The Spamhaus Project

news

Another one bytes the dust

by The Spamhaus TeamNovember 17, 20084 minutes reading time

Following the October 2008 shut down of the largest US based host of trojan malware, botnet command and control systems (C&Cs) and DNS changer hosts (pharming), Intercage/Atrivo, another US based network specializing in hosting similar cybercrime has been taken off the Internet.

McColo is a bit different from Intercage/Atrivo in that although the IP addresses were from the North American registry ARIN, were routed in the US, and the company used US postal addresses, the person or persons controlling the operation are based in Moscow, Russia.

After a report by the Washington Post, with evidence from Hostexploit, SecureWorks and other top botnet researchers, McColo's two "upstream" networks Hurricane Electric and Global Crossing shut off all routing on Wednesday, 12 November 2008. McColo quickly tried to get re-connected and on Saturday, 15 November 2008, found a bandwidth reseller (giglinx.com, who we assume amazingly had not heard the news) to connect them to a US node of the European-based Telia network (San Jose, California, where McColo's servers are located). This routing did not last for more than a few hours before the routing was canceled by Telia. During this uptime, the bots controlled by the McColo C&Cs were once again seen sending spam.

A major drop in global spam was seen immediately on Wednesday, 12 November 2008, when McColo and the C&C servers there dropped off the Internet. There have been widely different levels of spam decline reported since McColo went down. The reported declines vary from 5% all the way up to 90%. There can be variations in spam rates from one ISP or anti-spam vendor to another, but not this wide a range. Spamhaus saw about 60% decline in raw spam delivery attempts. Lower percentage numbers probably came from places which measured after spam volume after SMTP connection filtering such as Spamhaus' XBL and/or PBL blocklists at their email server gateways. These Spamhaus blocklists stop the majority of botnet spam all of the time, so any significant drop in botnet spam won't show up in post-filtering statistics. One must measure every blocked connection, too, to calculate the real percentage drop.

We recommend anyone who saw more than a 30% reduction in delivered spam should look into employing some sort of SMTP connection filtering as this drop in botnet spam, nice as it is, will not last. Investigators report that many of the C&C servers at McColo were originally hosted at Intercage/Atrivo. Even now, several of the C&C functions are migrating to hosting closer to the homes of the botmasters: Russia.

Are there any dark linings to this silver cloud? Yes. The first is that the cybercrime botnet and spam gangs will need to infect many more computers with new virus and trojan malware that will not try and connect to C&C servers in the McColo IP address space. This will mean a ramp up in spamming of malware and hacking of websites to insert "drive by" infection code. A second downside, that can only be assumed, is that any law enforcement investigations into the McColo hosted criminals will have been sidelined. Lastly, Spamhaus and others have been waving red flags about McColo for several years, but they were kept online. Only a large concerted effort by multiple players including the press seems to be able to dislodge these pariahs of the internet.


Additional reading: