U.S. Internet hosts are essential for criminal botnets

Published 15 November 2010

Cybercrime is often associated with Russia and China, and rightly so — but many of the servers vital to their activities are located elsewhere; facilities provided by Internet companies in the United States and Europe are crucial to these criminal gangs’ activities

Criminal gangs in Russia and China are responsible for much of the world’s cybercrime, but many of the servers vital to their activities are located elsewhere. An investigation commissioned by New Scientist has highlighted how facilities provided by Internet companies in the United States and Europe are crucial to these gangs’ activities.

Researchers at Team Cymru, a non-profit Internet security company based in Burr Ridge, Illinois, delved into the world of botnets — networks of computers that are infected with malicious software. Millions of machines can be infected, and their owners are rarely aware that their computers have been compromised or are being used to send spam or steal passwords.

New Scientist’s Jim Giles writes that several botnets have been linked to gangs based in Russia, where police have a poor record on tackling the problem. To manage their botnets, however, these gangs often seem to prefer to use computers, known as command-and-control (C&C) servers, in Western countries. More than 40 percent of the 1,500 or so web-based C&C servers Team Cymru has tracked this year were in the United States. When it comes to hosting C&C servers, “the U.S. is significantly ahead of anyone else”, says Steve Santorelli, Team Cymru’s director of global outreach in San Diego.

Santorelli and his colleagues also detected a daily average of 226 C&C servers in China and 92 in Russia. European countries not usually linked with cybercrime, however, were in a similar range, with an average of 120 C&C servers based in Germany and 64 in the Netherlands.

Internet hosts in Western countries appeal to criminals for the same reasons that regular computer users like them, says Santorelli: the machines are extremely reliable and enjoy high-bandwidth connections. Team Cymru’s research did not identify which companies are hosting botnet servers, but Santorelli says the list would include well-known service providers.

The use of U.S.-based C&C servers to control botnets is a source of frustration to security specialists, who have long been aware of the problem. It is happening even though most hosting companies shut down C&C servers as soon as they receive details of botnet activity from law enforcement agencies and security firms. “When we see an AT&T address serving as a botnet control point, we take it very seriously,” says Michael Singer, an executive director at AT&T.

Giles notes that despite these efforts, the criminals can quickly re-establish control by setting up a new C&C server with a different company, often using falsified registration information and stolen credit card details.

Hosting companies deal with botnets on a voluntary basis at present. They might be more vigilant if required to act by law, but that would create its own regulatory problems, Santorelli says. “The cops don’t run or govern the internet after all, and neither do they want to,” he says. For legal controls to work, it would be necessary to define who has the authority to decide whether a server is part of a botnet, and how requests from authorities abroad are dealt with.

Jeffrey Carr of security firm Taia Global, based in Washington, D.C., says that some less well-known providers have been warned about botnet activity on many occasions, but drag their heels when asked to shut down the criminals’ servers.

The problem arises partly because web hosting can be a big earner for some firms. “They’re generating millions of dollars in income,” says Carr.

Giles writes that improvements in security, such as requiring service providers to verify the details of people who rent server facilities, could well hurt these firms’ bottom line.