RealTime IT News

Malware Writers Get Bold, Rent Datacenters

Security firm Kaspersky Lab has uncovered a disturbing trend among the criminal syndicates that write and distribute botnets. Instead of relying solely on individual infected PCs, they are now taking advantage of loopholes and lax screening to set up shop in datacenters.

Botnets, collections of computers infected with some kind of malicious program, have traditionally been built from individually infected machines. Someone foolishly visited the wrong Web site or clicked on a link sent to them by a stranger, or even a friend, and since they didn't have adequate anti-malware protection, they became infected.

The bot hid in their computer, silently doing its work. It might be pumping out hundreds of spam messages a day or be used for distributed denial of service (DDoS) attacks. Most of these bots ran on home PCs, but security firms have found corporate PCs infected without their owners' knowledge as well.

However, security firms and ISPs have gotten wise to these tactics. Botnets are being taken down at faster rates and don't last as long as they used to.

So moving into a professionally run datacenter would seem to take some nerve. However, thanks to loopholes, laxness and, in some cases, overwhelmed administrators, the bad guys have begun to set up their own virtual datacenters inside legitimate ones.

They go so far as to buy the computers and rent space from hosting providers, writes Dennis Fisher, editor of Threatpost, Kaspersky's security blog, and a security evangelist for Kaspersky Lab. Then they apply for a large block of IP addresses.

That's where things break down. There is supposed to be careful screening done, but not always. "In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation," Fisher writes.

This is a problem in parts of Europe and the Caribbean, where dozens of jurisdictions and multiple languages can lead to confusion and difficulty in tracking down exactly who is doing what online. Plus, authorities in some of these countries are lackadaisical, lack technical sophistication, or simply aren't worried about these issues, which allows such an environment to thrive.

Exploiting geography

That's what makes addressing the problem a challenge. If someone from Russia applies for IP space in Africa or the Caribbean, there's a language barrier and the legitimate excuse of logistics. And if it's a datacenter in a poor country, would the operators really care?

Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor, told Fisher "It takes one more level out of it: You own your own IP space and you're your own ISP at that point."

The most famous example of this was the Russian Business Network, a St. Petersburg company that posed as a legitimate ISP but was anything but. It hosted all kinds of porn, including child porn, as well as malware and other malicious software. The company was taken down only after a Washington Post report shined a light on it and its upstream provider in England cut RBN off completely.

It reflects a problem with IP allocation: once given, address space is a real pain to revoke. The RBN was granted IP addresses in 2006, but its space wasn't revoked until May 2008. Plus, by that point, the block of IP addresses is likely blacklisted all over the place, making it worthless to any legitimate user who is allocated it later.
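The screening gap Fisher describes and the blacklisting problem above share a practical check: before a provider hands out or reuses a block, it can measure how much of that block already overlaps with prefixes on a reputation feed. The following is an added example written for this page, not code from Kaspersky, FireEye or Threatpost. The blocklist is constructed from RFC 5737 documentation ranges standing in for a real feed, and the 5 percent threshold is an arbitrary assumption.

```python
import ipaddress

# Constructed sample blocklist (assumption: stands in for a real reputation feed).
# These are RFC 5737 documentation prefixes, not real listings.
BLOCKLIST = [
    "192.0.2.0/25",
    "192.0.2.128/26",
    "198.51.100.0/24",
    "203.0.113.64/27",
]


def blocklisted_fraction(candidate_cidr, blocklist=BLOCKLIST):
    """Return (fraction, hits): the share of candidate_cidr that lies in
    blocklisted space, and the listed prefixes responsible for it."""
    cand = ipaddress.ip_network(candidate_cidr, strict=False)
    # Only compare prefixes of the same address family; then collapse the feed
    # so overlapping or adjacent entries are not double-counted.
    same_family = (ipaddress.ip_network(p) for p in blocklist)
    same_family = [n for n in same_family if n.version == cand.version]
    listed = ipaddress.collapse_addresses(same_family)

    tainted = 0
    hits = []
    for net in listed:
        if net.subnet_of(cand):
            # Listed prefix sits inside the candidate: count its addresses.
            tainted += net.num_addresses
            hits.append(str(net))
        elif cand.subnet_of(net):
            # The whole candidate lies inside a listed prefix: fully tainted.
            return 1.0, [str(net)]
        # CIDR prefixes are either nested or disjoint, so nothing else overlaps.
    return tainted / cand.num_addresses, hits


def allocation_verdict(candidate_cidr, threshold=0.05, blocklist=BLOCKLIST):
    """Accept the block only if its blocklisted share is at or below threshold
    (assumption: 5 percent is an illustrative cutoff, not an industry norm)."""
    fraction, _ = blocklisted_fraction(candidate_cidr, blocklist)
    return "reject" if fraction > threshold else "accept"


if __name__ == "__main__":
    for cidr in ("192.0.2.0/24", "198.51.100.0/23", "203.0.113.64/28", "203.0.113.0/26"):
        fraction, hits = blocklisted_fraction(cidr)
        print(f"{cidr}: {fraction:.0%} blocklisted via {hits} -> {allocation_verdict(cidr)}")
```

The same function answers the RBN question from the other direction: run it over a block that is about to be revoked and reassigned, and a high fraction tells the registry that whoever inherits the space will inherit its reputation too.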

"This is part of the problem that's causing the IPv4 shortage," Lanstein told Fisher. There have been predictions that the supply of IPv4 addresses would run out very soon, but that prediction has been made several times before.