A rogue ISP that housed the backbone of a number of cybercriminal operations, including botnet command and control servers, malware and child pornography, has been permanently shut down by a court order Wednesday.
U.S. District Court Judge Ronald M. Whyte ordered all operations of Web hosting provider Triple Fiber Network (3FN.net), operated by Pricewert LLC, permanently halted and said the rogue ISP's servers, facilities and other equipment would be sold by a court-appointed receiver in 120 days. In addition Whyte ordered the ISP to turn over $1.08 million in revenue it made as a result of the operations to the Federal Trade Commission.
The FTC sought more than $2 million in revenue from the ISP, but Judge Whyte said it failed to show the relative percentage of illegal versus legal activities of 3FN/Pricewert. Whyte noted that some of the ISP's activity was legitimate.
"There seems to be little doubt from the information provided that Pricewert functioned primarily as an Internet service provider for illegal activity. Nevertheless, there was a relatively small number of apparently legitimate customers who used Pricewert as their service provider. This came to the court's attention when some of those customers contacted the court after the Pricewert servers were shut down. Therefore, it seems clear that a portion of the monthly profits of $30,000 reportedly realized by Pricewert were realized from legitimate business activity," Whyte noted in his court order.
FTC shutters rogue ISP for hosting malicious content, botnets: Executives at Triple Fiber Network are suspected of recruiting bot herders and hosting botnet command and control servers.
3FN.net ISP shutdown interrupts spam campaigns: The shutdown of 3FN.net disrupted the Cutwail Botnet and may have reduced global spam volumes by 15%. But spam levels are expected to increase to pre-shutdown levels, experts say.
Last June, the FTC won a court order requiring 3FN.net's upstream Internet providers to stop servicing the ISP, temporarily . The ISP deployed and operated botnets used to send out massive spam campaigns and denial-of-service (DoS) attacks and was notorious for ignoring requests by security researchers to shut down attack websites it hosted.
The FTC also provided evidence that those working for 3FN.net recruited bot herders to host command-and-control servers used to communicate with hoards of zombie computers. The command-and-control servers infected machines with thousands of pieces of malware, including keystroke loggers and password stealing Trojans with hidden backdoor remote control activity, the FTC said.
The 3FN.net shutdown is the first of its kind sought by the FTC.Global Crossing and Hurricane Electric shut down San Jose-based Web hosting service provider McColo late last year for hosting the command and control of the Srizbi botnet. The action had an immediate impact on spam volume since McColo played host to Srizbi, which at the time was responsible for 50% of all spam globally. In 2008, ICANN, which governs the use of top-level domains and accredits domain registrars, took the action to de-accredit the registrar EstDomains, which is based in Estonia.
3FN.net was linked to about 17 botnet command-and-control servers used to send out spam. It temporarily disrupted the Cutwail botnet, which was responsible for 35% of the global spam volume. Experts said the spammers behind Cutwail turned to alternative command and control servers and the spam volume turned to normal levels.