
March 4th, 2009

Bad, bad, cybercrime-friendly ISPs!

Posted by Dancho Danchev @ 12:09 pm

Categories: Anti Virus, Botnets, Hackers, Malware, Passwords, Phishing, Rootkits, Spam and Phishing, Spyware and Adware, Viruses and Worms

Tags: Security, Cybercrime, ISP, Starline, ZlKon, Cernel, HostFresh, UralNet, Dancho Danchev

In a post-McColo, post-Atrivo and post-EstDomains cybercrime ecosystem, the researchers at FireEye have recently launched a “Bad Actors series” aiming to put the spotlight on some of the currently active badware actors online. The sampled ISPs represent safe havens for drop zones for banker malware, DNSChanger malware, rogue security software and live exploit URLs.

From Starline Web Services to ZlKon, Internet Path/Cernel, HostFresh and UralNet, the series draws a simple conclusion: a dysfunctional abuse department can indeed act as a driving factor for the growth of cybercrime.

The main objective of a dysfunctional abuse department is to purposely delay the review and takedown process for the domain or customer in question, thereby increasing the average time the campaign remains online. This is exactly what most of these ISPs are involved in, while charging premium prices in the process of ignoring community requests to shut down the malicious campaign in question.

Interestingly, what we’re witnessing for the time being is a mixed abuse of both legitimate and purely malicious infrastructure. For instance, the bad actors that FireEye is profiling will receive traffic coming from abused legitimate infrastructure, such as in the latest malware campaigns on Digg, Google Video and YouTube. Moreover, we cannot talk about cybercrime-friendly ISPs without mentioning the domain registrars of choice for the majority of cybercriminals, which KnujOn keeps profiling. Their February 2009 Registrar Report states that 10 registrars are responsible for 83% of the fraudulent sites that they’ve analyzed, with the Chinese registrar XIN NET topping the chart for a second time.

With new cybercrime-friendly ISPs popping up on the radar, consider keeping an eye on the upcoming additions to the bad actors series.

Image courtesy of Google’s Postini 2008 Spam Report in a post-McColo Internet.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


  • Talkback
  • Most Recent of 12 Talkback(s)
RE: Bad, bad, cybercrime-friendly ISPs!
Cut them off. You know their IP address blocks so it's easy.

If your provider doesn't want to cut them off, you cut them off. You know their IP address blocks.

Somebody must have an off-the-shelf solution....
Posted by: Dr.C Posted on: 03/05/09
Why easy obvious  Mectron | 03/04/09
ok that a rather great idea  Quebec-french | 03/04/09
Easy  rpmyers1 | 03/04/09
This was never about P2P  Mectron | 03/04/09
damn, you have tried hard on that one man wow  Quebec-french | 03/05/09
Somewhere on those two wires---  BALTHOR | 03/04/09
RE: Bad, bad, cybercrime-friendly ISPs!  koomo | 03/04/09
Simple  Mectron | 03/04/09
Your solution is too simplistic...  MGP2 | 03/04/09
The problem isn't "a"  rpmyers1 | 03/05/09
RE: Bad, bad, cybercrime-friendly ISPs!  Col Mustard | 03/04/09
RE: Bad, bad, cybercrime-friendly ISPs!  Dr.C | 03/05/09
