
Saturday, March 6, 2010

Who Is Responsible For Malware On U.S.-based Servers

Jeffrey Carr at IntelFusion has an interesting article, "Imagine if Russia or China announced a formal policy of using non-state actors in cyber deterrence".

He notes that, "Many other nations in the world community see the U.S. in a more negative way already because 20 of the world’s top 50 worst ISPs for serving malware operate in the United States. This creates the illusion that the US is responsible when in fact foreign actors use US servers to mask attribution and, as a side benefit to them, feed anti-US sentiment. This strategy seems to be working according to the McAfee report “In the Crossfire” (.pdf), which surveyed “600 IT and security executives from critical infrastructure enterprises across seven sectors in 14 countries”. According to the report, the U.S. is seen as the “most worrisome potential aggressor”."
This concern regarding U.S.-based malware can be seen in this chart.
Carr observes, "Ironically, China will surely use this document against us as they continue to accuse the U.S. of launching cyber attacks against .cn websites. China, PRC officials will say, is busy shutting down bad ISPs and enforcing its own anti-hacking laws (which they are doing, by the way), while the U.S. does nothing about its own infected computers and badware."

This prompted me to examine malware infections at The Planet during 2010 as reported by malwaredomainlist.com. The purpose was to determine what percentage of the malware served was attributable to foreign actors (non-U.S. citizens or organizations).
In order to show only the most recent data trends, I limited the examination to new instances of malware (i.e., ignoring the malware that existed at The Planet prior to January 1st). Those of you who investigate malware have a pretty good idea where this is going; however, I was surprised by the numbers.

Malwaredomainlist.com lists 83 infection methods across 58 unique IP addresses and 40 unique domains at The Planet (AS21844) for January 1, 2010 through March 6, 2010. In the three charts below, the numbers are broken out by the nationality of those responsible for the malware.

Malware Attribution at The Planet in 2010 by Infection Method

Malware Attribution at The Planet in 2010 By IP Address

Malware Attribution at The Planet in 2010 By Domain

As you can see, Russian and Ukrainian criminals are overwhelmingly responsible for the distribution of malware at The Planet. While this sample is not statistically significant, my guess is that such numbers are likely to hold in a wider sampling. In order to gauge ill will and damage by nationality I created a simple index; it is scored by multiplying infection methods by unique malware IPs by unique malware domains. As you can see in the chart below, the damage imposed by Russian and Ukrainian criminals far supersedes that of all other countries combined.
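The counting scheme behind the three charts and the damage index, as an added example that is not part of the original post: it filters malwaredomainlist-style records to one AS and a first-seen window, tallies infection methods, unique IPs and unique domains per actor nationality, and scores methods × IPs × domains. The records and the nationality attribution map are constructed here; the post's own attribution was done by hand.

```python
from collections import defaultdict
from datetime import date

# Constructed sample in the shape of malwaredomainlist.com entries:
# (first_seen, domain, ip, asn, infection_method). All values are invented.
RECORDS = [
    (date(2009, 12, 20), "old-example.test", "10.0.0.1", "AS21844", "exploit kit"),
    (date(2010, 1, 5),   "a.example.test",   "10.0.0.2", "AS21844", "exploit kit"),
    (date(2010, 1, 5),   "a.example.test",   "10.0.0.2", "AS21844", "trojan download"),
    (date(2010, 2, 1),   "b.example.test",   "10.0.0.3", "AS21844", "fake AV"),
    (date(2010, 2, 14),  "c.example.test",   "10.0.0.4", "AS21844", "phishing"),
    (date(2010, 2, 20),  "d.example.test",   "10.0.0.5", "AS99999", "exploit kit"),
    (date(2010, 3, 1),   "e.example.test",   "10.0.0.3", "AS21844", "exploit kit"),
]

# Constructed attribution of each domain to the nationality of the actor behind it
# (an assumption standing in for the manual attribution described in the post).
ATTRIBUTION = {"a.example.test": "RU", "b.example.test": "UA", "c.example.test": "US",
               "e.example.test": "RU", "old-example.test": "RU"}


def tally(records, attribution, asn="AS21844",
          start=date(2010, 1, 1), end=date(2010, 3, 6)):
    """Per nationality: number of listed infection methods, unique IPs, unique
    domains, and the damage index (methods * ips * domains), restricted to one AS
    and to entries first seen inside [start, end] (pre-existing entries are ignored)."""
    methods = defaultdict(int)
    ips = defaultdict(set)
    domains = defaultdict(set)
    for seen, domain, ip, rec_asn, _method in records:
        if rec_asn != asn or not (start <= seen <= end):
            continue
        who = attribution.get(domain, "unknown")
        methods[who] += 1          # one entry per listed infection method
        ips[who].add(ip)
        domains[who].add(domain)
    return {who: {"methods": methods[who], "ips": len(ips[who]),
                  "domains": len(domains[who]),
                  "index": methods[who] * len(ips[who]) * len(domains[who])}
            for who in methods}


def ranked(summary):
    """Nationalities ordered by damage index, highest first."""
    return sorted(summary, key=lambda who: summary[who]["index"], reverse=True)


if __name__ == "__main__":
    result = tally(RECORDS, ATTRIBUTION)
    for who in ranked(result):
        print(who, result[who])
```

The same shared IP (10.0.0.3) appearing under two nationalities is counted once for each, which is how per-nationality unique-IP counts behave when hosts are reused.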

Damage Index by Actor Nationality

There are a variety of reasons contributing to this situation, including the failure of U.S. hosting firms to be held accountable under law for the actions of their clients, a failure by the hosting firms to vet their clients, a lack of civil liability for their business hosting operations, and a lack of Federal regulation on the industry. In short, aside from the potentially negative effect of appearing on one of the many blacklists published by independent researchers, U.S.-based hosting firms have no incentive whatsoever to clean up their IP space. I should hasten to note that The Planet is comparatively clean as compared to the dedicated criminal hosts, and operations like Demand Media. One can also point to the inability of the U.S. to extradite criminals from the former Soviet Union, as well as the extremely weak criminal justice systems in Russia and the Ukraine.

In the end, this will have national security implications because a foreign enemy could easily debilitate commerce in the United States using our own computers against us.

At the recent RSA conference, a number of good ideas were floated on how to clean up the Internet. These included levying a tax, and so forth. In my view, only a comprehensive approach will be effective in ending the current intolerable state of affairs. Simply blaming end users and/or Microsoft won't do.

James McQuaid
3-6-2010

Thursday, August 14, 2008

OSS arrives

Let friend and foe alike know that the OSS has arrived in Georgia.

Saturday, August 9, 2008

Russian Cyberattack on Georgia

In line with its information warfare doctrine, the opening salvos of Russia's invasion of Georgia consisted of attacks on Georgia's communications infrastructure. The goal of this activity was to deny Georgia the opportunity to provide its perspective to the international press, and give Russia a corresponding advantage in shaping world opinion.

As documented at http://rbnexploit.blogspot.com, this cyberattack has been systematic and thorough. Its coordinated timing with the Russian conventional attack suggests that the criminal RBN is a military intelligence asset of the Russian government.

Many of Georgia's web servers are now under "unauthorized external control", and some web sites have been defaced. In addition, other Georgian servers are inaccessible due to disruptions by Russia and the RBN in the Internet's routing infrastructure. It should be noted that "AS8342 RTCOMM (Ru), AS12389 ROSTELECOM (Ru), AS9121 TTNet Autonomous System Turk Telekom (Tk) are well known to be under the control of RBN and influenced by the Russian government."

As noted in the August 8th editorial by The Washington Post, "Russian military probes, always denied by Moscow, have been frequent in recent years. But certainly the deeper source of tension between the two countries is Russia's insistence on maintaining hegemony in the Caucasus. Georgia's democratically elected government has accepted U.S. military and economic aid, supported the mission in Iraq and pursued NATO membership. Moscow will not tolerate such independence -- even by a relatively poor country of just 4.6 million people."

The Russian government's use of murder, extortion and blackmail in pursuit of political and economic policy goals has been well documented in the past several years. Europe, the United States, and the world at large will proceed from this point wary of the Russian mafia state.

For the purpose of circumventing the Russian cyber blockade of Georgia, I am reproducing below an official statement of the government of Georgia:

Mikhail Saakashvili, President of Georgia

"Georgia seeks peaceful resolution to the conflict in South Ossetia Georgian troops mobilize to protect civilian population from rebel attacks TBILISI – Sat 09 August 2008 –

The Government of Georgia has sought to defuse the tense and violent situation in the South Ossetia region yesterday by declaring a unilateral ceasefire and appealing to the leadership of the separatist rebels to begin talks with the State Minister for Reintegration Temuri Yakobashvili. Despite calls for peace, separatist rebels continued to attack Georgian police posts and the civilian population.

Initially government forces did not return fire. However, at 8:30pm the village of Avnevi came under fire from separatists and the village was almost completely destroyed. The government-controlled village of Prisi also came under attack by separatists, which left several people wounded.

In response to separatist attacks on government-controlled villages, Georgian Armed Forces occupied several villages in South Ossetia early this morning. At around 5:30am, Russian Federation forces began moving into the conflict zone through the Roki tunnel, which connects Russia and Georgia and has been an entry point for the illegal transfer and sale of arms to separatist rebels. Two additional Russian units entered into Georgia through the Roki tunnel around 8:00am. The first Russian unit that entered Georgia through the Roki tunnel was killed as they attempted to cross the Gufta Bridge, which was also destroyed in the operation conducted by the government’s air command.

The Russian air force has also been conducting military operations in Georgia. Military fighter planes dropped bombs in four towns. The Russian air force also bombed the villages of Variani, injuring seven civilians, and dropped three bombs on Gori. The OSCE has confirmed the Gori operation was conducted by the Russian air force. So far several people have been killed and wounded, including innocent civilians.

In an effort to protect the civilian population, the President of Georgia Mikhail Saakashvili declared a unilateral ceasefire to be in effect between 3:00pm – 6:00pm Friday. During this time, the civilian population and the separatists were invited to cross the line of control. The government has also provided humanitarian assistance and full amnesty for those separatists that choose to surrender. As of 2:30pm, Georgian forces controlled 100% of Tskhinvali with just a few small groups still resisting government presence. Despite the ceasefire, Russia continued to take aggressive military action within Georgian territory.

At 4:30pm and 5:35pm, Russian military aircraft bombed a Georgian military base in Marneuli three times, in the southern part of the country about 30 kilometres from Tbilisi, resulting in the destruction of grounded Georgian military equipment, severe damage to a number of buildings, and several casualties.

Russian military aircraft also entered Georgian airspace at 3:05pm and dropped two bombs on the Georgian military airbase in Vaziani, just on the outskirts of the capital."

Friday, August 8, 2008

Stop the Russian Mafia state

Both Senator Barack Obama and Senator John McCain have demanded that Russia withdraw from Georgia. The Washington Post has just published an editorial calling on the West to stop Russia. If we fail to do so, we can expect more predatory violence from the Russian Mafia state.

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/08/AR2008080802741.html

"Stopping Russia
The U.S. and its allies must unite against Moscow's war on Georgia.

THE OUTBREAK of fighting between Russia and the former Soviet republic of Georgia was sudden but not surprising. Conflict has been brewing between Moscow and its tiny, pro-Western neighbor for months. The flashpoints are two breakaway Georgian provinces, Abkhazia and South Ossetia -- the latter being the scene of the latest fighting. The skirmishing and shelling around Georgian villages that prompted Georgian President Mikheil Saakashvili to launch an offensive against the South Ossetian capital, Tskhinvali, may or may not have been a deliberate Russian provocation, to which Russia's tank and air assault was the inevitable follow-up. Russian military probes, always denied by Moscow, have been frequent in recent years. But certainly the deeper source of tension between the two countries is Russia's insistence on maintaining hegemony in the Caucasus. Georgia's democratically elected government has accepted U.S. military and economic aid, supported the mission in Iraq and pursued NATO membership. Moscow will not tolerate such independence -- even by a relatively poor country of just 4.6 million people.

At its summit in Bucharest, Romania, in April, NATO offered Georgia eventual membership. This was not the more concrete promise that Georgia, and the Bush administration, had wanted. But Tbilisi and Washington settled for less in deference to European NATO members who wanted to avoid inflaming Russia. It didn't work, because Moscow responded by increasing its ties to Abkhazia and South Ossetia, including by beefing up the "peacekeeping" forces it maintains in both regions under the settlement that concluded Moscow-backed secessionist wars in the early 1990s. Even before these latest maneuvers, Russia had issued passports to most inhabitants of the two breakaway regions, which is why it claims to be defending its own people now.

It's doubtful, though not unthinkable, that Russia actually plans to conquer all of Georgia. But its objectives are no less cynical for that. Simply by keeping the country in a constant state of territorial division and conflict, it hopes to show NATO that Georgia is too unstable for membership -- thus giving Georgia no choice but to submit to Moscow's "influence." Probably Russia intends to administer a quick military "punishment" (as Russian President Dmitry Medvedev described Moscow's war aim) to Mr. Saakashvili, and then restore some version of the unstable status quo ante.

This is a grave challenge to the United States and Europe. Ideally, the U.N. Security Council would step in, authorizing a genuine peacekeeping force to replace the Russian one that has turned into a de facto occupation of Abkhazia and South Ossetia. But a Russian veto rules that out. Thus, the United States and its NATO allies must together impose a price on Russia if it does not promptly change course. The principles at stake, including sovereignty and territorial integrity, apply well beyond the Caucasus. To abandon Georgia and its fragile democratic Rose Revolution would send a terrible signal to other former Soviet and Warsaw Pact republics that to Moscow's dismay have achieved or are working toward democracy and fully independent foreign policies. The West has made that sort of mistake before and must not do so again."