Proactive IT Security
Fighting malware on two ends

Security Information Week 47, 2008

Introduction

Recently we have seen some of the major players on "the dark side" of the Internet community removed from the Internet. Malicious activity dropped instantly, and by an amazingly significant quantity. Interestingly, the authorities were not involved in this clean-up, at least not directly.

What can be learned from this?

Two examples

1. EstDomains

It has been well known in the security industry that the registrar EstDomains was "responsible" for several domains from which malicious activity was carried out.

In a letter from the Internet Corporation for Assigned Names and Numbers (ICANN), the registrar agreement with EstDomains was terminated. ICANN is the organization responsible at the highest level for assigning domain names and IP ranges.

The termination letter states that the agreement was terminated because the president of EstDomains was convicted of felonies (in Estonian courts).

Interestingly, EstDomains had registered no less than 281 000 domain names, which represents quite a potential for malicious activity.

The initiative to take down EstDomains came from some articles in the Washington Post - see

2. McColo

McColo is said to be the originator of 75% of all spam in the world, and soon after the company's Internet presence was terminated (11 November), the spam volume dropped significantly.

This image from Norman's online spam filtering shows how the spam volume decreased:

(If you are interested in observing the spam volume in real time you can check our live statistics.)

Reports from other systems that monitor spam volume show similar major drops in total spam volume after McColo's Internet connections were terminated.

The initiative to take down McColo also came from the Washington Post, according to the newspaper's SecurityFix:

There are numerous other examples of malicious web sites and other computers that have been taken down as a result of initiatives from security organizations. Antivirus vendors, for example, are major players in shutting down botnets as a consequence of their analysis of malicious software that utilizes botnets.

Attacking malware from two ends

The traditional approach to getting rid of malware has been to block it on the receiving end - by having end-users install antivirus, antispyware, antispam and firewalls. This in itself of course does not stop the problem, unless the mechanisms set up are so efficient that no malware at all gets through and the malware creators give up their profitable activity. So far we have seen no proof that this succeeds; malware activity has been rising exponentially in recent years.

The two examples above show that another point of attack may complement the traditional one - focusing on the distributors of malware. This is very effective when it succeeds.

It seems safe to assume that the organizations and individuals that utilized the two players mentioned above will eventually find alternatives. Nevertheless, these two cases have obviously dealt a serious blow to those who use the Internet for their criminal activity.

It is food for thought that no national or international authorities seem to have been involved in the termination of the two organizations discussed in this article. [It may be argued that ICANN is not totally beyond governmental control due to its relationship with the US Department of Commerce, but there is no reason to believe that this relationship was in any way involved in ICANN's decision mentioned above.]

One may wonder whether the reason for this missing governmental involvement is insufficient priority, a lack of effective laws and other regulations to apply (particularly when several countries are involved), or other reasons.

The two cases that are the topic of this article clearly show that focusing on the point of origin involved in distributing malware (as opposed to creating malware) has a substantial impact on the activity of malicious software. This approach is difficult, expensive in terms of both manpower and other resources, and in some cases almost impossible. However, when successful, the result may be extremely beneficial for the Internet community.