies monitor many of these botnets, and one of the largest collection of botnets, called the Srizbi network, suddenly went haywire. Over 450,000 zombie PCs were frantically trying to connect to the disconnected McColo servers that the Srizbi criminals used to control their botnets.

Internet security firms use traffic analysis (examining patterns of activity in the Internet) to spot stuff, and the pre-programmed instructions of all those Srizbi zombies was similar enough to reveal who the zombies were. This is being monitored to try and identify all the zombies, and help get them uninfected. The security firms also hope to get a better idea of exactly who the Srizbi gang is, and where they are, and possibly get them arrested and taken out of business. All this has implications for Cyber War operators, which use lots of zombies to set up wartime attacks, and engage in espionage and low level attacks right now.

There are also some more specific threats out there. Google recently threatened to leave China (where it has over a third of the search business, and partnerships with more than a dozen other companies) when it was discovered that Chinese Cyber War hackers had gotten into Googles' control network, in order to track the activities of reform minded Chinese Internet users. Google also discovered that the Chinese had used those hacking techniques to get into twenty other corporate networks, all for the purpose of silencing dissent, and calls for reform, within China.

China appears to feel that it cannot be touched, while it does whatever it likes on the Internet. Chinese net-based espionage has become more widespread over the last five years, and no one seems able to do anything about it.





Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contribute. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   contribute   Close