Friday, 14 November 2008

Directions in cybercrime

Something is missing today. What is it? Hundreds of millions of unwanted SPAM emails. A California-based hosting company, McColo Corp, had their servers blocked from the web and the volumes of SPAM nearly halved. The move seems to have been largely orchestrated by journalists and Google.

Google has a cached copy of the McColo terms of use. The following (copyright McColo and quoted as fair use) is from there:

I) Prohibited Uses
A. Utilize the Services to send mass unsolicited e-mail to third parties.

B. Utilize the Services in connection with any illegal activity. Without limiting the general application of this rule, Users may not:

(i) Utilize the Services to copy material from third parties (including text, graphics, music, videos or other copyrightable material) without proper authorization.

(ii) Utilize the Services to misappropriate or infringe the patents, copyrights, trademarks or other intellectual property rights of any third party.

(iii) Utilize the Services to traffic in illegal drugs, illegal gambling, obscene materials or other any products or services that are prohibited under applicable law.


(viii) Utilize the Services to distribute, advertise or promote software or services that have the primary purpose of encouraging or facilitating unsolicited commercial e-mail or spam.

(ix) Utilize the Services to solicit or collect, or distribute, advertise or promote, e-mail address lists for the purpose of encouraging or facilitating unsolicited commercial e-mail or spam.

(x) McColo has no restrictions on contents. Adult materials, MP3s, games, and audio/video streaming are permitted. However, customers are strictly prohibited from using egg-drops, IRC bots, warez materials and shell hosting services on McColo regular network. IRC BOT controllers are not allowed on both networks.

Oh dear... It seems that they have not been enforcing these very well at all. It seems that IRC traffic used to control the botnets has routinely been routed through McColo servers. Host Exploit are making a lot of the running on this one and they claim that the payment servers for at least 40 child porn sites are being run through McColo. McColo have no restrictions on content indeed. Here is a link to a Washington Post document listing what McColo have apparently been up to. SRIZBI, the world's biggest botnet, is on there and is apparently currently uncontrolled.

An earlier disconnection (technically a depeering) of the Atrivo / Intercage servers produced a short term drop of 10% in SPAM. How short term? About 3-5 days. I would expect the drop caused by taking McColo off the air to take a little longer because there are presumably more botnets being controlled. So, what happens next?

In the short term, I see a scramble to regain control over the botnets that have been severed from their command and control systems. We may even see some of them change hands although it is increasingly clear that many of the individual gangs ultimately serve the same master.

What about the longer term? Well, I would have thought that the gangs behind the SPAM engines would be looking to safeguard their operations. In the past, the IRC control channels (and there are other channels which I can discuss if anyone is interested) have tended to go via smaller independent IRC servers who have been reluctant to terminate the control channels since this often earned them a DDOS attack - that is to say that the botnets would be turned on them as punishment. Attacks against the control channel have largely been limited to killing the channel and hoping no-one minded all that much. By taking out whole server farms at a stroke, things have ratcheted up a whole lot. I would have thought that the botmasters would be looking to move their command mechanisms somewhere much more under their control. Emil Kacperski who ran the Atrivo / Intercage organisation and Vladimir Tsastsin who ran EstDomains may or may not have been associated with the known rogue Russian Business Network - who am I to want a libel case? Certainly, many of the operations that McColo have been hosting were formerly hosted or controlled by the now depeered Russian Business Network. So, moving operations into the west was a solution to a previous problem.

This makes things interesting. If the illegal parts are all in Russia, Estonia and the Ukraine, it is fairly easy to target them as they are concentrated in one geographic area and it is possible to effectively filter traffic although not necessarily good for international relations. If they are centered in the west then the legal framework makes it easy to shut down the operations and that is not what organised crime wants. China? They have their own agenda and it would be even easier to filter the traffic. Africa? Not a lot of bandwidth in the less controlled areas and too much law in the well controlled bits.

Now, what would I do if I were a cyber criminal? Well, they keep knocking out my single points of failure. That happened before so they built in mechanisms to cope with the loss of a single IRC channel. Now the opposition are axing whole server farms. Maybe it is time to abandon centralised control in the same way that the STORM botnet did. Ok, STORM was effectively killed by the Microsoft Malicious Software Removal Tool but it took a long time to die. What if there were multiple STORM type peer to peer botnets? Presumably Microsoft would still kill them off and they would have a limited lifespan - but isn't living defined as not dying for one more day, every day? That is what I would be working on if I were a black hat.
As for the payment side for illegal content, I wouldn't like to guess how that will be done. All that I can say is that we are living in interesting times indeed.

I was asked a question by a client this week. She wondered what I thought the effect of the recession would be on cybercrime. Clearly, legitimate businesses are having to tighten their collective belts. Traditionally, SPAM has been used to sell fake medications, specifically Viagra and Cialis and dubious services such as penis enlargement guides. These can be seen as luxury goods. We may see the mix changing and adverts for treatments for high blood pressure and other necessary medications may start to dominate. Much of the Viagra sold over SPAM is fake and has never seen the inside of Pfizer's plant. What would happen if people bought fake medicines for life threatening conditions? You know that criminals would sell them.

As for more targeted attacks such as industrial espionage, well, the criminals will do what we all do when profits are lower. They will work harder.

Speaking of which, I have a report to write.

Signing off

Mark Long, Digital Looking Glass
