Re: Article on spammers and their infrastructure

[Paul Ferguson <fergdawgster () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Dec 22, 2009 at 8:58 PM, Alex Lanstein <ALanstein () fireeye com>
wrote:

> I might as well reply to this here.  The folks from threatpost had me
> talk at length about the various issues with doing cybercrime enforcement
> and how things have changed, and they picked that section for their post.
>
> My key point I wanted to hammer home was that most of the modern botnets
> (and/or malware that has phone home capability) have a much more stable
> infrastructure, as more and more of the hosting pieces are controlled by
> the bad guys.
>
> In the old days you'd see C&C servers running from popped boxes, but now
> you're seeing the criminals renting their own servers from xyz
> datacenter, or worse, buying their own racks/cages and going to an LIR or
> RIR to get direct IP allocations.  They then rent out those allocations
> to other shell companies (or possibly to other criminals) and handle the
> abuse notifications on the frontend.  Since these data centers have many
> transit options, nullrouting an ip block at a single ISP hasn't been very
> effective.  And of course, getting an RIR to revoke IP space only happens
> if you don't pay the bills.  A year after allocation the blocks are
> pretty much burned anyways, so that's not a real barrier.  There doesn't
> even seem to be any policies against intentional fraudulent SWIPing of IP
> space, or at least, not one that's enforced.  The Knujon guys have had
> some success in the domain space, maybe this could happen in the ip world
> as well?
>
> The only technical statement in there that I think was misinterpreted was
> the "owning your own ip space makes you an isp" which I clearly didn't
> mean.  It's a quote so I must have said it but it must I think I had some
> qualifiers in there in that I was talking about the abuse desks at an
> ISP.  If they are the ISP they claim it was a downstream customer and
> that they've fixed the issue, when really it's their own stuff that they
> shuffle around.

Not that I need to do so, but I might as well -- I know Alex pretty well,
as both a trusted colleague & friend, and he is spot on in his assessment
here. If anything, he was mild in his criticizes -- this type of criminal
"diversification" has been the standard bat-and-switch method of operation
for several years now.

The criminals -- especially the professional Eastern Europeans -- have
become quite adept in their campaigns of registering domains, obtaining IP
address space, hosting facilities, etc., and are quite successful in their
criminal endeavors.

Folks should not be so obtuse about these activities. It's almost blatantly
in-your-face, so to speak. These guys have no fear of retribution.

$.02,

- - ferg


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLMbTTq1pz9mNUZTMRAvd8AJ0b/EY2TtqYKRqzsxxGr9GzG4TElgCgotLP
TYjuUwZjUYGRM+WLzwhDHRI=
=L6n9
-----END PGP SIGNATURE-----

-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/