Allied action knocks out spam kingpin, but the war continues
The big news last month in the security and spam worlds was the shutdown of one of the world’s largest spamming networks. McColo Corp, a notorious web-hosting firm from California, was shut down after numerous reports of suspicious activity originating from its networks.
Shortly after McColo was effectively removed from the internet, email security firms around the world started reporting a dramatic reduction in spam and botnet activity. Numerous security researchers had been notifying McColo’s upstream providers about the activities being carried out from its network, primarily what are known as command and control (C&C) servers. These C&C servers command and control the vast networks of infected PCs on the internet, collectively known as botnets.
While the McColo shutdown has had an immediate impact on the amount of spam out on the internet right now, if it’s anything like the previous shutdowns we’ve seen, the spammers won’t be down for long.
We’ve seen at least two large providers taken down in recent months: the infamous Atrivo/Intercage incident and the demise of Esthost. Both of these providers were well known in the security industry as havens for cyber criminals.
Atrivo/Intercage’s networks in particular had been the source of a whole range of nefarious activities for years, including serving and hosting botnet infrastructure, spamming, malware hosting and illegal content. In the end the demise of these organisations was brought about, not by law enforcement officials, but through the hard work and tireless dedication of individuals in the network operations fields.
These individuals had been working for years to gather information on the activities of Atrivo/Intercage and Esthost, but decided to act themselves after years of inaction from the authorities. The end result was better than expected. McColo’s upstream providers de-peered from its networks, effectively removing McColo from the internet and rendering its servers unable to command and control the botnets. While I don’t think this situation is going to last, it does demonstrate the power the internet community at large can exert when one of its number goes rogue. Admittedly Atrivo/Intercage and McColo were able to operate for years with impunity, but I think this latest incident has set a precedent, and providers hoping to carry on similar activities, at least in the US, will probably now think twice.
As I said, I don’t think this is going to last. These recent shutdowns haven’t actually solved the problem: unpatched, insecure PCs are still getting infected with Trojans and are still being turned into spam bots. There is still a demand for these kinds of networks from black marketers looking to flog their copy watches or Viagra pills. And with the holiday season upon us shortly, spammers know that people will be in the buying mood.
With the holiday season also comes the likelihood that IT personnel will be away, and the chances of spam getting past spam filters are higher.
Now is the time to be thinking about protecting your company’s email and site security, particularly if IT staff numbers will be down.
You can read more information on the McColo evidence and resulting takedown at:
http://hostexploit.com/downloads/Hostexploit Cyber Crime USA v 2.0 1108.pdf