Current Events

We are pleased to report that the #1 Bad Host and crime server from last quarter's report - AS29106 VolgaHost, has been taken off-line, as from January 17th 2011.

This has occurred on the back of the recent de-peering of several major bulletproof hosts - so called for their support of known centers of cybercrime.

VolgaHost is well known to HostExploit. It topped our ranking of ‘Bad Hosts’ for the 4th quarter of 2010, having been ranked #3 in the two previous quarters.

As the following chart shows, it earned its placing due to the number of botnet Command & Control (C&C) servers it was hosting, as well as significant levels of malicious URLs, Zeus and exploit servers:

Click image to view full size.

S-1 registration...

In a month where the spotlight has been on Demand Media for reasons other than they had planned, a rapid risk reassessment has resulted in an amended S-1 registration and, more importantly, a significant reduction in malicious website activity.

It must have been a busy time in eNom’s security department since the announcement of Demand Media’s S-1 in mid-August and the adverse publicity that followed HostExploit’s report naming Demand Media as #1 ‘Bad Host’ in the world. Swift action appears to have been taken as eNom - Demand Media’s domain registrar arm - has shown signs of a dramatic reduction in the number of malicious activities hosted. HostExploit is pleased to report that in the past 7 days, well-known botnet command & control (C&C) servers present on eNom-hosted sites have finally been taken offline.

In a hard-hitting report, ‘Review of Illicit Registrar 2010’, KnujOn has revealed alleged illicit practices of at least 162 Registrars who could be benefiting from significant financial returns from their complicity. Particular attention has rested on eNom:

"... they sponsor more illicit pharmacy than the next 'top five' pharmacy-sponsoring Registrars combined".

There are roughly 4,000 rogue Internet pharmacies violating the criminal laws specified above that are utilizing ‘eNom’s’ registration services, more than any other Registrar by a factor of seven, KnujOn claim. eNom is aware of the illegal nature of these domains. eNom has been notified by the organization that represents pharmacy regulatory authorities about this problem, and has been requested to work with LegitScript, as other U.S.-based Registrars do, and non-U.S. Registrars who do business in the United States, to identify clearly illegal websites and suspend them in accordance with the RAA, UDRP and their own Terms and Conditions. eNom has failed to act’.

In recognition of the serious concerns with vulnerability of the DNS system as a whole Rod Beckstrom (ICANN’s CEO) chaired the panel himself with virtually all 1,200 or so ICANN meeting attendees present. Also on the panel was Whit Diffie; one of the fathers of public key encryption, Paul Mockapetris designer of the original DNS, Steve Crocker chairman of the Security and Stability Advisory Committee of ICANN, and Dan Kaminsky famous for unearthing the exploitation of DNS.

Primarily this session centered on DNSSEC (short for DNS Security Extensions), which is intended to add security to the Domain Name System. DNSSEC was designed to protect the Internet from certain attacks, such

Do-it-yourself cyber-crime kits have emerged for the average PC user, with built-in anti-virus protection and complete online security avoidance features.

Once upon a time, professional hackers needed the skills of willing script kiddies to exploit your PC or enterprise. Then along came the exploit kit, such as the “MPack,” courtesy of the RBN (Russian Business Network), and a new business enterprise was born.

Today, a new generation of exploits is available in off-the-peg kits requiring no more operational skill than that of a competent user.

One of the latest headline victims of an exploit kit was the US Treasury Website. Panda Security detailed how it happened -- and how a new generation of kits or packs can identify security vulnerabilities, select the preferred method of intrusion, and carry out the exploit, whether that be by PDF, an embedded iframe, or any other chosen method of exploitation.