McColo Briefly Returns, Hands Off Botnet Control

A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."

Uncongested Relief!

I gotta say the past week without so much SPAM has been like having a 10 year head cold where I've become more and more congested...and just lived with it. To suddenly have the congestion stop for just a week....I almost forgot what life is SUPPOSED to be like without a clogged sinus of an Inbox. Damn spammers! I wish I could have one pointed out and slap them up side the head....and then let the other million of people get to slap them. Then after that slapfest.....find a person that bought something from a spammer and slap them. If there were ever a time for authorities to get involved...it would be now! Raid that ISP and you know they'd catch some guilty folks...some of which could flip.

Re:Uncongested Relief!

While we're having wild fantasies, I wish I had a time machine to go slap the idealistic hippies who originally designed the fledgeling network with practically no verification or security ON PURPOSE.

Speaking of wild fantasies about idealist notions... Ever wanted to be paid for work that wasn't asked for or justified at the time?

Alas...

This is an example of the old saying "The Internet treats censorship as damage and routes around it".

Unfortunately, this is happening for the bad guys as well as us.

Re:Alas...

The Internet could route around McColo too, if say, it were burned to the ground in the middle of the night. Or barring that, some 'hard pipe-hittin' thugs' somehow gained access to the building and went on a smashing spree. Anyone want to set up a donation box to hire somee thugs?

After all, what's this doing for us? It sounds almost like..well..treason! A foreign power is accessing systems in the United States and is using those systems to infect/enslave other systems. I wouldn't shed a tear if a black ops detachment traced the stuff back to its source and C4ed the offending equipment/operators in Russia or wherever they're coming from.

This just in!

After whacking down a mole, they continue to pop up!

this is great news

My penis thanks them, my very very large penis which is located in a recently refinanced home, that is.

Now as soon as my good friend MR AUSTINE OWOH is able to complete the transfer of my long lost uncle's estate from probate in Nigeria to my onshore checking account, I will be perfect, perfect with a very very large penis, that is.

Russian C&C is Actually Less Desirable

The use of a server located in Russia for C&C of the botnet is probably not as desirable as a US based host because of the large numbers of companies and ISPs which either black hole China and Russia entirely or subject traffic coming from and going to those parts of the Internet to much greater firewall scrutiny. I can see why they wanted the US server hosting in the first place while keeping the Russian datacenter as the backup plan.

Re:Let's turn TeliaSonera into a smoking crater ne

I don't see why. 15MB/sec for 12 hours is rougly 650 gigs - a lot, but a single external hard drive could have pulled it off. At most they shaved a week off their time to get the botnets back up and running at full capacity.

It's not the data, it's the cooperation.

This pretty much shows how certain ISP's help spammers. Particularly since they did not IMMEDIATELY bring up their backup link. Instead they waited until the weekend.

Re:Let's turn TeliaSonera into a smoking crater ne

Er, you can't communicate with a botnet with a harddrive, you know.

Re:Let's turn TeliaSonera into a smoking crater ne

Apparently TeliaSonera shut down the link as soon as they realised what was happening - the contract was through a proxy company.

See the Register [theregister.co.uk] article for more details.

So we can't really blame TeliaSonera.

Why the spamming bastards didn't just courier a hard drive to Russia instead is a mystery, though.

Re:Let's turn TeliaSonera into a smoking crater ne

The article said they had to update the command & control data for the botnets. The 'nets won't let just any computer control them, and this Russian server probably wasn't on the master list, so they needed to get back online with their old DNS hostname first.

Re:Epic Fail.

I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers.

Let's say you rent some space anf open a small convenience store. You work hard and make a modest living. Then your landlord rents out the shop next door to a crack dealer who's thriving business attracts a swarm of lowlifes who destroy the neighborhood. Are you going to be upset with the neighborhood watch when they make a fuss, or are you going to be upset with your landlord?

Re:Epic Fail.

I would get a camcorder and record the activity. I would then turn that over to the police and wait for the wheels of justice to smash the dealer into hamburger.

And if the police do nothing?

Re:Epic Fail.

If you have "malware" on your computer, your private data is already being exposed. It could just as well be a bot net operator whose combing through your data. Who'd you rather have digging through your infected computer?

Besides, the guys used possibly ill-gotten information that was true to convince the upstream provider to shut down the ISP. The experts didn't run into the data center, pulling plugs in a rage...though that might make a neat comic book. In truth, you should blame the upstream providers. Seriously, this isn't Governments running around meting out justice. This is companies listening to private organizations.

Re:Epic Fail.

What are you smoking? Or rather, are you someone arguing a point without a clue.

I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers.

Whether they had any legit customers is suspect. If they did, I'm sure they would have come to light very quickly.

Will my internet connection go down because someone uses my ISP for spam?

No, your ISP will be notified about spam originating from its networks and they'll either deal with the user who is undoubtedly violating their TOS or the ISP's IP range will be entered into mail blackhole lists. Nothing new there.

If my computer becomes infected with malware, how long before I have 'researchers' digging through my private data?

Unlikely, and sadly you probably won't get punted off the net like you should. Instead, your computer will continue to be abused for the purposes of these criminals.

Your efforts to compare this to the drug war are completely irrational, as their causes and symptoms are wildly different. On top of that, there was no government involvement here.

Re:Epic Fail.

wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers. Must have been pretty righteous. Of course, now it looks like they're going to have to play a game of whack-a-mole. What ISP shall die next at the hands of vigilante justice? Will my internet connection go down because someone uses my ISP for spam?

Well, frankly, yes. An ISP that turns a blind eye to such activities as accused, is just as good as helping the bad guys. And guess what... this is a war where almost anyone is willing to take casualties to end it. Now the innocent bystanders know they were dealing with shit for an ISP and have a big sign in front of their face to move to someone more reputable. It is a win for everyone, except the nefarious spammers/botnet operators that were put out by it. There is no sympathy for these folks.

Re:So what's YOUR solution?

1. I don't have a solution, I'm just considering the ethical aspect.

What is unethical about pointing out MASSIVE violation of terms of service by an ISP to their provider? The ISP has a duty to obey the terms they agreed to, and if it can't or won't it gets cut off. Just like you or I would get cut off by our upstream for violating whatever agreement we may have in place.

2. I'd rather deal with spam, malware, and con artists clogging the internet than vigilantes blowing holes in it.

Considering the sheer cost of cleaning up this bullshit, I doubt many share the same opinion. And the intenet was designed to route around holes in it. Theoretically at least.

3. As to who's protecting them -- it's not a question of who but what. In this case, economics.

No. There are definately quite a few "who"s in this mix. Like the greedy bastards who look the other way while their customers commit felonies. They are accessories to the crimes of their clients if they don't cut them off for their criminal bullshit.

4. It has taken this long because until now people were restrained by ethical considerations prevalent within the community. However, a certain moral flexibility seems to be developing now out of frustration. This can only end badly.

Are you kidding? People have been black-holed for decades on the internet for stuff like this.

WHERE IS THE ETHICAL ISSUE WITH TELLING A PROVIDER THAT THEIR CLIENTS ARE IN GROSS VIOLATION OF THEIR ACCEPTABLE USE POLICY????

Or worse.

Either they need to act on it when its pointed out or they will find themselves having to screen their traffic for content because of some cockamamy law passed because they were KNOWINGLY looking the other way while the sold space to kiddy-porn traders after numerous people pointed it out.

Re:So what's YOUR solution?

> Are you kidding? People have been black-holed for decades on the internet for stuff like this.

Citation needed.

Canter and Siegel were kicked off their ISPs in decently short order 14 years ago (1994) after starting to spam. See:
https://secure.wikimedia.org/wikipedia/en/wiki/Canter_and_siegel

Anyone familiar with the history of spamfighting will be able to point to numerous examples every year since then, of escalating size and complexity.

Look, the solution here is laws not vigilantism... Because the simple truth is no matter how good you are sooner or later you're going to fuck it up. The law ensures that when this happens, there's recourse. A vigilante will just disappear into the night with the words "I'm sorry" on his/her lips. And not only that, but the entire tone of your response rather underscores the need to get emotion out of this situation and the justice system is far better suited to this than your "Let's get a posse together and ride" solution.

Vigilantism is acting extrajudicially AND illegally as a community group to right a wrong or combat a criminal. It's an inappropriate model here - the response was entirely legal. It was done by people who, contrary to your assertion, were openly identified and stood and stand by their information.

If people were assassinating botnet operators or burning McColo datacenters down, THAT would be vigilantism. This is just community response.

Re:So what's YOUR solution?

Actually, its my PROFESSIONAL duty. Good luck suing me for pointing out that you are committing a felony to your provider. I have the feds computer crimes department on speed-dial.

If a shit-ton of malicious crap and SPAM/malware are coming into MY client's network (causing ME and MY CLIENTS a material loss), or if my client's systems have been infected with a botnet controlled from YOUR IP space(a felony), it is your responsibility to address that when I tell you about it. If you don't I'll talk to YOUR provider. Or would you rather I call the FBI and tell them you're systematically attacking my client?

I don't even have to be involved actually, I can just tell MY client's providers (some of which are backbone providers) what I see coming from YOUR network and they have entire departments to deal with that type of shit. So you can fight Level 3 and Verizon for all I care. Your customers are attacking their customers, they can cut you off just as easily.

Re:Epic Fail.

What's to prevent them from doing this every few months and leaving a trail of dead service providers in the wake of our new definition of "justice" as the botnet owners simply hop from one provider to the next?

That's simple - ISPs that value their continued existence will enforce their anti-spam/botnet policies rather than look the other way and take money from anyone who can pay. This isn't vigilantism, it's the upstream ISP dropping connectivity for contract violations when informed of the situation at one of their downstreams.

Re:Epic Fail.

Sigh

Way to ignore the obvious facts here.

The ISP had the option of blocking off the spammers.

They did not. Eventually, ISP who do not stop spam will be disconnected. The ISP that supported this botnet SHOULD be a shambles, they became that when they decided not to stop their clients spamming.

What will prevent them from going to new ISP is that ISP probably dont like being put out of business completely.

This should be a salutory lesson for the next ISP that is told they are sending spam.

I see no ethical issues, unless you are a spammer.

But I suspect troll is closer to the mark.

Re:Epic Fail.

The problem is, once you give the government jurisdiction to decide who can and cannot use the Internet, they will use that power to further their own interests rather than yours.

No politician will ever vote to decrease his own power.

Re:Epic Fail.

if spam wasn't profitable nobody would be doing it

Not necessarily. Spam may not be profitable, spamming may be. If you convince someone to pay you to spam for them, whether or not the spam itself generates any profit, you hustled them out of the money.

Re:Can they hear me now?

Please, dont do this.
These servers were plugged off on early monday (local moscow time), as soon we got contact with podolsk-mo. The networks of bad guys were:
62.176.16.0/22 (they got from local ISP)
91.200.144.0/22 (client's network)