Damballa has pulled its original blog post after admitting that the methodology of its botnet survey was incorrect. The security firm's analysis of active, malicious botnet command and control servers ignored the existence of deliberately established sinkholes, rendering its findings misleading. In particular it misrepresented …
location, location, location
"Half of the servers used by cyber-criminals for the purpose of controlling their botnet empires are located in commercial hosting facilities within countries not traditionally associated with this kind of crime,"
Otherwise known as not pissing on your own doorstep?
"the hosting providers within the top-10 may wish to investigate what makes them so attractive to criminals and should strive to become less so over time."
3 Reasons which I, as a customer, value just as much as any crims do, so I would say that they ought to strive to keep those factors.
I expect the hosts in question will simply look at these results and claim that it shows how popular they are as a host - claiming percentages of servers infected etc etc.
As mentioned by an @AC popularity may well be the cause. I just looked at the about page on 1-1 internet and you can see that they host a MASSIVE proportion of EU sites (ok they may have omitted some other players in their stats).
No one reading this with any valid concept of cyber crime will be thinking that the crims are hosting botnets on servers that Mr.Criminal has paid for, so they are merely finding vulnerable sites to host them on.
I see a growing trend in bloggers (even so called respected ones) to point out bad, with little context or analysis.
OK now what?
The authors of this study seem to be implying they know where a large number of C&C servers are, and they're in countries with relatively effective police forces, etc. So they need to take these details to them, get court orders to close down the identified servers for 30 days, take these to the host companies (very publicly), have the sites shut down. If no one steps forward complaining about their site being taken down (let's assume there will be at least one or two misidentified sites), then the site is taken down permanently.
Additionally, any of these sites whose owner details (which will be fake no doubt) are used on another site automatically get taken down for 30 days, pending the real person stepping forward, and then deleted permanently.
True this will not stop the criminals, who will just open more sites with more fake credentials, but the more difficult you make it, the better it is for all of us...
My thoughts? Are C&C the best counterpoints?
While I approve of anything that bothers the spammers and reduces the spam, I'm not convinced that the C&C servers are the best points of attack. This is fundamentally a kind of arms race situation where the spammers always have the initiative. Each time the spammers devise new ways to hide their C&C system and new ways for the zombots to find them, the defenders are put back on their heels trying to figure out what has happened. Actually, if you believe that computer security is possible, doesn't that mean the spammers have the advantage here? The problem of concealing a clandestine network is fundamentally a security question.
In contrast, there are areas where the characteristics of spam prevent the spammers from hiding, and I think that is where we should focus the anti-spam efforts. "Follow the money" and cut it off. Most concretely, the spammers need to have visible servers where the suckers can go before they can send the spammers any money or be fooled into installing zombot software. Those servers and the DNS registrations that lead to them are better loci of attack because they cannot be hidden from the suckers and the spammers want the simple-minded suckers to connect as easily as possible.
The other characteristic of spam that should be exploited is that there are far more people annoyed by spam than there are suckers who fall for it. I think this argues for a crowd-based approach that will assist the large number of people (even if only a small percentage want to help in fighting the spam) in cutting the spammers off from their small supply of suckers. Essentially I think the major email suppliers (as in Google before they went evil) should offer something like SpamCop on steroids. An interactive form that will analyze the spam intelligently (perhaps in two or three rounds) to direct more effective responses against the spammers and all of the spammers' accomplices. (I think this system should also route replies to the secondary victims of spam, such as the legitimate companies that want to defend their valuable brands from the spammers' exploitation and devaluation.)
I think such a system could really make the bathwater too hot for the spammers. I'm not saying they would miraculously become decent human beings. I'm just saying the spammers would move under less visible rocks. They are fundamentally lazy scumbags and scammers looking for easy profits, and spam email should NOT offer those profits.
The anti-MS icon for this comment? Because I feel that most of the zombot part of the current spam problem is an externalized cost and liability that Microsoft has shed and forced everyone else to bear. Again, follow the money.
"Countries such as China and Russia that (for better and mostly worse) tend to be most associated with hacking, spamming and cybercrime rank far below Western countries..."
Then why does the pie chart on the guy's web site show that Russia accounts for 26% while the US accounts for 23%? Is there some definition of 'far below' that I'm not aware of? I
Hosting providers don't care
I've made numerous reports to various hosting providers about spammers and scammers hosting their web sites on a provider. Hosting providers don't care if they are hosting scum, because
1) Scum pay them. Very well, in fact.
2) You, the person complaining about it, don't pay them.
3) There is no downside to hosting them. The hosting providers all say "as long as the spam doesn't come from us, we are in the clear."
So unless those conditions change, the hosting providers will continue to allow spammers and scammers on their networks.
I normally don't say "there ought to be a law", but in this case, there ought to be a law that says "If you host a site that is spamvertised, and you are informed of it, and you fail to take action, then you are guilty as an accessory and shall be fined heavily".
Failing that, the old "blacklist the entire hosting provider's netblock until they change" solution.
Grenade, for rectal use only by the spammers and hosting providers who love them.
Some do care
Having had a server hacked and a bot installed I can say that some ISPs do care. The bot was spotted quickly and the server shut down as a result. The ISP was Intergenia and the report that the bot was active came from 1&1.
1&1 has a *huge* data centre in Karlsruhe and many of the ISPs in Germany have pretty big data centres. AFAIK it's still a requirement in France to host .fr sites in France. Obviously the more sites you host the more C&C bots you will have all things being equal.
consistent monthly spam-l threads about them.
Likewise theplanet networks are consistently reported.
Germany and ARIN networks are for me the worst as I already block the majority of APNIC.
Most C&Cs are hacked servers
Most C&Cs are hacked servers with a patchlevel from another galaxy, far far away. If you installed j00mla 1 year ago and never patch it (like many many people do) it's just a question of time until your server gets h4x0r'd. Those server operators never even notice their lodgerz, because they do no harm to their websites.
Damballa got it wrong..
1&1 is innocent: