Networking Security The Internet

Legitimate ISP a Cover-up For a Cybercrime Network 68

ezabi writes "TrendWatch, the malware research arm of TrendMicro, has posted a white paper titled 'A Cybercrime Hub' (PDF, summary here) describing the activities of an Estonian ISP acting as a cover-up for a large cybercrime network. It's involved with malware distribution and DNS hijacking, which leads to credit card fraud. The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies? Note that they are represented legitimately and are offering real services like any other internet company."


  • This is new? (Score:3, Insightful)

    by R2.0 ( 532027 ) on Wednesday August 26, 2009 @12:05PM (#29204133)

    Look up the mafia and trash collection.

  • by Timothy Brownawell ( 627747 ) <tbrownaw@prjek.net> on Wednesday August 26, 2009 @12:07PM (#29204179) Homepage Journal

    ...and DNS hijacking .... The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies?

    DNSSEC so they can't do anything to your DNS queries (not even by directing you to an evil resolver), and SSL or similar for everything else so your connections can't be edited or sniffed. Then there's not really much they can do, besides just dropping all your connections.

    • by Krneki ( 1192201 )
      Damn, I'm out of mod points. One question tho. If you use OpenDNS can they redirect your DNS queries?
      • If the packet goes through somebody else's hardware and isn't cryptographically signed, their ability to fuck with it is constrained only by their computational capacity and knowhow. It'll be trickier if they have to rewrite packets on the fly, rather than just maliciously reconfigure their DNS server; but I'm sure Sandvine or one of their ilk could manage it.

        However, while OpenDNS is unaccountably popular with many, it does a lot of DNS meddling of its own, including breaking NXdomain(it also uses false
        • by Krneki ( 1192201 )
          I know OpenDNS abuse when you mistype a domain, but I'm not interested in that. My concern is redirection of correct names and DNS blocking.
          • Answer on that is, in principle, "yes". Albeit, in practice, probably less likely than if you were using their DNS servers, since they'd have to modify the packets in transit, rather than just reconfigure their DNS server(or, less subtly, drop all traffic to/from known 3rd party DNS servers, and wait for you to give up and use theirs).
            • by Krneki ( 1192201 )
              Ok, so I'll take it as a "Not seen yet". I guess I'll worry about it when the time comes.
      • Since they redirect your DNS queries through a trojan, I don't see how they couldn't.

        • by Krneki ( 1192201 )
          One thing is a virus changing your DNS setting, another is DNS traffic hijacking.

          I know about the first and how it works, but I never saw the 2nd.
    • by jroysdon ( 201893 ) on Wednesday August 26, 2009 @01:09PM (#29205151)

      DNSSEC only helps you if you run your own DNS resolver. 99% of the population uses their ISP's resolver. The exception are corporate networks, etc. DNSSEC does nothing to protect or help the end-user know that queries are good. The data from the resolver to client isn't signed or authenticated in any way, so even if you ask for the +adflag, etc., if someone has a way to mess with your DNS queries with MitM, they can add the "ad" (authenticated data) flag so your client would think the data had been verified by DNSSEC.

      DNSSEC is hardly deployed either. Not even in the .GOV TLD domains, which have a mandate that all domains be signed by the end of this year.

      Query Comcast's test DNSSEC resolver:
      dig +adflag +dnssec gov @68.87.69.154

      You get back NSEC3 keys and RRSIGs, and the "ad" flag will be set (meaning it is authenticated data). Try it again with just about any domain:
      dig +adflag +dnssec whitehouse.gov @68.87.69.154
      dig +adflag +dnssec fbi.gov @68.87.69.154
      dig +adflag +dnssec cia.gov @68.87.69.154
      dig +adflag +dnssec nsa.gov @68.87.69.154

      Nah, none of them have deployed DNSSEC. Less than 3 months to go and they'll all slip past the mandate.

      DNSSEC is a good step in the right direction, but it's not a magic bullet. Perhaps if there were some client apps that act as DNS resolvers and verify all DNSSEC keys and sigs (the same as resolvers do), but that's going to slow down the user experience with many queries before even requesting content. Further, how are end-user apps like this going to be kept up to date with new signatures that have to roll (yearly, I believe)? No magic bullet, that is for sure.

      • Re: (Score:3, Interesting)

        by tialaramex ( 61643 )

        Also, while I'm here, it's a lot harder to MitM the link between a user and their ISP in most cases. Both addresses are inside the ISP's range, so it should and probably does have border rules that prevent such packets traversing the border. That means to attack user X at ISP A, you need to be able to mess with packets inside ISP A. Whereas today, by doing MitM on some poor .com site's DNS servers, you get every user visiting the site. So "does nothing to protect" isn't really true.

        If you're going to say "W

      • Re: (Score:3, Informative)

        DNSSEC only helps you if you run your own DNS resolver. 99% of the population uses their ISP's resolver. The exception are corporate networks, etc. DNSSEC does nothing to protect or help the end-user know that queries are good. The data from the resolver to client isn't signed or authenticated in any way, so even if you ask for the +adflag, etc., if someone has a way to mess with your DNS queries with MitM, they can add the "ad" (authenticated data) flag so your client would think the data had been verified by DNSSEC.

        No, you can demand that the ISP's resolver forward all the records you need in order to verify the signatures yourself. The first thing google comes back with is this, from 2007 [circleid.com]:

        The current DNSSEC standards define a security-aware (stub) resolver that would be located at the users PC and which can indicate to a security-aware intermediate nameserver that it will perform its own DNSSEC validation by setting the Checking Disabled (CD) flag in the DNS query Header. This has the effect of inhibiting DNSSEC at t

        • Ah, very nice. Then the only problem is getting/keeping the signatures on the stubs updated. You have a bootstrapping problem that is a chicken-in-the-egg problem if you want to auto-update a host that has been offline for some time, or after a fresh install that contains old signatures.
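The two points above (the AD bit is an unauthenticated header bit that anyone on the path can set, and a stub that sets CD and the EDNS0 DO bit gets the RRSIGs back so it can validate for itself) can be shown at the byte level. The following Python script is an added example, not code from this thread, from Trend Micro's paper or from any resolver: every message is a hand-built byte string, the RRSIG rdata is a constructed placeholder rather than a real signature, and no cryptographic validation is performed. The names and addresses (example.com, 192.0.2.1) are illustrative.

```python
"""DNS header bits are not authenticated: an on-path ISP can set the AD
("authenticated data") bit on any answer, so a stub that trusts AD is
trusting the network. A stub that instead sets CD ("checking disabled")
and the EDNS0 DO bit receives the RRSIGs and can validate them itself.

Added example; all messages are constructed by hand (no network). The
RRSIG rdata is a placeholder and nothing here checks a signature.
"""
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT RR's extended flags


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, cd=True):
    """Query as a validating stub sends it: RD and CD set, plus an OPT RR with DO."""
    flags = RD | (CD if cd else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 1)  # qd=1, ar=1 (the OPT RR)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, type 41, UDP payload size, ext-rcode, version, flags, rdlen
    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def query_has_do(query):
    """True when the trailing OPT RR carries the DO bit."""
    opt_type, _, _, _, ext_flags, _ = struct.unpack(">HHBBHH", query[-10:])
    return opt_type == TYPE_OPT and bool(ext_flags & EDNS_DO)


def build_answer(name, ip, txid=0x1234, signed=False, ad=False):
    """Constructed answer: one A record, optionally followed by a placeholder RRSIG."""
    flags = QR | RD | RA | (AD if ad else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 2 if signed else 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", TYPE_A, 1)
    # 0xC00C is a compression pointer back to the owner name at offset 12
    a_rr = (b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, 1, 300, 4)
            + bytes(int(o) for o in ip.split(".")))
    msg = header + question + a_rr
    if signed:
        fake_sig = b"\x00" * 18 + encode_name(name) + b"\x00" * 16  # placeholder rdata
        msg += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_RRSIG, 1, 300, len(fake_sig)) + fake_sig
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & 0xF, "ancount": an}


def set_ad(msg, value):
    """What an on-path attacker does: flip one header bit. Nothing in a plain
    UDP answer lets the client notice; the UDP checksum is simply recomputed."""
    txid, flags = struct.unpack(">HH", msg[:4])
    flags = (flags | AD) if value else (flags & ~AD & 0xFFFF)
    return struct.pack(">HH", txid, flags) + msg[4:]


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def answer_types(msg):
    """RR types in the answer section, in order."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types


def assess(msg):
    """'validatable': RRSIGs present, so the stub can check them locally (CD/DO path).
    'ad-bit-only': the resolver claims validation but the client has nothing to
    check, which is exactly what a MitM can forge. 'unsigned': neither."""
    if TYPE_RRSIG in answer_types(msg):
        return "validatable"
    if parse_header(msg)["ad"]:
        return "ad-bit-only"
    return "unsigned"


if __name__ == "__main__":
    q = build_query("example.com.")
    print("query sets CD:", parse_header(q)["cd"], "DO:", query_has_do(q))
    honest = build_answer("example.com.", "192.0.2.1")
    forged = set_ad(honest, True)   # MitM sets AD on an unsigned answer
    print("forged answer looks validated:", parse_header(forged)["ad"], "->", assess(forged))
    signed = build_answer("example.com.", "192.0.2.1", signed=True)
    print("answer to a CD+DO query:", answer_types(signed), "->", assess(signed))
```

The design point is in `assess`: the only answer a stub can treat as DNSSEC-protected is one it can validate itself, which requires the RRSIGs (and, in a real implementation, the DNSKEY/DS chain up to a trust anchor, which this script does not fetch or check). An AD bit on its own is one byte of unauthenticated UDP payload, which is why `set_ad` needs no key material at all.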

    • DNSSEC so they can't do anything to your DNS queries (not even by directing you to an evil resolver), and SSL or similar for everything else so your connections can't be edited or sniffed.

      Actually, once the bad guys have installed malware on your PC, it's pretty much game over. DNSSEC won't help you, and SSL won't help you: they are designed to thwart man-in-the-middle attacks, not man-in-the-endpoint attacks. If your PC is compromised, the DLL that performs DNSSEC or SSL verification can also be compromised. We don't really have a security model to deal with man-in-the-endpoint attacks, other than things like two-factor (or n-factor) authentication which work because one of the two (or n) c

      • Actually, once the bad guys have installed malware on your PC, it's pretty much game over. DNSSEC won't help you, and SSL won't help you: they are designed to thwart man-in-the-middle attacks, not man-in-the-endpoint attacks. If your PC is compromised, the DLL that performs DNSSEC or SSL verification can also be compromised.

        Sure, but a cursory reading of the summary/headline seemed to imply that they were using their position as ISP to cause trouble, rather than just being generic malware vendors.

  • Use common sense!
    • by TimSSG ( 1068536 )

      Use common sense!

      You must have never heard of "Peak common sense": the idea that there is a finite amount of common sense that can be used in any given year, and that the amount will peak and then decline steadily to zero. Note: a second cause is that common sense per individual is declining because of population growth. Tim S. PS: You think my theory is a joke? Good, then make it funny.

  • Here I was thinking that this article would be about Comcast, but then I remembered that Comcast is just the regular kind of fraud. Over-promising and under-delivering...

    Anywho, this is kind of scary, but not in an internet-scary kind of way, but instead in a crime can be all around you kind of way. Imagine if a restaurant was a front for a crime hub, i.e. skimming credit card and checking info, they would have access to people's financials, but in a much more limited sense. Although it would be interestin
    • by stokessd ( 89903 )

      Here I was thinking that this article would be about Comcast, but then I remembered that Comcast is just the regular kind of fraud. Over-promising and under-delivering...

      Careful there! You are giving Comcast WAY too much credit. I would chalk that up to incompetence rather than malice. The latter is way harder, and the clowns at Comcast don't have the chops to do it well.

      Sheldon

    • by jd2112 ( 1535857 )

      Here I was thinking that this article would be about Comcast, but then I remembered that Comcast is just the regular kind of fraud. Over-promising and under-delivering...

      That's not fraud, that's sales. Otherwise every salesperson in the world would be guilty of fraud. Always assume that if someone is selling you something they are exaggerating the capabilities of their product/service.

      • by porl ( 932021 )

        Not necessarily true. I have had many cases where I have purchased something from someone who has been completely open about describing any limitations etc. of a product. I actually find I repeat buy from that type of salesperson far more than I would from someone who has talked something up and failed to deliver. Usually if you show that you know what you are talking about and will see through any attempts at deception, and that you are not an arrogant prick, then they will open up and be much more down to eart

  • Solution (Score:4, Interesting)

    by girlintraining ( 1395911 ) on Wednesday August 26, 2009 @12:13PM (#29204267)

    Man in the middle attacks have a classic solution: Encryption and non-repudiation in the authentication protocols. Encrypt everything between the client and server (as IPv6 allows for) and the amount of damage a rogue ISP can do (or any peer point) is greatly reduced.

  • Network neutrality (Score:5, Interesting)

    by MobyDisk ( 75490 ) on Wednesday August 26, 2009 @12:36PM (#29204603) Homepage

    From a US perspective: without network neutrality, this is all legal.

    Page 8 of the PDF shows CNN.COM with an advertisement replaced. What stops them from replacing the content of the articles? Page 10 shows how they hacked Google results. What keeps them from changing those results to filter articles on politics, religion, gender issues, laws...

  • I though "legitimate business" and "front for crime syndicate" were mutually exclusive.
    • Re: (Score:1, Funny)

      by Anonymous Coward

      Funny I never could tell the two apart.

  • First: I'm Estonian and maybe not objective. But, in my opinion, this "research" is a little bit inflammatory. I didn't count, but if every third word is "Estonian" or "Estonia" or "Tartu", then this looks like "oww, look at those foreign, maybe Russian, cybercriminals!". Anyway, this is an old, dead horse that gets beaten, this infamous EstDomains a.k.a. Rove Digital (if anybody wants proof, look at Figure 1 in the PDF and compare rovedigital.com). This article tries to make the impression that in Estonia this ISP is legal or
  • I for one welcome our new Cybercriminal Tartu Overlords ...

    (Especially since they have to be within a 3 mile radius of me, being in Tartu as well)

  • What security measures should be taken to prevent normal users from falling victim to such malicious bodies?

    I think a massive DOS attack will teach these Estonian bastards! Oh wait..

  • Comcast (Score:1, Funny)

    by Anonymous Coward

    I totally came in here expecting this to be about Comcast. I feel like I'm being robbed every month when I pay my bill.

  • I run a P3 700MHz, 512MB RAM box with dnsmasq and a proper hosts [mvps.org] file on said server. I have a Comcast connection, but I believe Comcast isn't filtering NX records in Florida yet?
    • P.S. The server box uses 4.2.2.1-3 for its own DNS lookups. I believe dnsmasq is capable of fixing 'fixed' NX records with this route. At least, I believe that was talked about the last time I was reading up on it.
  • For those interested, check out some info about the RBN (Russian Business Network), which was organized around an ISP in St. Petersburg; this was a really big operation.

    This report lacks some detailed information about the ISP, e.g. which ASes are involved, etc., so one can just react and put them into a DROP list or do AS-path filtering. If it's an ISP with a known AS, you (your ISP) can react.

  • I was just wondering in Figure 6 of the PDF where is step 5?
