Dodgy Domains Dumped by ISPs

Few tears were shed when McColo Corp., a San Jose-based ISP that allegedly hosted companies known to be prolific purveyors of spam and other malware, was suddenly taken offline last week by its upstream service providers.

The takedown in September of another company with a similar reputation -- this one named Intercage -- also evoked little sympathy from an Internet community that clearly is fed up with the massive volumes of spam and other crimeware flowing across the Web.

What's remarkable about the McColo and Intercage shutdowns is that they weren't initiated by law enforcement officials or via court order. Neither did they happen because either company was forced into bankruptcy or had other financial problems. Instead, both companies were forced offline when their upstream ISPs, acting upon information provided by security researchers, simply disconnected them and their customers from the Internet.

Behind the scenes of the McColo and Intercage cases, a ferocious struggle is taking place between the purveyors of Web-based malware and loosely aligned but highly committed groups of security researchers who are out to neutralize them.

Those who support these self-appointed Net police -- and many do -- dismiss any suggestions that the researchers are acting as online vigilantes and instead liken their efforts to Neighborhood Watch programs designed to keep city streets safe. Backers claim that the effort to shut down miscreant ISPs is needed because of the inability of law enforcement agencies to deal with a problem that is global in nature, as well as a lack of applicable laws both domestically and internationally.

A few people, though, do question whether there is a hint of vigilantism behind the takedowns -- even as they acknowledge that there may not be any other viable options for dealing with the problem at this point.

Soon after Intercage was forced offline, for instance, Earl Zmijewski, vice president and general manager at Internet monitoring company Renesys Corp., asked in a blog post why law enforcement officials hadn't been involved in the shutdown. "While I'm not a big fan of cyber-crime or the providers who knowingly host these activities, I can't help but wonder where law enforcement is in this story," Zmijewski wrote. "We still have laws, right?"

The shutdown of McColo prompted a similar reaction from Maxim Weinstein, manager of StopBadware.org, an anti-malware group that is spearheaded by Harvard University's Berkman Center for Internet & Society. In a blog post last week, Weinstein applauded the efforts that resulted in McColo being disconnected from the Internet. But he also expressed concern about innocent companies and individuals who might have been negatively affected by the move.

"Surely McColo and previously-taken-down Intercage had legitimate customers, owners of websites and/or domain names that they used for their personal blogs, their small businesses, their family photo albums, and so on," Weinstein wrote. "What happened to those users when their providers and their sites suddenly became unavailable?"

McColo hosted a staggering variety of cybercrime activity, according to a group of researchers who said they had investigated and documented the company's practices for more than two years. In addition to Web sites that spewed out huge quantities of spam, McColo is alleged to have hosted child pornography and counterfeit pharmaceutical sites as well as the command and control servers for some of the Internet's biggest botnets.

The company was kicked offline last Tuesday after The Washington Post provided its upstream service providers with information about McColo's alleged hosting of spammers and other cybercrooks. According to an entry in the Post's Security Fix blog by reporter Brian Krebs, the information was gathered from security researchers over the past four months.

Benny Ng, director of infrastructure at Hurricane Electric, a Fremont, Calif.-based ISP that was one of McColo's service providers, said that his company's decision to pull the plug on the company was based solely on what it was given by the Post. "We were informed of what was going on, so we went to our router and just turned their ports off," Ng said.

According to Ng, the decision was a straightforward and perfectly legal one because what McColo was doing was completely against Hurricane Electric's terms of service. "Having a company like McColo on your network doesn't look good," he said. "As an operator of an international Internet backbone service, you just can't have that."

The fear of ending up on an Internet blacklist is also a powerful motivator in such cases. Several groups and companies -- including StopBadware.org, The Spamhaus Project Ltd., HostExploit.com and Castlecops -- maintain extensive lists of Web sites and domains that are allegedly associated with spamming, rootkits, adware, spyware, phishing and other threats.

The blacklists are used by many security vendors and corporate IT departments as part of their efforts to block spam and other malware. As such, ending up on one or more of the lists can have drastic consequences for an ISP or Web site. And sometimes, all it takes for a service provider to end up being blacklisted is for a handful of its customers to be identified as spammers, according to an executive at a hosting firm who asked not to be named.

"You could have thousands of customers, out of which one is a spammer," the executive said. "Those lists could still say, 'We believe XYZ is a service provider that sponsors spam. We don't like you and we won't let others talk to you.'" He added that there often is little transparency into the rules used by blacklist groups to determine what constitutes a spammer, and that it sometimes can be hard to get off of the lists in a timely manner. "They basically have you over a barrel," the executive said. "So yes, we do pay attention to them."

Others, though, say that the only people really opposed to the efforts of antispam and anti-malware groups are the cybercriminals themselves and those who support them for financial gain -- such as service providers that host spam sites. In addition, in the cases of both the McColo and Intercage shutdowns, the only role the security community played was to collect evidence showing conclusively that the two companies were hosting clients involved in all sorts of criminal activity, said Garth Bruen, founder of the antispam group KnujOn.

The actual decisions to pull the plug on the hosting companies were made by their service providers, not by the security researchers, Bruen said. "That was their choice to do it," he noted. "We just gave them the information to help them make up their mind."

Such cooperation between security researchers, ISPs and hosting companies can be very useful, according to Bruen. He pointed to a "very long dialogue" that KnujOn and HostExploit.com had with a large India-based hosting company named Directi that resulted in the latter agreeing to suspend "thousands and thousands" of domains that were allegedly being used to send spam or sell counterfeit drugs.

Almost everyone concedes that the private policing effort may not be enough to completely eradicate spammers and other cybercriminals. In fact, many operations that are shut down by one service provider often resurface a short time later at another location on the Internet. That was the case for Intercage, at least temporarily. The same thing happened with McColo, which briefly came back online on Saturday via an ISP based in Sweden.

But the anti-malware campaigns are making it costlier to run such operations, Bruen claimed. For instance, almost immediately after McColo was shut down last week, spam volumes plunged by more than 40%, according to researchers at IronPort Systems Inc. The shutdown also forced operators of some of the largest and nastiest botnets in the world to relocate their operations, he and other security researchers said.

What's going on is "a little closer to vigilance than it is to vigilantism," StopBadware.org's Weinstein said in an interview last week. "The researchers who are coming out with these reports are not inciting specific action against any company," he added. "What they are doing is publishing data and putting it in front of people who are making these decisions."

Often, though, it's hard to know for sure if a hosting provider is complicit in the illegal activities taking place on its networks, or the extent of its culpability for such activities if it is aware of them, Weinstein said. "That's definitely a concern," he acknowledged. "But I don't think there's an easy answer to it."

Similar doubts were expressed even in the Post's full story about the McColo takedown that the newspaper itself had helped trigger. According to the story, it's hard to know the extent to which McColo could be held legally responsible for the activities of its hosted clients. There also is no evidence that McColo has ever been charged with any crimes, the story reported.

The apparent lack of action on the part of U.S. law enforcement agencies to curb either McColo or Intercage is surprising, said Zmijewski, the Renesys executive. "It's not like these companies were in the middle of nowhere," he said, adding that many of the activities being carried out by companies hosted by the two ISPs, such as spamming and child pornography, were clearly illegal.

Zmijewski thinks that invoking the rule of law would be preferable to having private groups initiate policing efforts of their own. But with law enforcement not getting involved, it isn't surprising that some people have begun "taking matters into their own hands," he said. For now, he added, "this perhaps is the only option."
