Proactive IT security
 

Safe crime

Introduction

We have previously advocated the view that endpoint security is just one of several tools needed to achieve a secure environment. This article examines one particular threat against the Internet community and discusses how it may be overcome.

Internet hosts used maliciously

Malicious Internet hosts (e.g. web servers) typically fall into one of two categories:

  1. hosts that are infected by malware or used for other unwanted activity without the responsible entity's knowledge
  2. hosts that serve malware or support other unwanted activity by design

These two types must be handled completely differently in order to stop their illegitimate activity.

Type 1 - The unknowing victim

This is by far the biggest group. The number of computers - particularly client computers infected by, for example, a bot, or web servers injected with, for example, malicious JavaScript - has been increasing steadily over the last few years. These two categories probably comprise the most serious threats to Internet users around the world.

Removing this problem involves several issues, which we shall examine briefly:

  • Identifying the infected computer,
  • Informing the entity that is responsible for the infected computer about the infection,
  • Cleaning the infected computer (or removing it from Internet access).

These issues are all characterized by the fact that it is usually not ill will that prevents the computer from being cleaned (or that caused the infection in the first place, we should add).

Most of us - private persons and organizations alike - are not interested in hosting a computer that participates in malicious activity. There may of course be technical difficulties involved in removing the threat, but security organizations, as well as the infected computer's Internet Service Provider (ISP), will usually be willing to help remove a security threat of this type.
Ultimately the police and/or other authorities in the country where the infected computer is located may be involved in eliminating this type of threat. The case discussed in our security article - Hey, your computer is infected! - is an example.

We refer to our previous security article - Your computer has been quarantined and cannot access the Internet - for a general discussion of how to diminish this type of threat.

Type 2 - Evil by design

This is a totally different problem, and it requires completely different procedures to solve.

In this case the person or organization responsible for the malicious computer knows that it is malicious. That is the whole point!
The responsible entity would not willingly take part in any of the three steps listed for type 1 above. On the contrary, its interests are the opposite:

  • Keeping the malicious computer unidentified,
  • Hiding the identity of the person(s) responsible for the malicious computer,
  • Keeping the malicious computer active (and ensuring its Internet access).

In many countries legislation, and its enforcement, allows the authorities to find and take down malicious computers that are physically located in that country. However, as we all know, the Internet has no physical borders corresponding to those that divide nations.

This finally brings us to this article's title: how certain characteristics of the Internet, together with the lack of common legislation and of the willingness to enforce it, allow safe crime.

Bulletproof hosting

Wikipedia's introduction to bulletproof hosting is:

(...) a service provided by some domain hosting or web hosting firms that allows their customer considerable leniency in the kinds of material they may upload and distribute.

The term "considerable leniency" is in many cases a euphemism for "total freedom".

Bulletproof hosting sites represent a major problem for those who combat cybercrime. These malicious sites are often hosted by smaller ISPs, usually located in countries where the legislation and/or the authorities' willingness or ability to enforce it are lacking, at best. By renting a bulletproof server, cybercriminals can carry out their illegitimate activity while avoiding legal action against them (in theory at least).

Information about how to get in contact with bulletproof hosting organizations has traditionally been available primarily to those who operate on the darker side of the Internet. This is no longer the case: a simple Google search leads anyone to web sites where such hosting services can be purchased.

The bulletproof hosting services' web sites are professionally set up and resemble any ordinary commercial web site. Below is a snapshot of one of the hosting plans offered by a bulletproof hosting site. Note that any content (except porn) is allowed.

The financial malware Zeus/Zbot uses bulletproof hosting extensively, as these online statistics show.
Note: You are strongly advised not to follow links from these statistics, as they may lead to malware.

Solving the bulletproof hosting problem

In our security article of almost exactly two years ago - Combattere i malware su due fronti - we wrote about two instances in which Internet organizations that were instrumental in hosting bulletproof domains were taken down.

Since the Internet is borderless, the bulletproof hosting problem cannot be solved without international cooperation; it is yet another example of an issue where such cooperation is needed. Several types of coordinated effort must be initiated and prioritized between:

  • Legislative bodies (nations and multinational organizations)
  • Law enforcement agencies
  • Organizations in the private sector (ISPs, security organizations)

The international community has managed to agree upon, and cooperate against, other types of criminal activity (child pornography, trafficking, drugs). Cybercrime is another field that requires international efforts, as it is borderless by design.

Needless to say, completing the above-mentioned efforts worldwide will take considerable time and effort, and bulletproof hosting will not disappear overnight.
Increased efforts by those parties that must be instrumental in solving the problem are encouraged and called for.
Dare we hope for action from the appropriate authorities?