<p><b>HostExploit - Exposing Abuse of Web Site Hosts and Registrars</b><br />WHETHER IT IS SPAM, MALWARE, PHISHING, AD-WARE, SPYWARE, CHILD PORNOGRAPHY, OR CYBER WARFARE, THEY ARE ALL HOSTED SOMEWHERE. 'HOSTEXPLOIT' PROVIDES ONGOING LISTS, BLOCKING RULES, AND EXPOSURE. IF YOU ARE ONE OF THE HOSTS EXPOSED AND FEEL OUR ATTENTION IS UNFAIR, WE WOULD WELCOME HEARING FROM YOU SO THAT WE CAN REMOVE YOU FROM OUR LISTS. THIS IS A COMMUNITY EFFORT AND WE ALSO WELCOME ANY INPUT – CONTACT HOSTEXPLOIT(at)GMAIL.COM</p>
<p><b>Actions against registry services abuse – Report April 2009</b> (HostExploit, 2009-04-09)</p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://hostexploit.com/images/stories/Directi%20Hostexploit%200409b.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 530px; height: 498px;" src="http://hostexploit.com/images/stories/Directi%20Hostexploit%200409b.jpg" alt="" border="0" /></a><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://hostexploit.com/images/stories/Directi%20Hostexploit%200409a.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 348px; height: 562px;" src="http://hostexploit.com/images/stories/Directi%20Hostexploit%200409a.jpg" alt="" border="0" /></a><br /><br />The figures above review the recent actions taken by Directi, in conjunction with independent advice from HostExploit, to track down and stop abusive domain names and registrants from abusing Directi’s services.<br /><br /><b>Registrar Abuse</b> <ul><li>8,506 domain names have been suspended that were either involved in abusive activity or registered by
customers/registrants exhibiting persistent patterns of abuse.</li><li>These domain names (and/or their registrants) were involved in various types of abuse, such as spamming, phishing/spoofing, malware perpetration, child pornography, financial fraud and falsified ‘Whois’ information.</li><li>All other services utilized by any of these domain names have also been revoked.</li></ul> <p><b>Analysis</b><br /><br />HostExploit is pleased to report that Directi, while reviewing the complaints received over the past few months about domain names involved in abuse and suspending those names, found certain trends:</p> <ul><li>Domain names registered with the same or similar contact information (name, address patterns)</li><li>Bulk registrations of domain names with a slight variation in the domain name, e.g. 2008bases1.net, 2008bases2.net, 2008bases3.net, 2008bases4.net, 2008bases5.net …, by abusive registrants/customers</li><li>The same blacklisted name servers being repeatedly utilized</li><li>Registrations in the same customer account involved in various forms of abuse</li><li>Based on these, we reviewed all domain names, first in the customer's account, then in the reseller's account and then across the databases.</li></ul> <p>An active list of directly suspended domains is available for download from HostExploit.com<br /><br />Note: HostExploit and Directi’s agreement to maintain cooperative collaboration to clamp down on spam and other forms of abuse on the Internet has worked and continues to work. HostExploit confirms that they are pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that may be using Directi's services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis.
With a view to net neutrality, all actions are based upon the ACM (Association for Computing Machinery) Code of Ethics: http://www.acm.org/about/code-of-ethics<br /><br />We welcome any concerns or reports related to the abuse of Directi’s registry services; please forward them to abuse(at)directi.com or admin(at)hostexploit.com.<br /><br />Together with the community we hope to continue taking steps to make the Internet a better and safer place.</p>
<p><b>Are you a Conficker Zombie?</b> (HostExploit, 2009-02-19)</p><div style="text-align: justify;">With the advent of Conficker, avoiding becoming one of the estimated 20 million or so zombie recruits of the botnet armies requires ongoing awareness. At the very least we need to be personally alert, to make it difficult for the cyber criminals. If you are reading this article on an MS Windows based PC and you have not updated your XP or Vista operating system since October 2008, there is a reasonable chance you are a zombie, or rather your PC is.<br /></div><br /><div style="text-align: justify;">Before we see the regular smirks and responses from Mac and Linux users, stressing how safe they are and that it is all the fault of Microsoft: the now commonplace blended attacks, whose singular purpose is to add your PC to the zombie botnet armies, are designed to gain control regardless of operating system. MS Windows, Mac, Linux, iPhone, iPod: all have “Hosts files” which allow you, webmasters, or network administrators to map a host name directly to a remote IP address.
So if you can do this, guess who else could configure your hosts file; more about this below.<br /></div><br /><div style="text-align: justify;">Here are a couple of examples of the sophistication of the latest blended attacks, which also serve as the latest clues for Conficker bounty hunters.<br /></div><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhu613rervDFes6nqW2AUHwHQG6VGvrxMkBvNrfL0-FSn-DAQjL5LqHccGGbuNKURu_QIKB50KMkdM4mwchj8gMtVqe4T9L6eXJcHr94tW7RBzz2xCj6MZ-xYJQHOffLS3-Ig1C4cTt-g/s1600-h/cnfic_fr.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 308px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhu613rervDFes6nqW2AUHwHQG6VGvrxMkBvNrfL0-FSn-DAQjL5LqHccGGbuNKURu_QIKB50KMkdM4mwchj8gMtVqe4T9L6eXJcHr94tW7RBzz2xCj6MZ-xYJQHOffLS3-Ig1C4cTt-g/s400/cnfic_fr.jpg" alt="" id="BLOGGER_PHOTO_ID_5304609253173751426" border="0" /></a>Fig 1 - Conficker - (ref; Internetpol.fr)<br /></div><br /><div style="text-align: justify;">Gone are the days when the simple diagnostic of an infected PC or zombie was essentially that the machine was overheating and showed a marked drop in speed. The Conficker agents essentially check for the presence of the firewall and ask the firewall to open a backdoor to the Internet; once that is done, the worm downloads its payload. Interestingly, the early version checked whether the target had a Ukrainian IP address or a Ukrainian keyboard layout and, if either was present, stopped any infection.
Once a PC is infected it will sleep, waking only every 3-4 hours to (quietly) call home for its latest instructions and IP addresses.<br /></div><br />Another recent example is called “Virux” (see <a href="http://blog.trendmicro.com/virux-cases-escalate/">PE_VIRUX variants</a> - TrendMicro)<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDdz22N9ES6JbwBBLoRulpBjLdW0Nga7FN2Gw_iK-oLzwScGNmijjPStWv8VLHdHoP9MgokCju-Xx3afhpFlO0e7QKNHm4XZCg0nGGnTrjV5QTjbMHkBQIqMFTa2gUfni2QYaH6QRdREo/s1600-h/Virux_+trend.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 134px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDdz22N9ES6JbwBBLoRulpBjLdW0Nga7FN2Gw_iK-oLzwScGNmijjPStWv8VLHdHoP9MgokCju-Xx3afhpFlO0e7QKNHm4XZCg0nGGnTrjV5QTjbMHkBQIqMFTa2gUfni2QYaH6QRdREo/s400/Virux_+trend.jpg" alt="" id="BLOGGER_PHOTO_ID_5304610843509829666" border="0" /></a>Fig 2 - Virux (TrendMicro)<br /></div><br /><div style="text-align: justify;">Here Virux infects the PC via the browser and phones home via IRC (Internet Relay Chat) servers for botnet control instructions. Just to emphasize, there is some dispute as to whether Virux is another variant or from the same stable as Conficker, due to the similarity of its attack vectors, or just an update of the older “Virut” exploit, which gained fame back in November 2008 for utilizing a vulnerability in <a href="http://www.adobe.com/support/security/bulletins/apsb08-19.html">Adobe Reader</a>. Both of these examples, Conficker and Virux, block access to security websites and anti-virus downloads.
They also use sophisticated IP geolocation systems to deliver further exploits appropriate to the victim's location and, more importantly, to enhance cyber-criminal affiliate sales, for example the resale and botnet rental of, say, just PCs on the US West Coast or in Australia.<br /></div><br /><div style="text-align: justify;">Now for the good news: all the above should alarm the average reader, but most of this can and should be avoided. Both of these examples spread through network sharing, weak passwords, and the bad guys' use of autorun.inf files, which are copied to USB drives and other removable media. You should therefore have applied the latest operating system updates and anti-virus, and upgraded to Adobe Reader 9.0. Also, why anyone, whether an individual or a company, would not use the free “<a href="http://opendns.com">OpenDNS</a>” service, which you can set to block phishing, adware, and many of these other nuisances, is still surprising.<br /></div><br /><div style="text-align: justify;">For a really simple check, how is your “Hosts file”? For the wider details visit Tom Olzak’s excellent article <a href="http://blogs.techrepublic.com.com/security/?p=738">here</a>. For MS Windows users it is really simple: using Windows Explorer go to <span style="font-weight: bold; font-style: italic;">c:\windows\system32\drivers\etc</span>, open the hosts file in Notepad, and if you see anything beyond the standard “<span style="font-weight: bold;">127.0.0.1 localhost</span>” entry then ask yourself why; more worryingly, you may already be a botnet zombie.<br /></div>
<p><b>Conficker; A Bounty Hunter’s Guide</b> (HostExploit, 2009-02-13)</p><span style="font-size:100%;"><span style="font-family:trebuchet ms;">You know things are serious when Microsoft Corp.
ponies up a </span><a style="font-family: trebuchet ms;" href="http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx" target="_blank">$250,000 bounty</a><span style="font-family:trebuchet ms;">. The software vendor is offering the cash in exchange for information leading to the arrest and conviction of the Conficker worm creator(s). </span></span><p style="text-align: justify;font-family:trebuchet ms;"><span style="font-size:100%;"><br />It's part of an unprecedented and coordinated response with ICANN and security researchers from Afilias, AOL LLC, Arbor Networks Inc., CNNIC, F-Secure Corp., Georgia Tech, Global Domains International Inc., Internet Storm Center (ISC), M1D Global, NeuStar Inc. (NYSE: NSR), Public Internet Registry, Shadowserver Foundation, Support Intelligence, Symantec Corp. (Nasdaq: SYMC), and VeriSign Inc. (Nasdaq: VRSN) to disable the hosting and distribution of the worm. </span></p><p style="text-align: justify;font-family:trebuchet ms;"><span style="font-size:100%;"><br />Obviously no one's out to justify or encourage the "Wild West" ethics where this reward's concerned, and it's not the first time Microsoft has gone this route. In 2005, the vendor offered $250,000 for the identity of the creator of Netsky, a.k.a. the Sasser worm, leading to the unmasking of German student Sven Jaschan. But for the interested, the curious, and the bounty-minded, what follows is a starter guide and roadmap to help this latest industry-wide effort along.</span></p><br /><span style="color: rgb(255, 0, 0); font-weight: bold;">What is Conficker?</span><br /><br /><span style="font-size:100%;"><span style="font-family:trebuchet ms;">First, do not get blindsided by the linguistics and its plethora of names. Conficker.A is what CA Inc. (Nasdaq: CA) calls it, but it also goes by Conficker.worm (McAfee Inc. (NYSE: MFE)); Downadup (Symantec); and Kido and Net-Worm.win32.kido.bt (Kaspersky Lab). They are all the same thing.
It spreads through the use of network shares and weak passwords. Additionally, it uses Windows AutoRun functionality, wherein autorun.inf files are copied to USB drives and other removable media.</span><br /><br /><span style="font-family:trebuchet ms;">When Conficker takes control of the user’s PC it:</span><ul><li><span style="font-family:trebuchet ms;">Injects its code into the address space of one of the “svchost.exe” system processes.</span></li><li><span style="font-family:trebuchet ms;">Disables System Restore.</span></li><li><span style="font-family:trebuchet ms;">Blocks any addresses which contain the following strings:</span></li></ul><span style="font-family:trebuchet ms;">indowsupdate / wilderssecurity / threatexpert / castlecops / Spamhaus / cpsecure / arcabit / emsisoft / sunbelt / securecomputing / rising / prevx / pctools / norman / k7computing / ikarus / hauri / hacksoft / gdata / fortinet / ewido / clamav / comodo / quickheal / avira / avast / esafe / ahnlab / centralcommand / drweb / grisoft / eset nod32 / f-prot / jotti / Kaspersky / f-secure / computerassociates / networkassociates / etrust / panda / Sophos / trendmicro / mcafee / Norton Symantec / Microsoft defender / rootkit / malware / spyware / virus</span><br /><br /><span style="font-family:trebuchet ms;">Each day, the worm generates a fresh list of about 250 random domain names such as abfhhibxci.cn. It then checks those domains for new instructions, verifying their cryptographic signature to ensure that they were created by Conficker's author.
It should be stressed that this malware is infecting PCs but has not yet been switched on via command and control functions to act as a botnet.</span></span><br /><br /><span style="color: rgb(255, 0, 0); font-weight: bold;font-family:trebuchet ms;" >From whence did Conficker spring?</span><br /><br /><div style="text-align: justify;"><span style="font-size:100%;"><span style="font-family:trebuchet ms;">Conficker exploits a remote code execution vulnerability in the Server service of Windows 2000, 2003, 2008, XP, and Vista that was first reported to Microsoft in October 2008; </span><a style="font-family: trebuchet ms;" href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx" target="_blank">a security update</a><span style="font-family:trebuchet ms;"> was released on Oct. 23. Estimates vary as to the extent of infection: F-Secure reported on Jan. 16 that Conficker had infected 9 million PCs worldwide, with 353,495 unique IP addresses; 10 days later, this was revised to 15 million infected PCs.</span></span><br /></div><br /><span style="color: rgb(255, 0, 0);font-family:trebuchet ms;" >Where are the major infection centers?</span><br /><br /><div style="text-align: justify;"><span style="font-size:100%;"><a style="font-family: trebuchet ms;" href="http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=9526" target="_blank">Panda Security</a><span style="font-family:trebuchet ms;"> reported on Jan. 21 that Conficker was present in 83 countries and that an estimated 6 percent of the entire world’s PCs were infected, say, 18 million. It further estimated that the countries with the highest rates of virulence were the U.S., China, Spain, Taiwan, and Brazil. Press reports have circulated that American military systems were infected via USB drives, and that U.K. Royal Navy warship and submarine systems were infected and rendered unusable; French fighter planes were also reportedly grounded.
Symantec is monitoring 450,000 IP addresses (PCs) with the original infection, with another 1.7 million PCs infected per day.</span></span><br /></div><br /><span style="font-weight: bold; color: rgb(255, 0, 0);">Who created Conficker?</span><br /><br /><div style="text-align: justify;"><span style="font-size:100%;"><span style="font-family:trebuchet ms;">In this case, the $250,000 question could take a dozen pages of explanation. One simple form of analysis for the potential bounty hunter is to follow the rabbit. But you'll need some Russian language skills. If we examine Kaspersky’s Virus List of Jan. 2, the Conficker worm was originally downloading from trafficconverter.biz, so that's a good starting place. A little examination shows this domain was originally registered via the now defunct EstDomains in December 2008. Even better, some additional Googling gives us a clue to the origin: in Russian hacker forums, we can see earlier offerings from trafficconverter.biz providing excellent reseller margins of $30 a pop to hackers for ensuring downloads of infectious, rogue anti-virus software.</span></span><br /></div><br /><div style="text-align: center; color: rgb(255, 0, 0);">Not resolving - trafficconverter.biz<br /><br />Resolving – trafficconverter2.biz<br /></div><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyMefrX_1ZpqGtRCbMIqfccaP4zCXuH5z1Y0ejaBW9EYxsWR5qqasm147_uwV2ymy9nIvsEq8L9BurtChFU31KK3g7HFlu8LYD4y1E7Y08ziQ3VPjZyfHhlhPadluL__iRc3R4LfnOZqI/s1600-h/trafficconverter2_ip.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 95px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyMefrX_1ZpqGtRCbMIqfccaP4zCXuH5z1Y0ejaBW9EYxsWR5qqasm147_uwV2ymy9nIvsEq8L9BurtChFU31KK3g7HFlu8LYD4y1E7Y08ziQ3VPjZyfHhlhPadluL__iRc3R4LfnOZqI/s400/trafficconverter2_ip.jpg" alt="" id="BLOGGER_PHOTO_ID_5302434741029641810" border="0" /></a><br /><div style="text-align: center; color: rgb(255, 0, 0);">Sister site – RX-Partners.biz<br /></div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU9ecuDus6j4wpuyj-LhFnz5vYgxP_6-xc3CuTqNCcA5TBLbHTCkcB8A1I2anYAnoo4_IFmGQo8HejaqZ9jR6zzLXpoEvMTunTOM6ObIsKmjp1n2xlDpTTQQ98UjKdL-MgJjgrcffsiuY/s1600-h/rx_partners+biz_ip.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 140px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU9ecuDus6j4wpuyj-LhFnz5vYgxP_6-xc3CuTqNCcA5TBLbHTCkcB8A1I2anYAnoo4_IFmGQo8HejaqZ9jR6zzLXpoEvMTunTOM6ObIsKmjp1n2xlDpTTQQ98UjKdL-MgJjgrcffsiuY/s400/rx_partners+biz_ip.jpg" alt="" id="BLOGGER_PHOTO_ID_5302435141276593554" border="0" /></a><br /><div style="text-align: justify;"><span style="font-size:100%;"><span style="font-family:trebuchet ms;">Given the limited space and time, see what conclusions you can draw. You should end up with a combination of hosts, each with a questionable, cybercriminal reputation: AS43816 Centralux (a.k.a.
WebAlta, Russia); AS28753 NetDirect (Germany); and AS41867 Geonic (Ukraine). Whether this gets you any closer to Microsoft's reward will depend on which rabbit hole you go down. But it is safe to say that this sort of incentive will flush out Conficker's writer(s)... The only remaining question is just how long that will take.<br /><br />Happy hunting!</span></span><br /></div>
<p><b>Cloning Security</b> (HostExploit, 2009-02-11)</p><div style="text-align: justify;"><a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt90A6Cgan81cwdCVUQmj62-r2Yx8nTt3v1xBfeJtXhhNDAAQiTZT7wWNdPCRpirZTcKoPJJyK7_srBa8snRON1S8bhAllZ4hMc3Ru2cIWZLj5O2zWJP1T1tcb0o6Dza5wvjgQPD59Eys/s1600-h/clonesecurityt.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt90A6Cgan81cwdCVUQmj62-r2Yx8nTt3v1xBfeJtXhhNDAAQiTZT7wWNdPCRpirZTcKoPJJyK7_srBa8snRON1S8bhAllZ4hMc3Ru2cIWZLj5O2zWJP1T1tcb0o6Dza5wvjgQPD59Eys/s320/clonesecurityt.jpg" alt="" id="BLOGGER_PHOTO_ID_5301631637833952738" border="0" /></a>Coming to a PC near you very soon is an innovative and possibly deadly combination of well-known exploitation techniques, emerging from the dark side of the Internet. What makes this new attack so innovative are the targets: Internet security information and research Web sites. Hackers in the last week have been creating exact clones of Internet security Websites using proxies, DNS (Domain Name System) spoofing or redirection, and distributed denial-of-service (DDoS) attacks.<br /><br />It should not surprise anyone to realize that Internet security research, forums, and information Websites are attacked on a regular or even daily basis.
Mostly it is nuisance spam, bogus log-in attempts, or hack attempts to gain entry to the administrator side, and in more intense cases, DDoS.<br /><br /><br />But this cloning approach emerged from investigation only in the last week. To begin with, there was the discovery, purely by accident, of an exact clone of the <span style="font-weight: bold;">HostExploit</span> Website. After further investigation, it was discovered this was not an isolated case, with one server hosting clones of security sites like <span style="font-weight: bold;">avertlabs.com </span><span>(McAfee)</span><span style="font-weight: bold;">, isc.sans.org, milw0rm.com, nmap.org, packetstormsecurity.org, secunia.com, securiteam.com, securityfocus.com, securityreason.com, thedarkvisitor.com, www-935.ibm.com </span><span>(IBM)</span><span style="font-weight: bold;">, and xforce.iss.net </span><span>(IBM)</span><span style="font-weight: bold;">.</span><br /><br />In itself this was a worrying discovery, even if viewed simply in terms of content theft, hijacked traffic, click-through, SSL forgery, PayPal information, RSS links etc. from relatively high-traffic security sites. However, in parallel with the emergence of these clones, commencing on Friday and over the weekend, several of the real sites listed as clones and a few others -- <span style="font-weight: bold;">Metasploit, Zone-H</span>, and <span style="font-weight: bold;">Kaspersky</span> -- were under hacker or DDoS attack, and in some cases a mixture of the two. For a while a couple of sites were completely unavailable for a day or so, and one or two are still under a continuous DDoS attack.<br /><br />Working off limited data from server logs and network traffic, at least a couple of the attacks originated from Poland (AS5617 TPNET); Romania (AS9050 Romtelecom, AS39650 VIANET); Russia (JSC servers funneled via RTcomm, and Rostelecom via AS9002 RETN); and Turkey (AS9121 TTNet, AS8386 KOCNET).
Many of these servers appear regularly on lists of the worst European offenders for hosting spam and exploits, according to the German-based anti-spam service <a href="http://www.uceprotect.com/" target="new">UCEprotect</a>.<br /><br />I must emphasize here that there's no proven link between the appearance of the clones and this weekend's attacks. This could be a simple coincidence, but as Edmund Burke said, <span style="font-style: italic;">"Better be despised for too anxious apprehensions, than ruined by too confident security." </span>It does leave the open question: if, by hacking and DDoS, the real security Websites were offline, the only source available could be the clones. From there it is a simple step to use DNS redirection, cookie plants, and other exploits to ensure visitors went to, and continued to visit, the false, cloned sites.<br /><br />Consider the mayhem that could be caused by providing bad file downloads and misinformation using these sorts of exploits, botnets, and spam, or even by distorting the core news and advisories this sector, its enterprise customers and the press depend upon. Worst of all, even without any changes from the real sites, the data gathered from all those misdirected, security-minded visitors would be hugely valuable.<br /><br />Obviously the intended outcome of the attacks and the clones is to damage reputations, create distrust, and ultimately make it easier for cyber-criminals to operate. The good news is that, thanks to swift action, the discovered clones and the hacker site serving them are offline.
This is certainly not the last we will see of this approach.</div>
<p><b>Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 2</b> (HostExploit, 2009-01-28)</p><strong><em><span style="color: rgb(255, 0, 0);">The Kyrgyzstan DDoS Attacks of January, 2009: Assessment and Analysis</span><br /><br />Note:</em></strong><em> This post is a joint effort of <a href="http://hostexploit.com/" onclick="javascript:pageTracker._trackPageview ('/outbound/hostexploit.com');">HostExploit.com</a>, Jeff Carr of <a href="http://intelfusion.net/wordpress/">IntelFusion</a> and Greg Walton of <a href="http://www.infowar-monitor.net/" onclick="javascript:pageTracker._trackPageview ('/outbound/www.infowar-monitor.net');">InfoWarMonitor.net</a>. Further analysis may be forthcoming from individual contributors at their respective Web sites.</em> <p class="MsoNormal" style="font-family:trebuchet ms;">On January 18, 2009, a large scale DDoS attack began against Kyrgyzstan Internet service providers (ISPs). The key national Web server site Asiainfo.kg and<span> the Kyrgyzstan official domain registration service Domain.kg have only been available intermittently since Jan 18<sup>th</sup>, 2009.
</span></p> <p class="MsoNormal" style="font-family:trebuchet ms;"><span>Russian-based servers primarily known fo</span><span>r cybercrime activity have been identified through IP analysis with the attacks on Kyrgyzstan.</span></p><p class="MsoNormal"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5NxotDra5dZyqbkA94msHlmeQ_fMeKJj8ZI2Vu0bZtfJmvwGdtGh-afflp25-vC0fsM2N4RSzVd_1SJTYka57yzjN1miJbv3Tbs5Fl4QWYJTqadKOB0md9Fx0sCCHcf8tZdUaJ8xqPwc/s1600-h/kyrgy-as-map-0109-color.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 255px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5NxotDra5dZyqbkA94msHlmeQ_fMeKJj8ZI2Vu0bZtfJmvwGdtGh-afflp25-vC0fsM2N4RSzVd_1SJTYka57yzjN1miJbv3Tbs5Fl4QWYJTqadKOB0md9Fx0sCCHcf8tZdUaJ8xqPwc/s400/kyrgy-as-map-0109-color.jpg" alt="" id="BLOGGER_PHOTO_ID_5296450171709989522" border="0" /></a></p><p style="font-style: italic;" class="MsoNormal"><span style="font-size:100%;">Figure 1 shows the Internet routing during the later stages of the Kyrgyzstan DDoS attacks.</span></p><p class="MsoNormal"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkc-pWgwIgUGtpGSHddOHC5DyO5E6fUgMRTmYLrB9YH6Q5Hh4ey01Db2Saw2Vrd6GsMGWFyBrOK8ap2WnKW5Wk2cqGgsxOLtmu000x8dds_KhhFXVjkLscMvHZ3fJTawygZbiMR6u39lk/s1600-h/kyrgy+ru+servers+table+0109.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 124px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkc-pWgwIgUGtpGSHddOHC5DyO5E6fUgMRTmYLrB9YH6Q5Hh4ey01Db2Saw2Vrd6GsMGWFyBrOK8ap2WnKW5Wk2cqGgsxOLtmu000x8dds_KhhFXVjkLscMvHZ3fJTawygZbiMR6u39lk/s400/kyrgy+ru+servers+table+0109.jpg" alt="" id="BLOGGER_PHOTO_ID_5296449826917574146" border="0" /></a></p><p class="MsoNormal"><a onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSCgQ2rMZeoS8cCPAONxCGp1nE6hW2ari6QYLitGPjIX21vFmkUz5ZZnK508_qHUiy6faXXpek9xIh0n6HvQt7csYHho3CAR-91zJE75rpwDZm6HNkwJbnhkzLWhdnvK9IU3ikeDyjnEs/s1600-h/kyrgy+BGP+1+0109.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 323px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSCgQ2rMZeoS8cCPAONxCGp1nE6hW2ari6QYLitGPjIX21vFmkUz5ZZnK508_qHUiy6faXXpek9xIh0n6HvQt7csYHho3CAR-91zJE75rpwDZm6HNkwJbnhkzLWhdnvK9IU3ikeDyjnEs/s400/kyrgy+BGP+1+0109.jpg" alt="" id="BLOGGER_PHOTO_ID_5296449526529715954" border="0" /></a></p><p style="font-style: italic;" class="MsoNormal"><span style="font-size:100%;">Figure 3 provides the BGP (Border Gateway Protocol) Internet traffic routing for the period of the 15<sup>th</sup> of January 2009, with primary focus on highlighting the DDoS traffic against AS8511 Asiainfo of Kyrgyzstan.</span></p><p class="MsoNormal"><span><br /></span> </p><h2>Timeline of Political Events</h2> <p class="MsoNormal" style="font-family:trebuchet ms;"><span style="font-size:85%;">January 17: <a href="http://www.rferl.org/Content/Prominent_Opposition_Leader_Detained_In_Kyrgyzstan/1371396.html" onclick="javascript:pageTracker._trackPageview ('/outbound/www.rferl.org');">Prominent opposition leader detained in Kyrgyzstan</a></span></p> <p class="MsoNormal" style="font-family:trebuchet ms;"><span style="font-size:85%;">January 17: <a href="http://www.iwpr.net/?p=rca&s=f&o=349265&apc_state=henprca" onclick="javascript:pageTracker._trackPageview ('/outbound/www.iwpr.net');">Political confrontation intensifies.
Opposition activists form new coalition UPM (United People’s Movement) </a></span></p> <p class="MsoNormal" style="font-family:trebuchet ms;"><span style="font-size:85%;">January 19: <a href="http://www.rferl.org/Content/Two_Kyrgyz_Opposition_Leaders_Detained_Charged/1371773.html" onclick="javascript:pageTracker._trackPageview ('/outbound/www.rferl.org');">Two opposition leaders detained and charged</a></span></p> <p class="MsoNormal" face="trebuchet ms"><span style="font-size:85%;">January 19: <a href="http://www.smh.com.au/news/world/russia-presses-kyrgyzstan-to-close-us-base/2009/01/18/1232213448844.html" onclick="javascript:pageTracker._trackPageview ('/outbound/www.smh.com.au');">Russia presses Kyrgyzstan to close US base </a></span></p> <p class="MsoNormal" face="trebuchet ms"><span style="font-size:85%;">January 20: <a href="http://www.rferl.org/Content/Kyrgyz_Opposition_Denied_Use_Of_Parliament_Press_Center/1372339.html" onclick="javascript:pageTracker._trackPageview ('/outbound/www.rferl.org');">Kyrgyzstan Opposition denied use of Parliament Press Center</a></span></p> <p class="MsoNormal" style="font-family: trebuchet ms;"><span style="font-size:85%;">January 21: <a href="http://www.eurasianet.org/departments/insightb/articles/eav012109a.shtml" onclick="javascript:pageTracker._trackPageview ('/outbound/www.eurasianet.org');">Kyrgyzstan government targets opposition</a></span></p> <p class="MsoNormal" style="font-family: trebuchet ms;"><span style="font-size:85%;">January 22: <a href="http://www.rferl.org/articleprintview/1373504.html" onclick="javascript:pageTracker._trackPageview ('/outbound/www.rferl.org');">Journalists ordered to file personal information</a></span></p> <p class="MsoNormal" style="font-family:trebuchet ms;"><span style="font-size:85%;">January 22: <a href="http://www.rferl.org/articleprintview/1373425.html" onclick="javascript:pageTracker._trackPageview ('/outbound/www.rferl.org');">Kyrgyz Opposition Party denied 
registration</a></span> </p> <h2>Analysis</h2> <p style="font-family:trebuchet ms;"><span style="font-weight: normal;font-size:100%;" >The Kyrgyz cyber attacks during the week of January 18<sup>th</sup> fall right in line with an escalating series of repressive political actions by the Bakiev government against this latest attempt to form an opposition political party – the United People’s Movement (UPM). Bakiev should know, since it was the Tulip Revolution in 2005 (the last time DDoS attacks were used in Kyrgyzstan) that brought him to power.</span></p> <p class="MsoNormal" style="font-family:trebuchet ms;"><span style="font-size:100%;">Opposition leader Omurbek Tekebaev has pointed out the similarities between 2005 and 2009: <em>“Both then and now, you could see people mistrusted those in power, who lacked moral authority. Both then and now, public opinion was completely controlled by the authorities, and there was persecution of journalists and dissidents, criminal persecution of political opponents,” he said</em> (IWPR article).</span></p> <p class="MsoNormal" style="font-family:trebuchet ms;"><span style="font-size:100%;">This appears to be a cyber operation for hire, commissioned by the Bakiev government to control information access against its political opposition. The likely culprits are Russian hackers with moderate skill levels who regularly engage in cyber crime.</span></p> <p class="MsoNormal" style="font-family:trebuchet ms;"><span style="font-size:100%;">There is no evidence that the Russian government is directly involved; however, Moscow has complete control over the servers owned by JSC and Golden Telecom. To date, no action has been taken by the Russian Federation (RF) to deny Russian hackers access to these servers. 
</span></p> <h3>Related Links:</h3><span style="font-weight: bold;font-family:times new roman;font-size:78%;" ><a href="http://hostexploit.blogspot.com/2009/01/cyberwar-cyber-iron-curtain-now.html">Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1</a></span><br /><p style="font-weight: bold;font-family:times new roman;" class="MsoNormal"><span style="font-size:78%;"><a href="http://intelfusion.net/wordpress/%28http://www.citizenlab.org/modules.php?op=modload&name=News&file=article&sid=737&mode=thread&order=0&thold=0%29" onclick="javascript:pageTracker._trackPageview ('/outbound/www.citizenlab.org');">Kyrgyz Websites subject to unexplained failure and hacking during the Parliamentary Elections (2005)</a></span></p> <p style="font-weight: bold;font-family:times new roman;" class="MsoNormal"><span style="font-size:78%;"><a href="http://intelfusion.net/wordpress/?p=509" rel="bookmark">The Kyrgyzstan Cyber Attack That No One Is Talking About</a></span></p><p style="font-weight: bold;font-family:times new roman;" class="MsoNormal"><span style="font-size:78%;"><a href="http://www.infowar-monitor.net/modules.php?op=modload&name=News&file=article&sid=2155&mode=thread&order=0&thold=0">The Cyber Iron Curtain</a></span></p><p style="font-weight: bold;font-family:times new roman;" class="MsoNormal"><span style="font-size:78%;"><a href="http://www.secureworks.com/research/blog/index.php/2009/01/28/kyrgyzstan-under-ddos-attack-from-russia/">Kyrgyzstan under DDoS attack from Russia (SecureWorks)</a></span></p><p>Posted by <a href="http://www.blogger.com/profile/15380343022241343709">HostExploit</a></p><h2>Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1</h2><p>Published 2009-01-26T11:47:00-08:00, updated 2009-01-26T12:02:06-08:00</p><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA1jGBOBylsELUZW7LyvZ5zXtip0VBCsYkgQSUGMlvm2CAIA826iHPL-itylY42NjSai9BT4frK0k-oRVD8na_WS48vkBQDWeY3YyUMkb3dLyJoWX8gOGvvJsVZyKCRhpIP02Li2srZ1M/s1600-h/cybersubway2009.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 223px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA1jGBOBylsELUZW7LyvZ5zXtip0VBCsYkgQSUGMlvm2CAIA826iHPL-itylY42NjSai9BT4frK0k-oRVD8na_WS48vkBQDWeY3YyUMkb3dLyJoWX8gOGvvJsVZyKCRhpIP02Li2srZ1M/s400/cybersubway2009.jpg" alt="" id="BLOGGER_PHOTO_ID_5295691823011698114" border="0" /></a><span style="font-weight: bold;font-size:100%;" ><span style="font-family: trebuchet ms;">Fig 1. The new Cyber Version of the Iron Curtain</span></span><br /></div><br /><div style="text-align: justify;"><span style="font-size:100%;"><span style="font-family: trebuchet ms;">Large scale DDoS attacks have been underway against Kyrgyzstan Internet service providers (ISPs) for several days. This further establishes the emergence of the ‘Cyber Iron-Curtain’ shown in the schematic diagram above. For example, the key national web server site Asiainfo.kg and the Kyrgyzstan official domain registration service Domain.kg have only been available intermittently since Jan 18th 09. We are able to confirm that the ‘usual suspects’ of well known organized cybercrime servers have been involved (<a href="http://news.hostexploit.com/index.php?option=com_bca-rss-syndicator&feed_id=1">see Part 2 for details</a>). Ironically, upstream providers in Russia and Kazakhstan have been stating that they are refusing to pass traffic because of the scale of the attacks. </span></span><br /><br /><span style="font-size:100%;"><span style="font-family: trebuchet ms;">The reasons for the cyber attacks are sketchy, as the Kyrgyz President Kurmanbek Bakiyev is seen as pro-Kremlin. 
However, in a coincidence similar to the DDoS of Lithuanian web sites last year, which took place when the Lithuanian Prime Minister visited the US, President Bakiyev is to visit Moscow on February 3 to discuss the extension of Russian investment in the Kyrgyz energy sector, and Russia is pressuring Kyrgyzstan to close the US military air base used to support operations in Afghanistan. (</span><a style="font-family: trebuchet ms;" href="http://www.smh.com.au/news/world/russia-presses-kyrgyzstan-to-close-us-base/2009/01/18/1232213448844.html">Sydney Morning Herald - news link</a><span style="font-family: trebuchet ms;">)</span></span><br /><br /><span style="font-size:100%;"><span style="font-family: trebuchet ms;">Another view is that the attacks are intended to effectively neutralize the recently unified opposition United People’s Movement (UPM). In its founding charter, the coalition seeks a new political system for Kyrgyzstan and the removal of President Kurmanbek Bakiyev from office. Complaining of widespread corruption, increasing human rights abuse, and the deterioration of living standards, the UPM is planning a series of protests for February and March. </span></span><br /><br /><span style="font-size:100%;"><span style="font-family: trebuchet ms;">The Kyrgyz state general prosecutor has launched criminal investigations involving at least four opposition leaders in recent weeks. This past weekend, opposition leader Omurbek Tekebayev, chairperson of the Ata Meken Party, was arrested on vague weapons charges as he headed for a meeting in the northwestern Talas region of Kyrgyzstan. 
He has since been released.</span></span><br /><br /><span style="font-size:100%;"><span style="font-family: trebuchet ms;">The cyberwar attacks on Kyrgyzstan have also been confirmed by </span><a style="font-family: trebuchet ms;" href="http://intelfusion.net/wordpress/?p=509">IntelFusion</a><span style="font-family: trebuchet ms;"> and </span><a style="font-family: trebuchet ms;" href="http://www.infowar-monitor.net/modules.php?op=modload&name=News&file=article&sid=2149&mode=thread&order=0&thold=0">Information Warfare Monitor</a><span style="font-family: trebuchet ms;">, which describe three of the four Kyrgyz ISPs having been taken down, e.g. AS8511 ASIAINFO Autonomous System, Bishkek, Kyrgyzstan, which also carries the Kyrgyzstan official domain registration service.</span></span><br /><br /><span style="font-size:100%;"><span style="font-family: trebuchet ms;">Hence, from a ‘Cyber Iron-Curtain’ perspective, Russia now has ‘control at will’ over communications and increasing cyber influence over its former Soviet satellites, a modern parallel to Winston Churchill’s post-Second World War description of the Soviet sphere of influence. Separately, the blocking of these major websites in Kyrgyzstan suggests that we should move this country up the relative scale of importance for monitoring cyberwar around the world. </span></span><br /><br /><span style="font-size:100%;"><span style="font-family: trebuchet ms;">Click here for the </span><a style="font-family: trebuchet ms;" href="http://news.hostexploit.com/index.php?option=com_bca-rss-syndicator&feed_id=1">RSS feed for Part 2 and further reports</a><span style="font-family: trebuchet ms;">. 
</span></span><br /></div><p>Posted by <a href="http://www.blogger.com/profile/15380343022241343709">HostExploit</a></p><h2>Majority of Top 100 Websites Host Malicious Content</h2><p>Published 2009-01-23T03:43:00-08:00, updated 2009-01-23T04:06:16-08:00</p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwZM0jWyca2-YeFSjIZeJs02KqKC02CH_cERxQldqTZtyWYJZIwSbOHLEjNj7vfEbXLJ1IT6dYaxmYAM4FfVXfmZEskQ1ubEPzSDefX_RBHG5LGPP0R6G8qj4CnDToXXom9DuI7KhORjM/s1600-h/toxicfinal+%282%29.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 212px; height: 284px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwZM0jWyca2-YeFSjIZeJs02KqKC02CH_cERxQldqTZtyWYJZIwSbOHLEjNj7vfEbXLJ1IT6dYaxmYAM4FfVXfmZEskQ1ubEPzSDefX_RBHG5LGPP0R6G8qj4CnDToXXom9DuI7KhORjM/s320/toxicfinal+%282%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5294457686949538274" border="0" /></a><span style="font-family: trebuchet ms;font-size:100%;" >A majority of the top 100 websites hosted either malicious content or masked redirects, according to a Websense report summarizing its significant findings for the six-month period ending in December 2008.<br /><br />The highlights are:</span><br /><br /><span style="font-size:130%; color: rgb(255, 0, 0); font-weight: bold;font-family:trebuchet ms;">Web Security</span><br /><ul style="font-family:trebuchet ms;"><li>77 percent of Web sites with malicious code are legitimate sites that have been compromised.</li><li>The number of malicious Web sites identified by Websense Security Labs from January 1st, 2008 through January 1st, 2009 increased by 46 percent.</li><li>70 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites. This represents a 16 percent increase over the last six-month period.</li></ul><span style="font-size:130%; color: rgb(255, 0, 0); font-weight: bold;font-family:trebuchet ms;">Messaging Security</span><br /><ul style="font-family:trebuchet ms;"><li>84.5 percent of email messages were spam. This represents a 3 percent decrease over the last six months.</li><li>90.4 percent of all unwanted emails in circulation during this period contained links to spam sites or malicious Web sites. This represents almost a 6 percent increase in emails containing malicious links to compromised sites.</li><li>Shopping remained the leading topic of spam (22 percent), followed closely by cosmetics (15 percent) and medical (14.5 percent). This remained consistent over the last six months.</li><li>Pornography-related spam increased sharply by 94 percent, but still only represented 9 percent of all email spam.</li><li>6 percent of spam messages were phishing attacks, representing a 33 percent decrease over the last six months. This represents a change in tactics, as spammers concentrated on data-stealing Trojan horses and DNS poisoning tactics to lure victims to malicious sites.</li></ul><span style="font-size:130%; color: rgb(255, 0, 0); font-weight: bold;font-family:trebuchet ms;">Data Security</span><br /><ul style="font-family:trebuchet ms;"><li>39 percent of malicious Web attacks included data-stealing code.</li><li>57 percent of data-stealing attacks are conducted over the Web. This represents a 24 percent increase over the six-month period.</li></ul><span style="font-family:trebuchet ms;font-size:100%;">The full report is here: <a href="http://www.websense.com/site/Docs/whitepapers/en/WSL_ReportQ3Q4FNL.PDF?CMP=NR012109A">(PDF)</a></span><p>Posted by <a href="http://www.blogger.com/profile/15380343022241343709">HostExploit</a></p><h2>Cyberwar - The Battle for Gaza (part 2)</h2><p>Published 2009-01-16T07:11:00-08:00, updated 2009-01-16T07:27:56-08:00</p><div style="text-align: justify;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8shQ7p6berkQdAogqL_J4Kx_UzI-k6oJvT8b0TMGtwXOtO2c45XNkyzkUyhWJtjIXxnn__aTzKNwtkWQc2EuqqsLPPM5q1ylU1L6qseSePwvSrpqJNxGU44UFRZ-LKkLxxzjyoGtsBjI/s1600-h/1923_Turk.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 246px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8shQ7p6berkQdAogqL_J4Kx_UzI-k6oJvT8b0TMGtwXOtO2c45XNkyzkUyhWJtjIXxnn__aTzKNwtkWQc2EuqqsLPPM5q1ylU1L6qseSePwvSrpqJNxGU44UFRZ-LKkLxxzjyoGtsBjI/s320/1923_Turk.jpg" alt="" id="BLOGGER_PHOTO_ID_5291911122354669618" border="0" /></a><span style="font-size:100%;"><span style="font-family: trebuchet ms;">Cyberwar, as a word or term, does appear to be inflammatory for many and a cause of considerable debate. Quite simply, it is reasonably defined as asynchronous warfare via the web, i.e. the occurrence of two or more processes at different times, and war in itself does not need to have governments fighting each other. As an example, most would agree the American War of Independence was a war, but one fought by a section of the populace against a government or ruling entity.</span><br /></span></div><br /><div style="text-align: justify; font-family: trebuchet ms;"><span style="font-size:100%;">Propaganda, which can reasonably be considered an element of cyber warfare, has always been seen as a crucial weapon of war, from the now classical literature of Thomas Paine’s pamphlet “Common Sense” to the current website hacks and running battles within the social networks.<br /><br />In the follow-up to the earlier blog article, here we can initially consider the battle within the social networks. Within Facebook there has been considerable activity: <a href="http://thejdif.org/">The Jewish Internet Defense Force</a>, a group that claims to have 5,000 members worldwide, is reported to regularly attack the Facebook wall of the group “Support the Fight Against Cancer with Just a Click!”, which currently has 1,350,137 members and describes itself as a “cancer truth group” that appears to blame the “Zionist Jewish Mafia” for the disease. Elsewhere on Facebook we also see, as examples, “Israel is not a country!” with 8,878 members and, in counterbalance, "Palestine is not a country Delist it from Facebook as one!" 
with 3,649 members, and “End the siege on Gaza now….” with 45,806 members.<br /></span></div><br /><div style="text-align: justify;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnQIoDUcT0cCLyZSOdFkfHxFMMXs6X4mgjg5IHga9LaPyoLoNougqmepJJvxHgGSihN93RK7yxmdrBdwb02Hjw84xEPoz-Re6ffjZKp-vgc2ijPx5Xnnkv8Spf_Sy1_HBo726T6Px0RRM/s1600-h/jdif_wiki_defacement.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 240px; height: 215px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnQIoDUcT0cCLyZSOdFkfHxFMMXs6X4mgjg5IHga9LaPyoLoNougqmepJJvxHgGSihN93RK7yxmdrBdwb02Hjw84xEPoz-Re6ffjZKp-vgc2ijPx5Xnnkv8Spf_Sy1_HBo726T6Px0RRM/s320/jdif_wiki_defacement.jpg" alt="" id="BLOGGER_PHOTO_ID_5291911393855408802" border="0" /></a><span style="font-size:100%;"><span style="font-family: trebuchet ms;">Within Wikipedia there are similar battles, with TheJDIF’s own article being regularly defaced with swastikas or jihadist slogans. At the same time, however, they have produced a well researched blacklist of what they consider “Heavily Biased Anti-Israel Wikipedia Editors”. The Wikipedia article on Hamas is being revised hourly by one side of the argument or the other, as the article’s revision history shows.</span><br /><br /><span style="font-family: trebuchet ms;">The more conventional web site hacking reported earlier has shown a marked increase in activity, not only against Israeli websites but against wider international targets. Notable targets of the pro-Palestinian effort have been the United States Army's Military District of Washington website, the NATO Parliamentary Assembly website in Brussels, the UNICEF website in Italy, government websites in Colombia, and many international academic websites, for example the University of Applied Sciences in Switzerland. 
Commercial websites continue to be targeted increasingly in the USA, UK, Denmark, France, Netherlands and Australia, with a notable example being Google’s web site in Egypt.</span><br /><br /><span style="font-family: trebuchet ms;">The most reported hacker in this conflict recently is “Agd_Scorp / Peace Crew”; actually these are better known in hackers’ circles as the Turkish group “1923turk”, to which 6,319 hacks and defacements can be attributed over the last week. Other hacker groups of note in quantitative terms over the last week are “Cold z3ro”, “DNS Team”, and “FesH4ck3rs Team”. To complete this small effort at quantification, webmasters may find it interesting that according to </span><a style="font-family: trebuchet ms;" href="http://zone-h.org/">Zone-H.org</a><span style="font-family: trebuchet ms;">, an organization that has tracked hackers and hacking for many years, 70% of the attacks have been against web sites using Linux based servers. However, this may more reflect the greater use of Linux over MS Windows as a web serving operating system.</span><br /><br /><span style="font-family: trebuchet ms;">For one final word of warning, from the world of the cyber criminals who take advantage of this and similar situations and have nothing to do with Gaza protests, thanks to </span><a style="font-family: trebuchet ms;" href="http://garwarner.blogspot.com/2009/01/gaza-conflict-spam-points-to-fake-cnn.html">Gary Warner of University of Alabama</a><span style="font-family: trebuchet ms;">: be cautious about fake CNN and other news reports, and UNICEF appeals, relating to the Gaza conflict appearing in your email box. These are actually virus-laden and lead to the download of malware. From further analysis, the hosting is by </span><a style="font-family: trebuchet ms;" href="http://cidr-report.org/cgi-bin/as-report?as=AS46475">AS46475</a> <span style="font-family: trebuchet ms;">Limestone Networks, Inc., Dallas, Texas. 
This is the same IP hosting as the recent Classmates.com malware, and it is blacklisted by Spamhaus as </span><a style="font-family: trebuchet ms;" href="http://www.spamhaus.org/sbl/sbl.lasso?query=SBL71257">SBL71257</a></span><br /></div><p>Posted by <a href="http://www.blogger.com/profile/15380343022241343709">HostExploit</a></p><h2>CyberWar - The Battle for Gaza</h2><p>Published 2009-01-05T11:39:00-08:00, updated 2009-01-05T12:21:17-08:00</p><div style="text-align: justify;"><a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFDF8S_5BV9ANK2dmdOYuehg6hecKAdyHAI9QTLSMRg_T83qATPuih6ci1qGRLieJnlY069u63jbukgaZzd_mxQTwXg_r5ATeA4ba-J9DfzB4u7pw6zqr_XxkIfGuwdxTDWm270ZmtuQU/s1600-h/DNS_team.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 266px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFDF8S_5BV9ANK2dmdOYuehg6hecKAdyHAI9QTLSMRg_T83qATPuih6ci1qGRLieJnlY069u63jbukgaZzd_mxQTwXg_r5ATeA4ba-J9DfzB4u7pw6zqr_XxkIfGuwdxTDWm270ZmtuQU/s320/DNS_team.jpg" alt="" id="BLOGGER_PHOTO_ID_5287897417129671106" border="0" /></a>Whatever your personal perspective on the rights and wrongs of the current Arab-Israeli war in Gaza, there is a second front being fought on the Internet. This form of warfare is a battle of words, and often vivid imagery, engaged in by hackers from either side of the divide. The image shown here is a highly graphic example from a defaced Israeli commercial website, hacked by “DNS Team” today.<br /><br />Many are familiar with the explosive form of botnet-based DDoS (distributed denial of service) cyberwarfare carried out, and widely reported, against governmental web sites in Estonia in 2007 or Georgia in August 2008. In fact, this particular cyberwar in the Middle East has been ongoing since at least 2001. 
As the Internet mirrors the real world, this cyberwar waxes and wanes, and the ground warfare fans the flames on the Internet at times such as this.<br /><br />Of considerable interest to Internet security in general are the tactics utilized, as these reflect the application of many sophisticated cybercrime hacking techniques better known from commercially motivated attacks, and so are relevant to any commercial or governmental network operation.<br /><br />Although at first sight it would seem this is only of consequence to Israeli or Arab web sites, this is not the case. For example, many US, French, Spanish, UK, and Danish web sites are currently being defaced at a rate of hundreds per hour. Many such defacements are merely an inconvenience for the webmaster; however, many appearing over the last two days also contain malware links. Many are also provided with redirects or Flash links to Jihadist forums or blogs, caused by SQL injection attacks.<br /><br />A few days ago the “Team Evil” Islamic group used a DNS attack on DomainTheNet's registration system server, which redirected many well known Israeli web sites, such as ynetnews.com, a weather forecast website, public utilities, and Bank Discount, rerouting users to a page featuring anti-Israel messages. DomainTheNet is a multinational registration service provider (RSP), which offers registration and site-hosting services. The names used in the hacking (Team Evil, DNS Team, Tw!$3r, KaSPeRs HaCKeR CreW, PaLiSeNiaN HaCK, MoRoCcAn HaCkErZ, et al.) apparently emanate from, and have been reported as coming from, Morocco.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRjOQoPBo7T53HQbZIwEbBpkvKYbyhetuN4QkqON5sa2zB3ZO3pKNY6Zbzk9i-1mFfs0Il_q3kJPWBiWGcZsCUVKHvI6S7EJCw_WAq7DbD0mR7alAg1iqNgYaUHjIVEwGUTv6ye2vLC_E/s1600-h/Tw!$T3R.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 137px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRjOQoPBo7T53HQbZIwEbBpkvKYbyhetuN4QkqON5sa2zB3ZO3pKNY6Zbzk9i-1mFfs0Il_q3kJPWBiWGcZsCUVKHvI6S7EJCw_WAq7DbD0mR7alAg1iqNgYaUHjIVEwGUTv6ye2vLC_E/s320/Tw!$T3R.jpg" alt="" id="BLOGGER_PHOTO_ID_5287899691445940674" border="0" /></a>In fact, by tracking back the associated routings and linked forums, these activities are originating from Saudi Arabia and Turkey. As three embarrassing examples of the enemy within, consider the following Jihadist communication sites and forums: Anashed Net is registered in Saudi Arabia but hosted by Layered Tech, and Raslny com is also registered in Saudi Arabia but hosted by SoftLayer, both hosts based in Plano, Texas, USA. As Internet-Haganah (an Israeli website that tracks Jihadist sites) reports, Thabaat net, which distributes Al Qaida propaganda, is registered in Belgium and hosted in Denmark, ironically a key target for Jihadists due to the Islamic cartoon incident.<br /><br />The Associated Press reported in 2006 that Team-Evil had begun hacking and vandalizing US government websites as early as 2004. 
In 2002, an Israeli hacker named Ehud Tannenbaum, known as "The Analyzer", was sentenced to 18 months in jail for breaking into NASA, Pentagon, and Defense Ministry computer systems, among other virtual locations.<br /><br />By way of even-handedness, it would be naïve to think this cyberwar is one-sided: no Hamas or related web site is openly available, as these were effectively taken down and have been kept offline since mid-2008 by the pro-Israeli hackers “Fanat al-Radical”. A fascinating approach over the last few days is being made by an Israeli website, ‘Help Israel Win’, which provides a download so your PC can become part of a worldwide pro-Israeli botnet. So far 7,786 have joined in, already a fairly powerful global computing force to, as they describe it, “Disrupt our Enemy’s Efforts”.<br /><br />A final word of warning: the download has been analyzed as ‘Win32/Injector.K’, a well known PC-hijacking trojan used in cyber crime. As is always the case in cyber warfare, who is who, and whether the hacking is being directed by governmental intelligence forces, criminal groups, or hacktivists, remains a question. </div><p>Posted by <a href="http://www.blogger.com/profile/15380343022241343709">HostExploit</a></p><h2>Enemy Within</h2><p>Published 2008-12-18T09:03:00-08:00, updated 2008-12-18T09:06:57-08:00</p><p>When considering our preparedness (or lack of it) for cyber warfare or fighting cyber criminals, an old African quotation comes to mind: "When there is no enemy within, the enemies outside cannot hurt you." </p><p> At first thought, the concept of an enemy within might call to mind the Federal Trade Commission halting the <a href="http://ftc.gov/opa/2008/12/winsoftware.shtm" target="new">scareware schemes</a>, in which e-marketeers falsely claimed their scans had detected viruses, spyware, and illegal pornography on consumers’ computers. 
The FTC estimated more than 1 million consumers were duped into buying needless products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, at $40 per install. Yes, a cool $40 million from such a scam based on ineffective products. </p><p> The enemy within, though, is actually more insidious than that. According to an alarming <a href="http://cisco.com/en/US/prod/vpndevc/annual_security_report.html" target="new">annual security report</a> from <a href="http://www.internetevolution.com/complink_redirect.asp?vl_id=1131" target="new">Cisco Systems Inc.</a> (Nasdaq: CSCO), there was a 90 percent growth rate in threats originating from legitimate domains, nearly <i>double</i> what the company saw in 2007. </p><p>In addition, vulnerabilities in virtualization products nearly tripled to 103 in 2008 from 35 in 2007, as more organizations embraced virtualization to save money and increase productivity. The technology basically lets one computer do the job of many, by sharing the resources of a single computer across multiple environments. More importantly, you can further establish virtual environments for Web serving and data transit. </p><p> <a href="http://hostexploit.com/" target="new">HostExploit</a> was able to determine the <a href="http://www.internetevolution.com/author.asp?section_id=717&doc_id=167858">problem with McColo</a> by penetrating its virtual environment and exposing it for the business it actually was. This evil network was run from Moscow by cyber criminals; however, it was fully maintained within a data center in Southern California. In similar fashion, <a href="http://www.internetevolution.com/author.asp?section_id=717&doc_id=169078">recent attacks on Georgia</a> were launched from Plano, Texas, controlled by a Russian group apparently based in London. </p><p> The enemy within we should all be most concerned with are these colocation centers. 
Most would be surprised to learn one particular Russian network operator has three virtual hubs in the U.S.: Ashburn, Va.; New York; and Los Angeles. This may sound worse than it is -- U.S. operators have hubs and nodes in Moscow; this is just the way of the World Wide Web, and allows us to speed the flow or maintain virtualized Web-serving across the globe. </p><p> What is disturbing is that this particular Russian network operator is <a href="http://www.retn.net/en" target="new">RETN</a>, also formerly known as Eltel, a very dirty Russian network infamous for hosting spammers and malware. RETN/Eltel will be reactivating the McColo IPs anytime now, allowing the botnets to contact their <a href="http://idbi.us/lexblog/wp-content/uploads/2008/06/the-eye-of-sauron.jpg" target="new">masters</a> and the <a href="http://www.spamhaus.org/sbl/sbl.lasso?query=SBL69578" target="new">spam to flow again</a>, according to Spamhaus. </p><p> In this virtual network operator jigsaw puzzle, consider the potential enemy within. In this unregulated and open market, anyone with a credit card (like RETN) can rent rack space or even simply dispatch a server, right next to equipment from Global Crossing, Level 3, Hurricane Electric, and many others, foreign and domestic. And that's all that's needed to launch a botnet-controlled attack for cyber warfare or cyber criminal purposes from St. Petersburg, Beijing, or Islamabad. Except that it's happening within U.S. cyber space. </p><p> Within a very short period, these virtual thugs can send billions of spam messages, distribute malware, or, as the hackers did earlier this year, access White House emails. Add to this the ability to use anonymous proxy networks via botnet C&C (command and control), and they can make themselves look as if they're from the U.S., China, or whatever virtual destination they choose. 
</p><p> If there was ever a serious case for necessary government regulation and watchfulness, this is it, before anyone jumps up to call this an infringement of Internet freedom or net neutrality. These are commercial, criminal concerns operating strategically important communication, data and colocation centers; tighter controls would have no effect on individual Net surfing or Web hosting. What more oversight and control would do is create a less welcoming place to harbor the enemy within.<br /></p><p><a href="http://www.internetevolution.com/author.asp?section_id=717&doc_id=169419">Internet Evolution</a><br /></p></span><p>Posted by <a href="http://www.blogger.com/profile/15380343022241343709">HostExploit</a></p><h2>EstDomains Active Domain List and Registrar Abuse</h2><p>Published 2008-12-15T03:43:00-08:00, updated 2008-12-15T03:55:53-08:00</p><span style="font-weight: bold; color: rgb(255, 0, 0);">Estdomains Active Domain List</span><br /><br />The Estdomains active domain list as of December 1st 2008, as now maintained by Directi, is now available in searchable form on <a href="http://hostexploit.com/index.php?option=com_content&view=article&id=74&Itemid=84">HostExploit.com</a>.<br /><br />The total of 272,488 active domains is provided as a community service; any research or abuse comments on these domains are welcomed at abuse(at)directi.com or estlist (at)hostexploit.com. 
Any suspected illegal or child pornography content should be reported directly to the IWF <a href="http://www.iwf.org.uk/">here</a>.<br /><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_AIDOkiqx7dlehS2mEOe9OPI3nzNSFgjCmGYPe6MnrGiYFvE2QJNi1FJs0apeiuOQl6Z6KKrKiJU2BgIIDAQISXG1X0iHPqDG2xBKKBRlmECqVwi7k2aHOTo-ynH90BXh4ym_IgFh38w/s1600-h/Directi+octnov+08+HostExploit.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 268px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_AIDOkiqx7dlehS2mEOe9OPI3nzNSFgjCmGYPe6MnrGiYFvE2QJNi1FJs0apeiuOQl6Z6KKrKiJU2BgIIDAQISXG1X0iHPqDG2xBKKBRlmECqVwi7k2aHOTo-ynH90BXh4ym_IgFh38w/s320/Directi+octnov+08+HostExploit.jpg" alt="" id="BLOGGER_PHOTO_ID_5279982064122901586" border="0" /></a><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIpCU74L3ooyfK0RLCgYvgCK5U91zGQS2rzuvDXHjEfAI-BZIdEiY_kPgLX-57fbCqIPIkvmBAa95ErNYpelNTPzcLZMhthH0-UFzmSFohHGoiWNSHAEDPC8oV6G3imsyBJPeZG7RSkgc/s1600-h/Directi+octnov+08+table+HostExploit.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 255px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIpCU74L3ooyfK0RLCgYvgCK5U91zGQS2rzuvDXHjEfAI-BZIdEiY_kPgLX-57fbCqIPIkvmBAa95ErNYpelNTPzcLZMhthH0-UFzmSFohHGoiWNSHAEDPC8oV6G3imsyBJPeZG7RSkgc/s320/Directi+octnov+08+table+HostExploit.jpg" alt="" id="BLOGGER_PHOTO_ID_5279982182302956498" border="0" /></a><br />The images shown continue the review of the actions that Directi, in conjunction with HostExploit, has recently taken to track down and stop abusive domain names and registrants from abusing Directi’s services.<br /><br /><span style="font-weight: bold; color: rgb(255, 0, 0);">Registrar Abuse</span><br /><br />• This 
brings the total to 180,745 domains suspended since August 2008 and 527,000 domains stripped of registrant anonymity (Privacy Protect).<br /><br />• Over 50,000 domain names have been suspended that were either involved in abusive activity or registered by customers/registrants exhibiting persistent patterns of abuse.<br /><br />• These domain names (and/or their registrants) were involved in various types of abuse, such as rogue pharma, spamming, phishing/spoofing, malware perpetration, child pornography, financial fraud and falsified ‘Whois’ information.<br /><br />• All other services utilized by any of these domain names have also been revoked.<br /><br />• Of particular note is the suspension of a further 103 domains purveying child pornography, the majority of which were apparently registered via Regname org and Buy-Cheap-Domain info (see notes below).<br /><br />• Over the past three months, certain resellers have been identified who have been the destination of choice for bad actors; among these are Vivids Media GMBH, Klikdomains, MyNick.name, and Webst.ru. Approximately 125,000 domain names registered through these resellers have been suspended so far.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 0, 0);">Discussion</span><br /><br />One advantage of this exercise has been the development of active communication channels between us and the community. We've been able to refresh contacts with organizations such as Knujon, CastleCops, Spamhaus, McAfee, and Artists Against 419, among others, sharing intelligence on abuse activity.<br /><br />In scouring for more such cases, however, every emphasis is placed on avoiding false positives. All suspensions followed abuse complaints and exhaustive analysis. With this in mind, and with a view to net neutrality, all actions are based upon the ACM (Association for Computing Machinery) Code of Ethics, e.g. 
<a href="http://www.acm.org/about/code-of-ethics">1.2 Avoid harm to others</a>.<br /><br />An active list of directly suspended domains is available for download from HostExploit.com.<br />We welcome any concerns or reports related to the abuse of Directi’s registry services; please forward them to abuse(at)directi.com or admin(at)hostexploit.com.<br /><br /><span style="font-weight: bold; color: rgb(255, 0, 0);">Child Pornography - Researchers note: </span><br /><br />We at HostExploit encourage community awareness, investigation and exposure of cyber crime. It is important to stress that in virtually all jurisdictions, US, UK, and internationally, it is against the law to download, possess, or in some cases even attempt to visit websites containing child pornography. Such investigation can only be carried out by law enforcement or under the direct authorization of law enforcement. No actual visits have been made to any such website by researchers associated with this report or HostExploit. Determining whether a website falls within this category is a matter for law enforcement or governmentally authorized child protection agencies. Any reader or researcher who believes they have knowledge of such a website or online service should contact their local agency. 
For community purposes, HostExploit has an informational area for “<a href="http://hostexploit.com/index.php?option=com_content&view=article&id=17&Itemid=23">Reporting Cyber Crime</a>” and, in this case, for reporting “<a href="http://hostexploit.com/index.php?option=com_content&view=article&id=18&Itemid=24">Illegal Content</a>”.<br /><br /><span style="font-weight: bold; color: rgb(255, 0, 0);">Child Pornography on the Internet, Background:</span><br /><br /><span style="color: rgb(255, 0, 0);">US</span> - Since its establishment in March 1998, the <a href="http://www.missingkids.com/missingkids/servlet/PageServlet?LanguageCountry=en_US&PageId=169">CyberTipline</a> of the US-based National Center for Missing & Exploited Children (NCMEC) has received more than 628,680 reports involving the possession, manufacture, and distribution of child pornography, the online enticement of children for sex acts, child prostitution, child sex-tourism, child molestation (not in the family), unsolicited obscene material sent to a child, and misleading domain names.<br /><br /><br /><span style="color: rgb(255, 0, 0);">UK</span> - The <a href="http://www.iwf.org.uk/">IWF</a> is the UK’s internet ‘Hotline’ for the public and IT professionals to report potentially illegal online content within its remit. The IWF works in partnership with the online industry, law enforcement, government, the education sector, charities, international partners and the public to minimize the availability of this content, specifically child sexual abuse content hosted anywhere in the world, and criminally obscene and incitement to racial hatred content hosted in the UK.<br /><br /><br /><span style="color: rgb(255, 0, 0);">Worldwide</span> - INHOPE is the International Association of Internet Hotlines and was founded in 1999 under the EC Safer Internet Action Plan (http://www.europa.eu.int/iap). 
INHOPE represents Internet Hotlines all over the world, supporting them in their aim to respond to reports of illegal content to make the Internet safer. Click <a href="https://www.inhope.org/en/about/about.html">here</a> to find out more about INHOPE.HostExploithttp://www.blogger.com/profile/15380343022241343709noreply@blogger.comtag:blogger.com,1999:blog-6306300545035702820.post-82793170421911046992008-10-11T05:39:00.000-07:002008-10-11T09:45:38.263-07:00Actions against registry services abuse – Report Oct 2008 - HostExploit and Directi<div style="text-align: justify;"><span class="Apple-style-span" style="color: rgb(51, 51, 51); font-size: 12px; line-height: 16px; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "><span class="Apple-style-span" style="font-family: 'trebuchet ms';">Jart Armin of HostExploit.com &amp; Bhavin Turakhia, CEO of Directi, are pleased to jointly report on the outcome of community actions against abuse of Directi’s domain registry and PrivacyProtect.</span></span><br /></div><div><span class="Apple-style-span" style="color: rgb(51, 51, 51); font-family: Geneva; font-size: 12px; line-height: 16px; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;"><br /></span></div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh32W5tXKw3qi7RnNROZMFgeyBOUKDo0J3nhZVr8-b1IkSyRxRQ8qaJXDgDN6zyWI1_d_ZfGNY2i-pb0H4CNscr1bYGlf7yoKow4QeaVI8WMdj9DIWesKHBxuTTXI7RoZhQcW_Lo2tai4w/s1600-h/Directi_Hostexploit_Key1008.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh32W5tXKw3qi7RnNROZMFgeyBOUKDo0J3nhZVr8-b1IkSyRxRQ8qaJXDgDN6zyWI1_d_ZfGNY2i-pb0H4CNscr1bYGlf7yoKow4QeaVI8WMdj9DIWesKHBxuTTXI7RoZhQcW_Lo2tai4w/s400/Directi_Hostexploit_Key1008.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5255937690658849858" /></a><br 
/><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm4LBmXyP4eUm_0nLSytFuzKKK-JlguWQ90SUHP59oBqhlIaRPj5zH9G0EOU9R91kLXqYlukmt6SHxyJzYp1SvvPDE43QspfAqzAQ8AvvvmxDJTUxS3ehLcuKDlxAewPEQM5WZyqKLKDg/s1600-h/Directi_Hostexploit_1008.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm4LBmXyP4eUm_0nLSytFuzKKK-JlguWQ90SUHP59oBqhlIaRPj5zH9G0EOU9R91kLXqYlukmt6SHxyJzYp1SvvPDE43QspfAqzAQ8AvvvmxDJTUxS3ehLcuKDlxAewPEQM5WZyqKLKDg/s400/Directi_Hostexploit_1008.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5255937540982085090" /></a><br /><span class="Apple-style-span" style="color: rgb(51, 51, 51); line-height: 16px; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family:Geneva;font-size:12px;"><p style="text-align: justify; margin-top: 10px; margin-bottom: 15px; "><span class="Apple-style-span" style="font-size: small;">The figures above review the actions that Directi, in conjunction with HostExploit, has recently taken to track down and stop abusive domain names and registrants from abusing Directi’s services.<br /><b>Registrar Abuse</b></span></p><ul><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">Over 50,000 domain names have been suspended that were either involved in abusive activity or registered by customers/registrants exhibiting persistent patterns of abuse.</span></li><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">These domain names (and/or their registrants) were involved in various types of abuse, such as spamming, phishing/spoofing, malware 
perpetration, suspected pedopornography, financial fraud and falsified ‘Whois’ information.</span></li><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">All other services utilized by any of these domain names have also been revoked.</span></li><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">Over the past three months, certain resellers have been identified who have been the destination of choice for bad actors; among these are Vivids Media GMBH, Klikdomains, MyNick.name, and Webst.ru. Approximately 125,000 domain names registered through these resellers have been suspended so far.</span></li></ul><p style="text-align: justify; margin-top: 10px; margin-bottom: 15px; "><b><span class="Apple-style-span" style="font-size: small;">PrivacyProtect</span></b></p><ul><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">A large incentive for bad actors to use Directi’s services has been PrivacyProtect.org. This service has been disabled for over 27,000 abusive domain names.</span></li><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">The service has been permanently disabled for all existing and new registrations through resellers/registrars that have seen high volumes of abusive registrations, notably those mentioned above and Estdomains. 
This has amounted to approximately 500,000 domain names which had privacy protection canceled.</span></li></ul><p style="text-align: justify; margin-top: 10px; margin-bottom: 15px; "><b><span class="Apple-style-span" style="font-size: small;">Analysis</span></b><span class="Apple-style-span" style="font-size: small;"><br /><br />When suspending domain names on receiving complaints about their involvement in abuse, HostExploit is pleased to report that Directi, while reviewing the complaints over the past few months, even before the ‘Atrivo - Cyber Crime USA’ report, found certain trends:</span></p><ul><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">Domain names registered with the same or similar contact information (name and address patterns).</span></li><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">Bulk registrations of domain names with slight variations in the name, e.g. 018xyz.com, 018xyza.com, 018xyzb.com, 018xyzc.com, etc., by abusive registrants/customers.</span></li><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">The same blacklisted name servers being repeatedly utilized.</span></li><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">Registrations in the same customer account involved in various forms of abuse.</span></li><li style="text-align: justify; "><span class="Apple-style-span" style="font-size: small;">Based on these, we reviewed all domain names, first in the customer's account, then in the reseller's account, and then across the databases. 
Based on these similarities, 35,000 domain names were identified and have been labeled as co-network.</span></li></ul><p style="margin-top: 10px; margin-bottom: 15px; "><b><span class="Apple-style-span" style="font-size: small;">Discussion</span></b><span class="Apple-style-span" style="font-size: small;"><br /><br />Directi’s strengthened abuse team continues to review complaints and revoke privacy protection for abusive domain names, while also forwarding each complaint to the Registrars for whom Directi provides software and other services, so that they can take action. Where reports of abuse emerge from security community blogs or forums, Directi is now proactively searching for such comments and investigating any issue that may involve Directi or a reseller.<br /><br />One advantage of this exercise has been the development of active communication channels between us and the community. We've been able to refresh contacts with organizations such as StopBadware, Knujon, CastleCops, Spamhaus, and Artists Against 419, among others, sharing intelligence on abuse activity.<br /><br />In scouring for more such cases, however, every emphasis is placed on avoiding false positives. With this in mind, and with a view to net neutrality, all actions are based upon the ACM (Association for Computing Machinery) Code of Ethics, </span><a href="http://www.acm.org/about/code-of-ethics" style="text-decoration: none; color: rgb(153, 153, 153); "><span class="Apple-style-span" style="font-size: small;">http://www.acm.org/about/code-of-ethics</span></a><span class="Apple-style-span" style="font-size: small;">, e.g.<br /><br /></span><span style="color: rgb(153, 153, 153); "><b><span class="Apple-style-span" style="font-size: small;">1.2 Avoid harm to others.</span></b><span class="Apple-style-span" style="font-size: small;"><br /><br />"Harm" means injury or negative consequences, such as undesirable loss of information, loss of property, property damage, or unwanted environmental impacts. 
This principle prohibits use of computing technology in ways that result in harm to any of the following: Internet users and the general public.</span></span><span class="Apple-style-span" style="font-size: small;"><br /><br />An active list of directly suspended domains is available for download from </span><a href="http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15" style="text-decoration: none; color: rgb(153, 153, 153); "><span class="Apple-style-span" style="font-size: small;">HostExploit.com</span></a><span class="Apple-style-span" style="font-size: small;"><br /><br />HostExploit and Directi have agreed to maintain their cooperative collaboration to clamp down on spam and other forms of abuse on the Internet as rapidly as possible. HostExploit confirms that it is pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that may be using Directi's services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis.<br /><br />We welcome any concerns or reports related to the abuse of Directi’s registry services; please forward them to abuse(at)directi.com or admin(at)hostexploit.com.<br /><br />Together with the community we hope to continue taking steps to make the Internet a better and safer place.</span></p></span>HostExploithttp://www.blogger.com/profile/15380343022241343709noreply@blogger.comtag:blogger.com,1999:blog-6306300545035702820.post-22501296857391700952008-09-07T15:06:00.000-07:002008-09-07T15:11:59.000-07:00Joint statement from Directi, HostExploit and Knujon<div style="text-align: justify;">In light of recent developments, Jart Armin of HostExploit.com, Bhavin Turakhia, CEO of Directi, and Garth Bruen of Knujon have had an open dialogue and mutually agreed to release this joint statement clearing up any previous misconceptions and reaffirming their common goal to combat abuse on the Internet. 
Here are a few of the points they would like to jointly make:<br /><br />* Directi, HostExploit and Knujon recognize and confirm that they share the common goal of continuing to combat spam and abuse on the Internet through cooperation, collaboration and proactive action. In conversation yesterday, Directi, HostExploit and Knujon agreed to publish this statement to clarify any misconceptions and affirm their mutual commitment to work closely to combat abuse.<br /><br />* Directi clarified to HostExploit that LogicBoxes (a Directi business) is not hosting any of Atrivo's websites. Atrivo runs its web infrastructure under the name of Hostfresh.com, which is not affiliated with Directi in any manner.<br /><br />* Directi also confirmed that ESTDomains is not a Directi company, and Directi does not control the actions or clients of ESTDomains, a fact that HostExploit was already aware of.<br /><br />* HostExploit confirms that its report was not meant to allege that LogicBoxes is directly sponsoring Internet abuse; rather, its report was meant, in good faith, only to provide relevant parties with all information and data which can be used to clean up websites that were violating principles of ethical behavior. HostExploit hopes that other Internet news sites which may have taken the data in the HostExploit report out of context, in assuming that LogicBoxes is directly affiliated with Atrivo, rectify this misconception. Directi confirms that LogicBoxes is simply a software provider to various ICANN Accredited Registrars, and its only role was providing software for domain registration and DNS management.<br /><br />* HostExploit and Knujon did share with Directi a separate list of additional web sites known for badware that belong to Atrivo, enabling Directi's abuse team to swiftly suspend them. 
Directi, HostExploit and Knujon intend to continue this information exchange to speedily resolve abuse issues, and to further demonstrate transparency, the community can contact either Directi or HostExploit, or both, to ensure action is taken.<br /><br />* Directi has clarified that privacyprotect.org is merely a privacy protection service used by many of Directi's legitimate clients, not unlike the privacy protection services offered by other Registrars. Directi further confirmed that privacy protection had already been disabled on a large percentage of Atrivo's domain names over a month ago. Since Directi offers privacy protection free of cost, there are miscreants who use it to cloak their malicious activities. However, Directi reaffirmed that its abuse team will suspend privacy protection on any domain for which they receive a genuine complaint in less than 24 hours. In fact, a few months ago, based on reports and data obtained from the antispam community, Directi ceased to offer its privacy protection services to all customers of ESTDomains and to tens of thousands of other domains obtained through the community. Currently over half a million genuine customers of Directi use privacy protection services to prevent their whois data from being harvested.<br /><br />* Directi affirms they are in no way supporting illicit online pharmacies. KnujOn has sent a list of newly populated fake pharmacy domains that Directi suspended. Directi and KnujOn now jointly call on the Internet community, private industry, and government to help develop policy and methods to put a stop to the fake pharmacy menace, since Registrars cannot do this alone.<br /><br />* Knujon acknowledges that the 48 Registrars that it thought were phantom are actually in existence as Delaware incorporated legitimate companies with a valid ICANN Accreditation and accurate contact information. 
Knujon's confusion stemmed from the fact that ICANN does not require these companies to publicly report their incorporation details.<br /><br />* Directi and HostExploit have discussed further ways to enhance their cooperative collaboration to clamp down on spam and other forms of abuse on the Internet as rapidly as possible. Directi acknowledges and applauds HostExploit's continuous efforts in tracking down miscreants. HostExploit and Knujon confirm that they are pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that may be using Directi's services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis.<br /><br />Together with the community we hope to continue taking steps to make the Internet a better and safer place.<br /></div>HostExploithttp://www.blogger.com/profile/15380343022241343709noreply@blogger.comtag:blogger.com,1999:blog-6306300545035702820.post-9308872681851336202008-09-06T02:53:00.000-07:002008-09-09T00:01:54.780-07:00ATRIVO – Cyber Crime USA Report - Update 090608 a<!--[if gte mso 9]><xml> <w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267">
<w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"> <w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"> <w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"> <w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"> <w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"> <w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"> <w:lsdexception locked="false" priority="37" name="Bibliography"> <w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"> </w:LatentStyles> </xml><![endif]--><style> <!-- /* Font Definitions */ @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:0; mso-generic-font-family:roman; mso-font-pitch:variable; mso-font-signature:-1610611985 1107304683 0 0 159 0;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-1610611985 1073750139 0 0 159 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, 
div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin-top:0in; margin-right:0in; margin-bottom:10.0pt; margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-fareast-font-family:Calibri; mso-bidi-font-family:"Times New Roman";} a:link, span.MsoHyperlink {mso-style-priority:99; color:blue; text-decoration:underline; text-underline:single;} a:visited, span.MsoHyperlinkFollowed {mso-style-noshow:yes; mso-style-priority:99; color:purple; mso-themecolor:followedhyperlink; text-decoration:underline; text-underline:single;} p {mso-style-priority:99; mso-margin-top-alt:auto; margin-right:0in; mso-margin-bottom-alt:auto; margin-left:0in; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman";} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; font-size:10.0pt; mso-ansi-font-size:10.0pt; mso-bidi-font-size:10.0pt; mso-ascii-font-family:Calibri; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} --> </style><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} </style> 
<![endif]--> <p class="MsoNormal" style="text-align: justify;font-family:trebuchet ms;"><span style="font-size:100%;">We demonstrated a limited number of examples of badware websites with Directi providing some form of Internet connectivity with data confirmation on Sept 04 08, and historical third party sources. Below we show the welcome results of actions taken by Directi as of Saturday 090608. - Click on the graphics to enlarge.<br /></span></p><p class="MsoNormal" style="text-align: justify;font-family:trebuchet ms;"><span style="font-size:100%;"><br /></span></p> <p style="margin: 0in 0in 0.0001pt; text-align: justify;"><span style=";font-family:trebuchet ms;font-size:100%;" ><b><u><span style="font-size:11;">xpantivirussecurity.com</span></u></b></span><span style=";font-family:";font-size:11;" ><span style=";font-family:trebuchet ms;font-size:100%;" > – rogue anti-virus – was with connectivity by Atrivo and Directi (OpticalJungle), registrar Directi (PublicDomainRegistry), registrant, obviously false data March 08 courtesy Sunbelt Software </span><o:p></o:p></span></p><br /><br /><br /><br /><div style="text-align: center; font-weight: bold;">Graphics of internet connectivity 9/4/08<br /></div><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgIdg4UZVj6rQRP3S4A-txKHaZrDFP9HB0WorIgXOxy5ZUjiqq9nN87V36MrzHieAiw86DMkFQGitRTLMVjV9mPb60HlwO1jtdOBAFSWrNj6VjhDBxKzkgIn-HzP3uMgs7CFDGU3T8yJ0/s1600-h/xpantivirussecurity+directi+090408.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgIdg4UZVj6rQRP3S4A-txKHaZrDFP9HB0WorIgXOxy5ZUjiqq9nN87V36MrzHieAiw86DMkFQGitRTLMVjV9mPb60HlwO1jtdOBAFSWrNj6VjhDBxKzkgIn-HzP3uMgs7CFDGU3T8yJ0/s400/xpantivirussecurity+directi+090408.jpg" alt="" id="BLOGGER_PHOTO_ID_5242849233491212146" border="0" /></a><br /><br /><a onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsjecaXyPylD73BXIdwkL5XBtmQ1wzZ4V6zVeyAoxhSwKc9CsIEN5MWXobAa_qq4snqIJhsoprjA_uCWH4thoXhG9Zb8mX2h25orsDyhV9rBSymGjswfwb8n5Tq0kwF2UtCYC4-7Bib_k/s1600-h/xpantivirussecurity+directi+b+090408.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsjecaXyPylD73BXIdwkL5XBtmQ1wzZ4V6zVeyAoxhSwKc9CsIEN5MWXobAa_qq4snqIJhsoprjA_uCWH4thoXhG9Zb8mX2h25orsDyhV9rBSymGjswfwb8n5Tq0kwF2UtCYC4-7Bib_k/s400/xpantivirussecurity+directi+b+090408.jpg" alt="" id="BLOGGER_PHOTO_ID_5242849074695071234" border="0" /></a><br /><br /><br /><br /><br /><div style="text-align: center; font-weight: bold;">Graphics of Internet connectivity Sat 9/6/08<br /></div><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjSyHdmmNHcaAFRXzoA3CDhDYrUCUD4xFCaS8Uwv6Jwelv1Izm5OHSMzd47yVSFT7hFh9BluQhxeY1DpKtB7zIUCmb2fQFDmOfvdFBCGGCyPPyzwWavo8e31oX43LKQWlr25ZILaGoON4/s1600-h/xpantivirussecurity+directi+090608.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjSyHdmmNHcaAFRXzoA3CDhDYrUCUD4xFCaS8Uwv6Jwelv1Izm5OHSMzd47yVSFT7hFh9BluQhxeY1DpKtB7zIUCmb2fQFDmOfvdFBCGGCyPPyzwWavo8e31oX43LKQWlr25ZILaGoON4/s400/xpantivirussecurity+directi+090608.jpg" alt="" id="BLOGGER_PHOTO_ID_5242848811253076610" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSAWsWOVuzJjXx3CYU9n8-ugbnr8-v6grS64Ad1YTh_RM8mN3Rca75binE2odSPix6rGHEWRCUrooqt-heyGKcNDfzsMMbgY5GmYnjTyOVcKW83Pylheh0ZxfZU2Cx0nmCY19-B68Itnc/s1600-h/xpantivirussecurity+directi+b+090608.jpg"><img style="margin: 0px auto 10px; display: block; text-align: 
center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSAWsWOVuzJjXx3CYU9n8-ugbnr8-v6grS64Ad1YTh_RM8mN3Rca75binE2odSPix6rGHEWRCUrooqt-heyGKcNDfzsMMbgY5GmYnjTyOVcKW83Pylheh0ZxfZU2Cx0nmCY19-B68Itnc/s400/xpantivirussecurity+directi+b+090608.jpg" alt="" id="BLOGGER_PHOTO_ID_5242848635239977682" border="0" /></a><br /><br /><br /><span style="font-size:100%;"><span style="font-family:trebuchet ms;"><span style="font-weight: bold;font-size:130%;">Loads.cc</span> – botnet and DDoS-for-hire service – had connectivity via Directi (OpticalJungle); registrar Directi (PublicDomainRegistry); registrant data obviously false; cited November 2007 </span></span><br /><br /><div style="text-align: center; font-weight: bold;">Graphics of Internet connectivity 9/4/08<br /></div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdFL0JO7LInTp1ez9FG62G7AdT7TbaWanekaLV95WlQa7DbtHyeKA-dRG3POgyAaLuKyEmP8GEUPXNAz_knAlxVhFxR8J4_WJ2KssAf8kFn2j2UCnTFzjYvW4KSSndtFKNtD11KJ63mM8/s1600-h/loads+cc+090408.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdFL0JO7LInTp1ez9FG62G7AdT7TbaWanekaLV95WlQa7DbtHyeKA-dRG3POgyAaLuKyEmP8GEUPXNAz_knAlxVhFxR8J4_WJ2KssAf8kFn2j2UCnTFzjYvW4KSSndtFKNtD11KJ63mM8/s400/loads+cc+090408.jpg" alt="" id="BLOGGER_PHOTO_ID_5242847255516246066" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXYeI-5hnvBlXDwHQ7nT6oSnt6ZzSvMDPekWYHoOPF3fRirv1X4Ia6RJmHp6SiK9jbJ7i5Zl1S4pfooJ99Y82H-oBhYXyqSToHPuzDlP2jRVI8xibxTtYlhtJV1NxIeLL4LwoHgP4MXuM/s1600-h/loads+cc+b+090408.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXYeI-5hnvBlXDwHQ7nT6oSnt6ZzSvMDPekWYHoOPF3fRirv1X4Ia6RJmHp6SiK9jbJ7i5Zl1S4pfooJ99Y82H-oBhYXyqSToHPuzDlP2jRVI8xibxTtYlhtJV1NxIeLL4LwoHgP4MXuM/s400/loads+cc+b+090408.jpg" alt="" id="BLOGGER_PHOTO_ID_5242846996807115858" border="0" /></a><br /><br /><br /><div style="text-align: center; font-weight: bold;">Graphics of Internet connectivity Sat 9/6/08<br /></div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir-3o4lasaLKre20nKMcbC6V5xYzq1p6Leu0r3QgANsRDehUpObuUcTtiMaBztS6laVNlaPm-3m9bMGIXuSibPkiVuSPBAzRcZwyC1Jyh3hrv2cqISaxxvOce6YfyF6jica-kXT_tWq-8/s1600-h/loads+cc+090608.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir-3o4lasaLKre20nKMcbC6V5xYzq1p6Leu0r3QgANsRDehUpObuUcTtiMaBztS6laVNlaPm-3m9bMGIXuSibPkiVuSPBAzRcZwyC1Jyh3hrv2cqISaxxvOce6YfyF6jica-kXT_tWq-8/s400/loads+cc+090608.jpg" alt="" id="BLOGGER_PHOTO_ID_5242846419901422482" border="0" /></a><br /><br /><div style="text-align: center;">No Internet connectivity!<br /></div><br /><br /><br /><span style="font-size:100%;"><span style="font-weight: bold;font-family:trebuchet ms;">Comment:</span><br /><br /><br /><span style="font-family:trebuchet ms;">“That's one small step for Directi, one giant leap for a safer Internet”.</span><br /><br /><br /><br /></span><div style="text-align: justify;font-family:trebuchet ms;"><span style="font-size:100%;">On behalf of the online community we thank Bhavin Turakhia, CEO, and Directi for their prompt action in response to our findings. These examples are perhaps small in comparison to the overall problem we face, but they are still significant victories in the fight against cyber crime and for the head-on approach of HostExploit's 'Atrivo - Cyber Crime USA' report.<br /></span></div><span style="font-size:100%;"><br /><br /><span style="font-family:trebuchet ms;">We all hope this leads to even greater action and security focus by the hosting and registrar community.</span><br /><br /><br /><br /><br /><br /><span style="font-family:trebuchet ms;">Jart Armin<br /><br /></span><span style="font-family:trebuchet ms;">HostExploit.com</span></span>HostExploithttp://www.blogger.com/profile/15380343022241343709noreply@blogger.comtag:blogger.com,1999:blog-6306300545035702820.post-34883321974219838912008-08-28T18:10:00.000-07:002008-09-09T00:04:38.529-07:00Report Slams U.S. Host as Major Source of Badware<div style="text-align: justify;"><a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnOtmo4MURGZ-yuV_QZ2NMzsoTFpwhdZF9omusgXBfUFnlqScOjJg_-j5qbnXYbx7tcxRurLx-_BQ9Gbohy0YRLVcrwhqcw5-Z1jFBSxJoLrqL3zVPmuFhq8fGcu-DWGUw_nF9H0P0mGw/s1600-h/atrivo_fig+3.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnOtmo4MURGZ-yuV_QZ2NMzsoTFpwhdZF9omusgXBfUFnlqScOjJg_-j5qbnXYbx7tcxRurLx-_BQ9Gbohy0YRLVcrwhqcw5-Z1jFBSxJoLrqL3zVPmuFhq8fGcu-DWGUw_nF9H0P0mGw/s320/atrivo_fig+3.jpg" alt="" id="BLOGGER_PHOTO_ID_5239742692067438914" border="0" /></a><span style="font-size:100%;"><span style="font-family:trebuchet ms;"><span style="font-family:verdana;">In a new study entitled "Atrivo - Cyber Crime USA", the authors have extensively tracked and documented ongoing cyber criminal activity from within the Internet servers controlled by the California-based Atrivo and other associated entities. 
Atrivo is one of the Internet's Autonomous Systems and controls a large number of IP addresses, which web sites must use to reach consumers.</span></span></span><br /></div><div style="text-align: justify;"><span style="font-size:100%;"><br /> </span><span style="font-family:verdana;font-size:100%;">Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, this first-of-its-kind open-source security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which many have seen over several years as a main conduit for financial scams, identity theft, spam and malware. Although fully self-contained, this study is the first of a series of reports; monthly follow-ups will report on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users and, hopefully, efforts to stop them.</span><span style="font-size:100%;"> </span><br /><span style="font-size:100%;"><br /></span><span style="font-family:verdana;font-size:100%;">In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus and many others. What emerges is a picture of a front for ruthless cyber criminals who have specifically targeted consumers in the United States and elsewhere. The study provides hard data on specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure and organizational modeling, and cites Atrivo's collusive failure to respond to abuse complaints from 2004 to the present. 
The study includes three-dimensional charts, diagrams and a YouTube video, which make it easy to grasp the statistics and processes discussed.<br /><br /></span><p class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center; line-height: normal; font-family: trebuchet ms;" align="center"><span lang="EN-GB" style="font-size:100%;">Document available for download from </span><a href="http://hostexploit.com/"><span style="font-size:100%;"><span lang="EN-GB"><span style="">hostexploit.com</span></span></span></a></p><p class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center; line-height: normal;font-family:trebuchet ms;" align="center"><span style="font-size:100%;"><br /></span></p><div style="text-align: center;"><span style="font-size:100%;"><span style="font-family:trebuchet ms;">Video of the Exploitation of a PC User - </span><a style="font-family: trebuchet ms;" href="http://www.youtube.com/watch?v=pTlbV6zJ1XU">YouTube</a></span><br /></div><span style="font-family:verdana;font-size:100%;"><br /></span><div style="text-align: center;"><span style="font-family:verdana;font-size:100%;">Press reviews: </span><br /></div><span style="font-family:verdana;font-size:100%;"><br /></span><div style="text-align: center;"><a href="http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html#more"><span style="font-family:verdana;font-size:100%;">Washington Post - Review</span></a><br /></div></div>HostExploithttp://www.blogger.com/profile/15380343022241343709noreply@blogger.comtag:blogger.com,1999:blog-6306300545035702820.post-53906722901659044362008-04-17T15:40:00.000-07:002008-04-17T16:29:24.083-07:00The Top 25 World's Exploit Hosts and Servers - Issue 1: The Base<p style="margin: 0in; text-align: justify;font-family:Calibri;font-size:11pt;" lang="en-GB"><span style="font-size:100%;">The Top 25 World's Exploit Hosts and Servers deals with a holistic problem requiring a holistic solution; "HostExploit.com" will attempt to be part of the solution.<br /></span></p><p style="margin: 0in; text-align: justify;font-family:Calibri;font-size:11pt;" lang="en-GB"><span style="font-size:100%;"><br /></span></p><br /><p style="margin: 0in; text-align: justify;font-family:Calibri;font-size:11pt;" lang="en-GB"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnBEasH-xeoF7fPGtS5Mger4FUICM2aHLKXmp4xmhU6-9jrkvlgkYmNjeexbWzRwr7vGl1hJHgyXDkcefMCnkAYMuc0GvN_RnMaFtPF8C43vsMbyxfFs67Bnc87iYdbJKtftU7VtEf28E/s1600-h/hostexploit_chara2.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 303px; height: 260px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnBEasH-xeoF7fPGtS5Mger4FUICM2aHLKXmp4xmhU6-9jrkvlgkYmNjeexbWzRwr7vGl1hJHgyXDkcefMCnkAYMuc0GvN_RnMaFtPF8C43vsMbyxfFs67Bnc87iYdbJKtftU7VtEf28E/s320/hostexploit_chara2.jpg" alt="" id="BLOGGER_PHOTO_ID_5190348331365734706" border="0" /></a></p><p style="margin: 0in; text-align: justify;font-family:Calibri;font-size:11pt;" lang="en-GB"><span style="font-size:100%;">With the increasing subversion of the DNS (Domain Name System) by the now widespread automated domain generation, in the 100s to 1,000s per week, by the exploiters, combined with the use of armies of virtually untraceable P2P (peer-to-peer) directed botnets and undetectable polymorphic viruses and malware, it may appear increasingly difficult for the community even to block such threats, let alone reduce them. This involves the whole area of Internet security and network security.</span></p><p style="margin: 0in; text-align: justify;font-family:Calibri;font-size:11pt;" lang="en-GB"><br /></p><p style="margin: 0in; text-align: center;font-family:Calibri;font-size:11pt;" lang="en-GB"><span style="font-size:85%;">Table 1. - The Top 25 World's Exploit Hosts and Servers</span></p><p style="margin: 0in; text-align: justify;font-family:Calibri;font-size:11pt;" lang="en-GB"><span style="font-size:100%;"><br /></span></p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjubMOKGtrW69EXw1h-MjzjpLndDujKmIGBK-GrAJJKNpGA1xEnLSXlX1ZJLQP3qjJJpqEtu0tcTy22hrhQsmgeNAybzhnx78OGr02kap0eZTzNhvAsdsTpWvd4ksIjUrMOTJzhzZaxpsw/s1600-h/hostexploit_top25_001_0408.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjubMOKGtrW69EXw1h-MjzjpLndDujKmIGBK-GrAJJKNpGA1xEnLSXlX1ZJLQP3qjJJpqEtu0tcTy22hrhQsmgeNAybzhnx78OGr02kap0eZTzNhvAsdsTpWvd4ksIjUrMOTJzhzZaxpsw/s400/hostexploit_top25_001_0408.jpg" alt="" id="BLOGGER_PHOTO_ID_5190348773747366210" border="0" /></a><p style="margin: 0in; text-align: justify;font-family:Calibri;font-size:11pt;" lang="en-GB"><span style="font-size:100%;"><br /></span></p><div style="text-align: justify;"><span style="font-size:100%;"><span style="font-family:trebuchet ms;">However, this route, i.e. the hosts, registrars and servers, is controversial and hitherto a taboo subject. 
Whether it is spam, exploits, malware, spyware or even botnet control, the domains are registered and the web sites are hosted or served by an organization, i.e. the 'web host', which is assigned an AS number (Autonomous System) by ICANN. To commence we begin by exposing the 'Top 25 World's Exploit Hosts and Servers'; these alone serve and provide an estimated 80%+ of all the bad stuff on the Internet, infect good servers and good websites, and overall are a scourge to the average Internet user.</span></span><br /></div><p style="margin: 0in;font-family:Calibri;font-size:11pt;" lang="en-GB"><br /></p><p face="Calibri" size="11pt" style="margin: 0in;" lang="en-GB"><span style="font-size:100%;">Why controversial or taboo?</span></p><p style="margin: 0in; text-align: justify; font-family: Calibri; font-size: 11pt;" lang="en-GB"><span style="font-size:100%;"><br /></span></p><p style="margin: 0in; text-align: justify;font-family:trebuchet ms;font-size:11pt;" lang="en-GB"><span style="font-size:100%;">- It is complex - Yes it is; however, through already man-years' worth of detailed research and even more community references, we will partition it into manageable chunks, adding downloadable lists, rules, block information and educational explanation where possible, commencing as we do here with a top-down 'peeling the onion' approach.</span></p><p style="margin: 0in; text-align: justify;font-family:trebuchet ms;font-size:11pt;" lang="en-GB"><span style="font-size:100%;"><br /></span></p><p style="margin: 0in; text-align: justify;font-family:trebuchet ms;font-size:11pt;" lang="en-GB"><span style="font-size:100%;">- It involves big money, in most cases many $millions - As we unfold this subject we will provide focused details on a particular 'Exploiting Host', with the economics involved, where possible. It is our view that an organization's making a great deal of money while exploiting or spamming the average user, whether as an 'intentional exploiter', e.g. Atrivo, or one that has 'allowed itself to be highly infected', e.g. The Planet, does not exclude it from exposure.</span></p><p style="margin: 0in; text-align: justify;font-family:trebuchet ms;font-size:11pt;" lang="en-GB"><span style="font-size:100%;"><br /></span></p><p style="margin: 0in; text-align: justify;font-family:trebuchet ms;font-size:11pt;" lang="en-GB"><span style="font-size:100%;">- Many innocent or grey web sites may suffer due to the few - This will undoubtedly be the case. 
A major technique for the exploiters is to hide the needle in the haystack; however, we and most Internet users would argue that this is not our problem. It is the problem of the host or server: if they are legitimate they will, or should, move heaven and earth to clean up their act for the benefit of the legitimate webmasters, and more importantly the .</span><span style="font-size:100%;"> </span><span style="font-size:100%;">For the innocent webmasters: why are you still hosting your web site with these hosts and servers anyway?</span></p><div style="text-align: justify; font-family: trebuchet ms;"><span style="font-size:100%;"><br /></span></div><p face="trebuchet ms" size="11pt" style="margin: 0in; text-align: justify;" lang="en-GB"><span style="font-size:100%;">In the final analysis this is about choice: choice for the average PC user to reduce the threat of being exploited, for the ISP (Internet Service Provider) to assist in 'prevention' for its users, and for the hosts, servers and DNS registrars not just to take an anonymous client and a probably stolen credit card.</span><span style="font-size:100%;"> </span><span style="font-size:100%;">Authorities such as ICANN are well aware of this increasing problem; perhaps this helps create the groundswell for them to act on behalf of the 99% of Internet users.</span></p><br /><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB"><br /></p><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB">Useful Article Links:</p><br /><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB"><br /></p><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB">Article Downloads - <a href="http://hostexploit.googlepages.com/home">Top 25 csv, IP block lists</a><br /></p><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB"><br /></p><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB"><span style="font-size:100%;">SecureWorks - <a href="http://www.secureworks.com/research/threats/topbotnets">Top Spam Botnets</a></span></p><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB"><br /></p><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB"><span style="font-size:100%;">ICANN - <a href="http://www.icann.org/committees/security/sac025.pdf">Advisory on Fast Flux Hosting and DNS</a></span></p><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB"><br /></p><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB"><span style="font-size:100%;">DNS Education - <a href="http://www.howstuffworks.com/dns.htm">How Domain Servers Work</a></span></p><p style="margin: 0in; font-family: trebuchet ms; font-size: 11pt; text-align: justify;" lang="en-GB"><br /></p><p style="margin: 0in; font-family: Calibri; font-size: 11pt;" lang="en-GB"><br /></p>HostExploithttp://www.blogger.com/profile/15380343022241343709noreply@blogger.comtag:blogger.com,1999:blog-6306300545035702820.post-17053960411398723932008-03-24T13:40:00.000-07:002008-04-19T07:29:37.559-07:00HostExploit - What? Why? Who?<div style="text-align: justify;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6d51mNw1tvfIn9FtDMuwtdt1-lRHBFaL_wc5wQZUp77XSo6gnudlFGPAJOWAR6bILpavwbKZ0IaodNUGZc07Q9EW2NaH7A2YO6UPjslzzklSVRb1YTy7AC-3KvfgopymzweR_z_0eok4/s1600-h/hostexploitchara.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 218px; height: 348px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6d51mNw1tvfIn9FtDMuwtdt1-lRHBFaL_wc5wQZUp77XSo6gnudlFGPAJOWAR6bILpavwbKZ0IaodNUGZc07Q9EW2NaH7A2YO6UPjslzzklSVRb1YTy7AC-3KvfgopymzweR_z_0eok4/s320/hostexploitchara.jpg" alt="" id="BLOGGER_PHOTO_ID_5181411935794578674" border="0" /></a><span style="font-size:100%;"><span style="font-family:trebuchet ms;"><span style="font-weight: bold;">HostExploit</span> – ‘A call to arms’ - Why another Internet security blog and more ‘black hole’ lists?</span> - It's the <span style="font-weight: bold;">HOSTS</span>!<span style="font-family:trebuchet ms;"> </span> <span style="font-family:trebuchet ms;"><br /><br />It has become increasingly apparent that the malware, spam, phishing and other BadWare distributors are now engaged in automated domain generation, 100’s 
to 1,000’s per week, which makes it seriously difficult for the major domain / IP ‘blocklist’ and ‘blacklist’ providers simply to keep up.<br /><br />Added to this we now have: iFrame attacks via web portals; several major international web hosts with 1,000’s of innocent, paying clients whose web sites have been hacked and are infectious to web surfers; DDoS (distributed denial of service); polymorphic malware that many anti-virus / spyware / malware solutions are unable to detect; and millions of PC users being directed to rogue and fake web sites.<br /><br />Finally we have the rise of the botnets: anonymously managed fast-flux and double-flux (ever-changing IP addresses) control of 1,000’s of infected zombie PCs.</span><span style="font-family:trebuchet ms;"><br /><br />We now believe the general situation on the Internet calls for an alternative, additional open source approach that deals with this head on, i.e. at the web hosts and Internet carriers. Every one of the IPs, web sites or domains is hosted or carried by someone; we feel it is time to break the taboo and name, list and expose the ones that host the malware that infects us all. This approach is not meant to replace existing methods, but we hope it will add to the security community’s and PC users’ array of possible tools to reduce the threat.<br /><br /><br /><span style="font-weight: bold;">HostExploit – Who? </span>This blog and its associated list(s) are edited by Jart Armin and James McQuaid; however, the research is provided by a wider volunteer group, some of whom would rather remain anonymous due to their other professional Internet activities. All those involved are web professionals within web hosting, server management, DNS (Domain Name System), Internet security and IDS (Intrusion Detection Systems).<br /><br /><br /><span style="font-weight: bold;">HostExploit – Who is this for? </span>You, i.e. any PC user, webmaster, ISP (Internet Service Provider) or web host who wants to reduce the threat of infection or exploitation. Where necessary or possible, all topics and articles will contain added information to illuminate and educate.<br /><br /><br /><span style="font-weight: bold;">HostExploit – What to expect? </span><br />• Bad Host Lists – these will be in several formats for users to apply for themselves or distribute freely. These lists will initially focus on the (b) and (c) categories (see below) and can be used to black hole, to block, or just for general awareness - <a href="http://hostexploit.googlepages.com/home">click here</a>.<br /><br />• Specific bad host exposures – On a regular basis there will be articles exposing a specific host, providing detail and, where possible, quantification, with a historical background.<br /><br />• Bad Host categorization – whether the issue lies with a host or an AS (autonomous server) comes down to a certain level of semantics and, initially, crude differentiation, so we will commence with an ‘a b c’ method:<br /><br />(a) Hosts / Servers / AS of 'infected sites' = i.e. infected or hacked sites / domains carrying bad exploit code, infected iFrames, SQL injections, XSS exploits, etc. to exploit visitors.<br /><br />(b) Hosts / Servers / AS of 'user infector sites' = i.e. where the malware and rogues are located, and to which, more often than not, users are directed from infections on sites within (a).<br /><br />(c) Hosts / Servers / AS of 'user receptor sites' = the ultimately very bad, including the so-called "bullet proof servers" masked by the botnets, which receive and trade the stolen IDs, credit cards and bank phishing info harvested via (b), pay the partners and affiliates who infect the web sites in (a), host warez, etc. etc., and also serve DDoS botnet C&amp;C (command and control) actions.<br /><br /><span style="font-weight: bold;">HostExploit - To Inform and educate</span> – Articles that attempt to help explain the processes and terminology involved.<br /><br /><span style="font-weight: bold;">HostExploit – Want to help or have your say? </span>This is an open source ‘non-profit’ volunteer group and we welcome help, input or feedback. However, for security reasons there is no allowance for onsite comments, so email HostExploit (at) gmail.com.<br /><br />It is likely input would be within the following:<br /><br />• To keep informed or pass on the information? – Sign up for a ‘Feedburner’ feed and you will be informed about new articles. Feel free to pass on articles and the list(s), or publish them in your blog, magazine or newspaper under a ‘Creative Commons License’; obviously it is courteous to show hostexploit.com as a reference.<br /><br />• Have information we may have missed, or a new exposure? – Email us.<br /><br />• Web Host / Server / AS, and feel any information or inclusion within the list(s) is in error? – Please email us and say where we are wrong; our objective is to shorten such a list, and we will be delighted to explain the error or to have you demonstrate that you have cleaned up your act.</span></span></div>
HostExploit http://www.blogger.com/profile/15380343022241343709 noreply@blogger.com