The Federal Trade Commission shut down an Internet Service Provider Thursday for engaging with cybercriminals in a slew of intentionally malicious activities.
The ISP is alleged to have hosted botnet command and control servers that run massive spam campaigns and denial of service attacks, and also websites that serve up malware, child pornography and other explicit content.
A district court judge approved an FTC request shutting down Web hosting provider Triple Fiber Network (3FN.net), operated by Pricewert LLC, which is suspected of hosting thousands of malicious sites tied to phishing, spyware and malware campaigns, as well as botnet command and control servers.
"The ISP's upstream providers and data centers have disconnected its servers from the Internet," the FTC said in a statement issued Thursday.
The action may be only a temporary setback for cybercriminals, who are already finding alternative places to host their activities, according to security experts.
The FTC complaint alleges that 3FN.net advertised its services on Internet forums used by hackers, established to allow cybercriminals to discuss strategies, share information and buy and sell stolen data and automated attack tools. Investigators uncovered more than 3,440 messages advertising 3FN.net services. The FTC said that the site also shielded its criminal clientele by ignoring take-down requests issued by security researchers and by using other Internet protocol addresses that it controlled to evade detection.
The ISP is also suspected of deploying and operating botnets used to send out massive spam campaigns and denial of service attacks. 3FN.net allegedly recruited bot herders and hosted the command-and-control servers used to communicate with the zombied computers.
According to the FTC court documents filed in the U.S. District Court for the Northern District of California, San Jose Division:
- All of 3FN.net's employees are suspected to be located in Ukraine or Estonia.
- The FTC obtained several ICQ chat logs showing Pricewert's senior staff, including its head of programming and its sales director, allegedly participating directly with bot herders in the creation and configuration of a botnet.
- 3FN.net is suspected of hosting websites involved in 22 separate attacks on NASA computers, including five attacks in 2009 and one as recently as April of 2009. The attacks were estimated to have cost NASA more than $14,000 to repair the damage.
- Investigators discovered that the ISP hosted websites engaged in hijacking users' Web browsers; websites used in search engine optimization (SEO) ploys to artificially inflate their rankings; and illegal online pharmacies. Investigators also discovered command and control servers that controlled more than 4,500 malicious software programs; sites engaged in intellectual property theft (MP3 and movie file sharing and downloads); sites featuring investment and currency trading scams; hacking-related sites; rogue anti-virus products; and sites distributing Trojan horses.
- More than 40 websites hosted by 3FN.net are suspected of hosting child pornography. The National Center for Missing and Exploited Children received more than 700 reports of child pornography hosted at 3FN.net and confirmed 500 different cases.
The court issued a temporary restraining order and froze all of Pricewert's assets until a preliminary injunction hearing is held on June 15.
The 3FN.net shutdown is the first of its kind sought by the FTC. It represents the second time in less than a year that a major ISP was cut off by its upstream providers. Global Crossing and Hurricane Electric shut down San Jose-based Web hosting service provider McColo late last year for hosting the command and control of the Srizbi botnet. The action had an immediate impact on spam volume, since McColo played host to Srizbi, which at the time was responsible for 50% of all spam globally. In 2008, ICANN, which governs the use of top-level domains and accredits domain registrars, de-accredited the Estonia-based registrar EstDomains.
Don't expect a major impact from the 3FN.net shutdown, said Vincent Weafer, vice president of Symantec Security Response. Weafer said Symantec helped the FTC by providing statistics about the amount of malicious activity that came from domains hosted by 3FN.net. One of the known botnets associated with 3FN.net is Cutwail, which represents about 8% of known spam volume globally and is tied to Russian spam touting pharmaceuticals, Weafer said. Symantec uncovered more than 600 IP addresses controlled by 3FN.net that were launching a variety of attacks capable of taking over a victim's machine, and 17 different 3FN.net IP addresses that housed botnet command and control servers.
"This will be more of a blip in terms of a significant decrease in any malicious activity," Weafer said. "Our belief is that the people using this service will move to other locations and many will move faster this time around because they've learned from the past and already have backup plans."
The United States is typically the first choice of cybercriminals for hosting botnets, since its IP address space is considered to have a good reputation, helping them avoid reputation blacklists. Weafer said increased U.S. law enforcement action is forcing cybercriminals to move offshore to Russia and Asia.
Researchers at security firms have been frustrated trying to get some ISPs to shut down malicious domains, said Mary Landesman, senior security researcher at Web security services vendor ScanSafe Inc. In many cases, the same host will allow malicious domains to come back online, she said. Landesman called the FTC effort and President Obama's cybersecurity initiative a good sign that authorities are going to seriously crack down on those who host cybercriminals.
"When the cost of doing business with criminals is higher than the cost of doing business legitimately then they'll start doing business legitimately," Landesman said. "Until then, we're going to continue to play this cat and mouse game."
In addition to Symantec, the FTC said it received assistance from NASA's Office of Inspector General, Computer Crime Division; Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham; the National Center for Missing and Exploited Children; the Shadowserver Foundation; and the Spamhaus Project.