Wednesday, December 23, 2009

Attackers Buying Own Data Centers for Botnets, Spam

Via -

The malware writers and criminals who run botnets for years have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But, as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.

IP address space allocation is handled by five regional Internet registries (RIR), each of which is responsible for a particular group of countries. The RIRs work with large enterprises, ISPs, telecoms and other organizations that need large blocks of IP space. These organizations typically have to go through an application and screening process in order to get these allocations, including providing legal documentation listing the officers of the company, its business and why the address space is needed.

And that's the way it's supposed to work everywhere. Applicants who can't show a need for the IP space are told politely to take a walk. But in some cases, criminals have found a way around this by going through local Internet registries (LIR) or by taking advantage of RIRs that don't have the resources to investigate every application as fully as they'd like.

The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation.

"It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers," said Alex Lanstein, senior security researcher at FireEye, an antimalware and anti-botnet vendor. "It takes one more level out of it: You own your own IP space and you're your own ISP at that point.

"If there's a problem, who are you going to talk to? It's a different ball game now. These guys are buying their own data centers. These LIRs and RIRs aren't going to push back if you say you need a /24 or /16. They're not the Internet police," Lanstein said.

No comments:

Post a Comment