JohnInSJ Premium Member join:2003-09-22 Aptos, CA
to MGD
Re: FTC Shutters N. Calif. Hosting Firm for Botnets, Kiddie Porn
said by MGD: First official response from 3FN.NET, Pricewert LLC, etc via "Dean McToner" regarding the FTC court ordered shut down.
Wow... after reading that, I was expecting to hear I won $4MILLION USDOLLARS. Seriously, it reads like a scam. Roughly translated: we thought we had set this puppy up to have plausible deniability, but now we are not so sure. Sorry about that. Keep stomp
MGD
MVM
2009-Jun-14 8:01 pm
said by JohnInSJ: ... Roughly translated: we thought we had set this puppy up to have plausible deniability, but now we are not so sure. Sorry about that. Keep stomp
Indeed, and their response to a portion of the ICQ logs that were released underscores that strategy. The "misunderstanding" angle: though based in the Ukraine, we were actually collecting evidence for US law enforcement:
... 3) As for ICQ logs, text files in which ICQ history is saved can not be the evidence of Pricewert complicity. Nevertheless, the dialogue between our representative and botnet owner was misinterpreted. The only intention of our representative was to obtain and further provide the information about botnet holders in order to close their servers and report to authorities. As we have had an experience in cooperating with the U.S. authorities we know what is required to actually shut down the cyber criminal activity. Our representative was trying to get as much information as possible .........
I am not sure who they think that explanation is going to convince. Besides the damning ICQ logs, the FTC submitted documentation from multiple sources confirming a long history of botnet activity and C&C history originating from their network (minus the citations). quote:
..... Spamhaus has a long history with 3FN, and has sent 3FN more than 70 abuse reports since 2005. Spamhaus's abuse complaints to 3FN have been answered by two individuals since 2007: "Sergey Dubenco" and "Nick Tooms." Both of these individuals appear to be located outside of the United States, possibly in Ukraine or Estonia. Based on Spamhaus's interactions with 3FN, it is Linford's view that 3FN is actively collaborating with and protecting its clients who are engaged in spam and botnet-related activity. Linford bases this conclusion on 3FN's interactions with Spamhaus since 2007. During that period, 3FN has demonstrated a consistent "push a pawn" strategy, whereby 3FN feigns cooperation with Spamhaus by temporarily removing offending web sites and servers, only to reinstate them shortly after Spamhaus has withdrawn the IP address from the SBL.
In several cases, 3FN has moved offending websites to other IP addresses controlled by 3FN, in what Linford believes to be an effort to evade detection by Spamhaus. Linford includes several examples of 3FN's suspect behavior in his declaration, including an incident involving botnet command and control servers hosted by 3FN. Between November 2008 and March 2009, Spamhaus reported 17 different IP addresses controlled by 3FN that were home to botnet command and control servers. In Linford's view, this is a huge number of command and control servers to be located on any one network in the same time frame, and puts 3FN in the same category as McColo and Atrivo/Intercage - two notorious rogue ISPs that were taken offline by their upstream providers.
In response to Spamhaus's abuse complaints regarding the botnet command and control servers, 3FN assured Spamhaus that the command and control servers located by Spamhaus had been taken down. This assertion proved to be false. Data collected by Andre' DiMino (discussed below) establishes that at least five of the command and control servers reported by Spamhaus - and purportedly taken down by 3FN - were not in fact removed.
Andre' DiMino, Co-Founder and Director, The Shadowserver Foundation
Andre' DiMino is the Co-Founder and Director of The Shadowserver Foundation, a group of security researchers that gather information on malicious software, botnet activity, and compromised servers. As described in depth in DiMino's declaration, Shadowserver employs a comprehensive and regularly validated method of capturing and logging information related to Internet-based malicious activity.
At the FTC's request, DiMino queried the Shadowserver database for reports of malicious activity originating from IP addresses controlled by 3FN. DiMino's query covered the time period January 1, 2008 through May 7, 2009. During that period, DiMino found 311 unique IP addresses controlled by 3FN that were found to be participating in, or facilitating, malicious activity.
DiMino's database search also revealed 4,576 unique malicious software programs ("malware") that use 3FN's servers as a botnet command and control server. DiMino's analysis of this malware found a range of malicious behavior, including programs capable of keystroke logging, password stealing, data stealing, programs with hidden backdoor remote control activity, and programs involved in spam distribution.
At the FTC's request, DiMino searched the Shadowserver database for evidence of botnet command and control servers at a series of IP addresses provided by the FTC. The FTC obtained these IP addresses from Spamhaus, which connected them to botnet command and control activity, and reported them to 3FN in late 2008 and, in one case, early 2009. As detailed in Steve Linford's declaration, 3FN responded to Spamhaus's complaint and reported that these command and control servers were taken offline. DiMino's data confirms that 3FN's representations to Spamhaus were false. In fact, the botnet command and control servers purportedly taken down by 3FN continued to operate after the date 3FN told Spamhaus they had been taken offline.
Dean Turner, Director of the Global Intelligence Network, Symantec Corporation.
Dean Turner is the Director of the Symantec Corporation's Global Intelligence Network. Among other responsibilities, Turner manages and co-authors Symantec's annual Internet Threat Report, coordinates the research and analysis conducted on attack data gathered from Symantec's network of Internet sensors, and manages Symantec's Deepsight Analyst teams, which study cyber attacks and the vulnerability of systems to cyber attacks.
Symantec's Global Intelligence Network database consists of information gathered by Symantec's network of "infield sensors" - software and hardware managed by Symantec that report Internet threat data back to Symantec - as well as sensors in the control of third parties (for example, users of Symantec's anti-virus software who have agreed to share data with Symantec).
At the FTC's request, Turner queried the Global Intelligence Network databases by searching for cyber intrusions or attacks originating from IP addresses belonging to 3FN in the past six months. Turner's query found more than 600 IP addresses controlled by 3FN launching a variety of attacks, including a number of attacks capable of taking control of a user's computer. Turner's query also revealed phishing and spam activity originating from 3FN IP addresses, and 17 different 3FN IP addresses that housed botnet command and control servers.
I am confident that the court will make the current temporary order permanent, and 3FN will lose their US connectivity. However, I doubt that much of their financial assets are within the reach of US authorities. Nor do I believe the FBI search warrant will produce enforceable indictments, as the individuals are outside of the jurisdiction in what can only be described as "unfriendly" territory. The recovered data will no doubt produce a considerable amount of valuable intelligence. These actions will not put the people behind 3FN out of business. Watch where some of their "clients" resurface, such as "Hayter Merchants Inc" of "Belize", and Hayter's sub "Mirall Inc", purveyors of sick violent extreme porn e.g. » whois.domaintools.com/al ··· rape.com
MGD
said by MGD: I am confident that the court will make the current temporary order permanent, and 3FN will lose their US connectivity. However, I doubt that much of their financial assets are within the reach of US authorities. Nor do I believe the FBI search warrant will produce enforceable indictments, as the individuals are outside of the jurisdiction in what can only be described as "unfriendly" territory. The recovered data will no doubt produce a considerable amount of valuable intelligence. These actions will not put the people behind 3FN out of business. Watch where some of their "clients" resurface, such as "Hayter Merchants Inc" of "Belize", and Hayter's sub "Mirall Inc", purveyors of sick violent extreme porn e.g. » whois.domaintools.com/al ··· rape.com
This is a huge rabbit hole, and after the investigation this was the only possible action. As you are correct, nothing other than 'connectivity' is in an enforceable area, but now that it's cut it will resurface somewhere else, and likely sooner than later. Ultimately it is another example of why, when I become Emperor of the Internet, I'm chucking the Registry guys up against the wall first, as they help enable these rabbit holes. The internet is not without its problems and some people are very very good at exploiting those, and operate in ways that they are pretty well untouchable, but you never know what will happen down the road as sometimes things change (or people find themselves in a different location where the rules are different).
Blake
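The cross-check the Spamhaus and Shadowserver declarations describe (did a C&C host reported as taken down actually go quiet, keep running, or reappear after the listing was withdrawn) written out as an added Python example; this is not code from the thread or the FTC filing, and every IP and date in it is constructed.

```python
from datetime import date, timedelta

# Constructed sample records for illustration; the IPs (RFC 5737 test range)
# and dates are invented and do not come from the FTC filing.
# Each report: an IP reported as a C&C host and the date the provider
# claimed it had been taken offline.
REPORTS = [
    {"ip": "192.0.2.10", "claimed_down": date(2008, 11, 5)},
    {"ip": "192.0.2.11", "claimed_down": date(2008, 12, 2)},
    {"ip": "192.0.2.12", "claimed_down": date(2009, 1, 16)},
]
# Sightings from an independent sensor feed: (ip, date a C&C beacon or
# connection to that IP was observed). .10 keeps running after the claimed
# takedown, .11 really goes quiet, .12 disappears and returns a month later.
SIGHTINGS = [
    ("192.0.2.10", date(2008, 11, 1)), ("192.0.2.10", date(2008, 11, 9)),
    ("192.0.2.10", date(2008, 12, 20)),
    ("192.0.2.11", date(2008, 11, 30)),
    ("192.0.2.12", date(2009, 1, 10)), ("192.0.2.12", date(2009, 2, 20)),
]


def takedown_status(reports, sightings, grace_days=2, quiet_days=14):
    """Classify each reported IP from independent sightings.

    'down':         no sighting after claimed_down + grace_days
    'still_active': sightings resume within quiet_days of the cutoff,
                    i.e. the host was never really taken offline
    'reinstated':   quiet for longer than quiet_days, then seen again,
                    the pattern the Spamhaus declaration calls 'push a pawn'
    grace_days absorbs sensor clock skew and delayed reporting.
    """
    by_ip = {}
    for ip, seen in sightings:
        by_ip.setdefault(ip, []).append(seen)
    status = {}
    for r in reports:
        cutoff = r["claimed_down"] + timedelta(days=grace_days)
        late = sorted(d for d in by_ip.get(r["ip"], []) if d > cutoff)
        if not late:
            status[r["ip"]] = "down"
        elif (late[0] - cutoff).days <= quiet_days:
            status[r["ip"]] = "still_active"
        else:
            status[r["ip"]] = "reinstated"
    return status


if __name__ == "__main__":
    for ip, verdict in takedown_status(REPORTS, SIGHTINGS).items():
        print(ip, verdict)
```

Widening quiet_days collapses the "reinstated" case into "still_active", so the threshold should be chosen from how long the provider's delisting cycle actually takes.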
MGD
MVM
2009-Jun-17 9:28 pm
said by Link Logger: ... Ultimately it is another example of why when I become Emperor of the Internet, I'm chucking the Registry guys up against the wall first as they help enable these rabbit holes. ... Blake
A valid point indeed. There has been, and continues to be, a disproportionate amount of nefarious and fraudulently registered domains processed through some registrars, a fact that ICANN fails to address. ICANN appears to be oblivious to the tactic of the multiple paper shell company set-ups that enable either existing or applying registrars to masquerade and project themselves as being located in places where they are not. I believe ICANN recently agreed to require registrars to publish where they are incorporated and registered at. However, there have been repeated statements from the outside that this requirement falls short of being transparent, and that ICANN should require that they list the domicile country of the corporate officers as well. It has not been that long ago that ICANN actually entertained the idea of cloaking all domain registrations by default. Surely an indication of a lack of awareness of the current state of the "NET".
MGD