Saturday, March 6, 2010

Who Is Responsible For Malware On U.S.-based Servers

Jeffrey Carr at IntelFusion has an interesting article "Imagine if Russia or China announced a formal policy of using non-state actors in cyber deterrence"

He notes that, "Many other nations in the world community see the U.S. in a more negative way already because 20 of the world’s top 50 worst ISPs for serving malware operate in the United States. This creates the illusion that the US is responsible when in fact foreign actors use US servers to mask attribution and, as a side benefit to them, feed anti-US sentiment. This strategy seems to be working according to the McAfee report “In the Crossfire” (.pdf), which surveyed “600 IT and security executives from critical infrastructure enterprises across seven sectors in 14 countries”. According to the report, the U.S. is seen as the “most worrisome potential aggressor”."
This concern regarding U.S.-based malware can be seen in this chart.
Carr observes, "Ironically, China will surely use this document against us as they continue to accuse the U.S. of launching cyber attacks against .cn websites. China, PRC officials will say, is busy shutting down bad ISPs and enforcing its own anti-hacking laws (which they are doing, by the way), while the U.S. does nothing about its own infected computers and badware."

This prompted me to examine malware infections at The Planet during 2010 as reported by The purpose was to determine what percentage of the malware served was attributable to foreign actors (non-U.S. citizens or organizations).
In order to show only the most recent data trends, I limited the examination to new instances of malware (i.e. ignoring the malware that existed at The Planet prior to January 1st). Those of you who investigate malware have a pretty good idea where this is going; however, I was surprised by the numbers. lists 83 infection methods across 58 unique IP addresses and 40 unique domains at The Planet (AS21844) for January 1, 2010 through March 6, 2010. In the three charts below, the numbers are broken out by the nationality of those responsible for the malware.

Malware Attribution at The Planet in 2010 by Infection Method

Malware Attribution at The Planet in 2010 By IP Address

Malware Attribution at The Planet in 2010 By Domain

As you can see, Russian and Ukrainian criminals are overwhelmingly responsible for the distribution of malware at The Planet. While this sample is not statistically significant, my guess is that such numbers are likely to hold in a wider sampling. In order to gauge ill will and damage by nationality I created a simple index; it is scored by multiplying infection methods by unique malware IPs by unique malware domains. As you can see in the chart below, the damage imposed by Russian and Ukrainian criminals far supersedes that of all other countries combined.

Damage Index by Actor Nationality

There are a variety of reasons contributing to this situation, including the failure of U.S. hosting firms to be held accountable under law for the actions of their clients, a failure by the hosting firms to vet their clients, a lack of civil liability for their business hosting operations, and a lack of Federal regulation on the industry. In short, aside from the potentially negative effect of appearing on one of the many blacklists published by independent researchers, U.S.-based hosting firms have no incentive whatsoever to clean up their IP space. I should hasten to note that The Planet is relatively clean compared to the dedicated criminal hosts, and operations like Demand Media. One can also point to the inability of the U.S. to extradite criminals from the former Soviet Union, as well as the extremely weak criminal justice systems in Russia and the Ukraine.

In the end, this will have national security implications because a foreign enemy could easily debilitate commerce in the United States using our own computers against us.

At the recent RSA conference, a number of good ideas were floated on how to clean up the Internet. These included levying a tax, and so forth. In my view, only a comprehensive approach will be effective in ending the current intolerable state of affairs. Simply blaming end users and/or Microsoft won't do.

James McQuaid