Last week, security experts launched a sneak attack to disconnect Troyak, an Internet service provider in Eastern Europe that served as a global gateway to a nest of cyber crime activity. For the past seven days, unnamed members of the security community reportedly have been playing Whac-a-Mole with Troyak, which has bounced from one legitimate ISP to the next in a bid to reconnect to the wider Internet.
But experts say Troyak’s apparent hopscotching is expected behavior from what is in fact a carefully architected, round-robin network of backup and redundant carriers, all designed to keep a massive organized criminal operation online should a disaster like the Troyak disconnection strike.
Security firm RSA believes Troyak is but one of five upstream providers that encircle a nest of eight so-called “bulletproof networks” – Web hosting providers considered impervious to takedown by local law enforcement (pictured in red in the graphic below). RSA said this group of eight hosts some of the Internet’s largest concentrations of malicious software, including password stealing banking Trojans like ZeuS and Gozi, as well as huge repositories of personal and financial data stolen by these Trojans and a notorious Russian phishing operation known as RockPhish.
According to a report RSA issued today, these eight networks connect directly to Troyak and four other upstream providers that “surround the malicious core,” and help to “mask the true malware-hosting armada and provide solid uptime to the malware servers.” In addition, Troyak and the other four upstream providers (shown in orange in the diagram above) all share connections amongst themselves, and individually connect to one or more legitimate, regional ISPs (the green circles in the picture above) that can provide connections to the global Internet.
In fact, RSA said, when Troyak was initially knocked offline on March 9, it was because several regional ISPs (green networks on the left side of the graphic) simultaneously denied it service. Presumably, these ISPs cut the cord to Troyak due to pressure from security researchers who enumerated and explained to those ISPs the criminal networks they were supporting.
The trouble was, the four other providers in Troyak’s hub also had their own connections to regional ISPs, and so the entire network of bulletproof hosts that largely depended on Troyak to reach the larger Internet could suddenly shift gears and connect to the Internet through these peers. The regional ISPs are depicted as the green circles in the map above, and RSA calls them legitimate ISPs, although anti-spam outfit Spamhaus on Tuesday listed one of Troyak’s main regional connections — Russia-based NLINE — on its spam blacklist for “repeatedly hosting cybercriminal spam gangs.”
“It is important to understand that although part of this infrastructure may lose connectivity, these bulletproof networks are still able to resume online activity through other upstream providers they have access to; most are back online having accessed alternate connections within that same cybercrime infrastructure,” RSA stated in its report on the Troyak takedown. “This redundancy mechanism is at the core of keeping malicious servers up and running over time, as observed through the past week’s events.”
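To make the redundancy RSA describes concrete, here is an added example (my code, not RSA’s or this article’s) that models the three tiers as a small graph and asks which upstream providers would all have to go dark, not merely lose a regional link, before every bulletproof host is cut off. The topology is constructed from the description above: eight hosts behind five upstreams that peer with one another, each upstream holding one or more regional ISP links. Only the names Troyak and NLINE come from the article; every other label, and the exact link layout, is a placeholder assumption.

```python
from collections import deque
from itertools import combinations

# Constructed topology modelled on RSA's description of the Troyak hub.
# Only "troyak" and "nline" are names from the article; every other label
# is a placeholder, not a real network or AS number.
RED = ["bp%d" % i for i in range(1, 9)]                    # bulletproof hosts
ORANGE = ["troyak", "up2", "up3", "up4", "up5"]            # upstream providers
GREEN = ["nline", "reg2", "reg3", "reg4", "reg5", "reg6"]  # regional ISPs

EDGES = set()
for i, bp in enumerate(RED):
    EDGES.add((bp, "troyak"))               # the core leans on Troyak...
    EDGES.add((bp, ORANGE[1 + i % 4]))      # ...but each host has a second upstream
for a, b in combinations(ORANGE, 2):
    EDGES.add((a, b))                       # upstreams share connections amongst themselves
EDGES |= {("troyak", "nline"), ("troyak", "reg2"), ("troyak", "reg3"),
          ("up2", "reg4"), ("up3", "reg5"), ("up4", "reg6"), ("up5", "reg4")}
# the links the regional ISPs severed on March 9, in this model
TROYAK_TRANSIT = {e for e in EDGES if e[0] == "troyak" and e[1] in GREEN}


def adjacency(edges, dead_nodes=frozenset(), dead_edges=frozenset()):
    """Undirected adjacency map with the given nodes and links removed."""
    adj = {}
    for a, b in edges:
        if a in dead_nodes or b in dead_nodes or (a, b) in dead_edges:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(start, adj):
    """Breadth-first set of nodes reachable from start."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def online_hosts(dead_nodes=frozenset(), dead_edges=frozenset()):
    """Bulletproof hosts that can still reach at least one regional ISP."""
    adj = adjacency(EDGES, dead_nodes, dead_edges)
    return sorted(bp for bp in RED if reachable(bp, adj) & set(GREEN))


def minimal_upstream_cuts():
    """Smallest sets of upstream providers whose removal isolates every host."""
    cuts = []
    for k in range(1, len(ORANGE) + 1):
        for combo in combinations(ORANGE, k):
            dead = frozenset(combo)
            if any(dead > known for known in cuts):   # superset of a known cut
                continue
            if not online_hosts(dead_nodes=dead):
                cuts.append(dead)
    return cuts


if __name__ == "__main__":
    print("hosts online after regional ISPs drop Troyak:",
          online_hosts(dead_edges=TROYAK_TRANSIT))
    print("hosts online with Troyak gone entirely:",
          online_hosts(dead_nodes={"troyak"}))
    print("upstream sets that isolate the core:",
          [sorted(c) for c in minimal_upstream_cuts()])
```

In this model, severing Troyak’s regional links, or even deleting Troyak outright, leaves all eight hosts reachable through the peer upstreams; the only cut that works is removing all five, which is the point of the round-robin design the article describes. Swap the constructed edges for real AS adjacency data (for instance from BGP route collectors) and the same brute-force search tells a takedown team which depeering requests actually matter.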
RSA isn’t alone in trying to map badness and ISP reputation on the Web. In an excellently timed paper released this week at the IEEE Infocom conference in San Diego, a trio of researchers used data from at least a dozen spam, malware, bot and phishing blacklists to identify malicious networks. The researchers, from the Oak Ridge National Laboratory and Indiana University at Bloomington, identified several dense clusters of ISPs – particularly in Ukraine and Turkey – that appeared to be overly tolerant of malicious activity emanating from their networks.
The researchers also sought to identify ISPs and hosting providers with a disproportionate share of malicious network partners. For this measurement, they considered only providers with at least three partner networks. They found 22 networks in which 100 percent of the customers were classified as malicious, and some 194 networks in which at least 50 percent were.
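As an added illustration of the metric the study applies (my code, not the researchers’), the following Python script scores providers by the share of their customer networks that show up on blacklists. The feeds, networks and provider assignments are constructed placeholders; the rule that a network counts as malicious once two or more feeds list it, and the use of the three-network minimum as a floor on the denominator, are my assumptions about how to operationalise the description above.

```python
from collections import Counter, defaultdict

# Constructed stand-in for the study's blacklist feeds: each feed names the
# customer networks it flagged. Labels are placeholders, not real ASNs.
BLACKLISTS = {
    "spam-a":  {"c1", "c2", "c3", "c7"},
    "spam-b":  {"c1", "c3", "c8"},
    "malware": {"c1", "c2", "c4", "c7", "c8"},
    "phish":   {"c2", "c3", "c4", "c8"},
    "botnet":  {"c1", "c7"},
}

# Constructed customer -> provider relationships (placeholder labels).
CUSTOMER_OF = {
    "c1": "p1", "c2": "p1", "c3": "p1",
    "c4": "p2", "c5": "p2", "c6": "p2", "c7": "p2",
    "c8": "p3", "c9": "p3",
    "c10": "p4", "c11": "p4", "c12": "p4",
}


def malicious_networks(blacklists, min_lists=2):
    """Networks flagged by at least `min_lists` independent feeds.

    Requiring corroboration from more than one feed is my assumption, not
    the study's stated rule; it keeps one noisy list from branding a network.
    """
    hits = Counter()
    for flagged in blacklists.values():
        hits.update(flagged)
    return {net for net, n in hits.items() if n >= min_lists}


def provider_ratios(customer_of, malicious, min_customers=3):
    """Fraction of each provider's customer networks that are malicious.

    Providers with fewer than `min_customers` customers are skipped, so a
    provider with a single bad client cannot score 100 percent.
    """
    customers = defaultdict(set)
    for cust, prov in customer_of.items():
        customers[prov].add(cust)
    return {
        prov: len(custs & malicious) / len(custs)
        for prov, custs in customers.items()
        if len(custs) >= min_customers
    }


def providers_at_or_above(ratios, threshold):
    """Providers whose malicious-customer share meets the threshold."""
    return sorted(prov for prov, r in ratios.items() if r >= threshold)


if __name__ == "__main__":
    bad = malicious_networks(BLACKLISTS)
    ratios = provider_ratios(CUSTOMER_OF, bad)
    for prov, r in sorted(ratios.items()):
        print("%s: %.0f%% of customer networks malicious" % (prov, 100 * r))
    print("100 percent malicious:", providers_at_or_above(ratios, 1.0))
    print("at least 50 percent malicious:", providers_at_or_above(ratios, 0.5))
```

With the constructed data, p1 scores 100 percent, p2 scores 50 percent, p4 scores zero, and p3 is left out because it has only two customers. Feeding real blacklist dumps and a customer-to-provider map derived from BGP relationships into the same two functions reproduces the study’s counting step; the hard part in practice is the quality of the relationship inference, not the arithmetic.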
A story I wrote on that study can be found in today’s online edition of MIT Technology Review, at this link here.
I’ll be writing more about other data-driven efforts to identify problem ISPs and hosting providers over the next few days. Stay tuned.