
McColo Briefly Returns, Hands Off Botnet Control 242

Posted by kdawson
from the should-have-used-a-stake-through-the-heart dept.
A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."
  • by Anonymous Coward on Tuesday November 18, 2008 @07:49PM (#25810349)

    Sesame seed bun is on two all spam patties, special sauce, lettuce, cheese, pickles and onions.

  • they should have terminated their contract with these assholes immediately instead of letting them back up.

  • Uncongested Relief! (Score:5, Informative)

    by IgnacioB (687913) <matt_c_watkins@yahoo.com> on Tuesday November 18, 2008 @07:53PM (#25810407) Homepage
    I gotta say the past week without so much SPAM has been like having a 10 year head cold where I've become more and more congested...and just lived with it. To suddenly have the congestion stop for just a week....I almost forgot what life is SUPPOSED to be like without a clogged sinus of an Inbox. Damn spammers! I wish I could have one pointed out and slap them upside the head....and then let the other million people get to slap them. Then after that slapfest.....find a person that bought something from a spammer and slap them. If there were ever a time for authorities to get involved...it would be now! Raid that ISP and you know they'd catch some guilty folks...some of whom could flip.
    • Re: (Score:3, Insightful)

      by magarity (164372)

      > I wish I could have one pointed out and slap them upside the head

      While we're having wild fantasies, I wish I had a time machine to go slap the idealistic hippies who originally designed the fledgling network with practically no verification or security ON PURPOSE.

      • by statemachine (840641) on Tuesday November 18, 2008 @09:15PM (#25811245)

        > While we're having wild fantasies, I wish I had a time machine to go slap the idealistic hippies who originally designed the fledgling network with practically no verification or security ON PURPOSE.

        Speaking of wild fantasies about idealist notions... Ever wanted to be paid for work that wasn't asked for or justified at the time?

    • Re: (Score:3, Insightful)

      > I almost forgot what life is SUPPOSED to be
      > like without a clogged sinus of an Inbox. Damn
      > spammers!

      Why are you blaming the spammers?

      Spammers will exist and profit until everyone on the Internet starts treating their e-mail addresses with the same privacy and regard that they extend to their home telephone numbers.

      If you were to walk around town posting your phone number in every corner shop window with a demographic profile of yourself attached, would you then blame sales drones who called you

  • Alas... (Score:5, Insightful)

    by Amazing Quantum Man (458715) on Tuesday November 18, 2008 @07:54PM (#25810417) Homepage

    This is an example of the old saying "The Internet treats censorship as damage and routes around it".

    Unfortunately, this is happening for the bad guys as well as us.

    • Re:Alas... (Score:5, Funny)

      by Renraku (518261) on Tuesday November 18, 2008 @09:02PM (#25811141) Homepage

      The Internet could route around McColo too, if, say, it were burned to the ground in the middle of the night. Or barring that, some 'hard pipe-hittin' thugs' somehow gained access to the building and went on a smashing spree. Anyone want to set up a donation box to hire some thugs?

      After all, what's this doing for us? It sounds almost like...well...treason! A foreign power is accessing systems in the United States and is using those systems to infect/enslave other systems. I wouldn't shed a tear if a black ops detachment traced the stuff back to its source and C4ed the offending equipment/operators in Russia or wherever they're coming from.

  • by LockeOnLogic (723968) on Tuesday November 18, 2008 @07:56PM (#25810437)
    After whacking down a mole, they continue to pop up!
  • by Anonymous Coward on Tuesday November 18, 2008 @08:00PM (#25810493)

    My penis thanks them, my very very large penis which is located in a recently refinanced home, that is.

    Now as soon as my good friend MR AUSTINE OWOH is able to complete the transfer of my long lost uncle's estate from probate in Nigeria to my onshore checking account, I will be perfect, perfect with a very very large penis, that is.

  • Final Solution: (Score:4, Insightful)

    by Duncan Blackthorne (1095849) on Tuesday November 18, 2008 @08:04PM (#25810539)
    Kill them with FIRE. NOW. Before they spread AGAIN.
    • by Nimey (114278)

      I'd settle for a Grand Slam-sized bomb casing filled with a fuel-air explosive or cluster bomblets.

      Nice use of Godwin, there. ;-)

  • who let them back up ? Contracts be damned.
  • If most of Internet spam is sent by very few people, and all this movement of information makes it possible to track them better and maybe, finally, get them, the people who are the source of most spam could end up offline (and with a bit of luck, in Guantanamo/Siberia/wherever, waterboarded 24/7)
  • by CodeBuster (516420) on Tuesday November 18, 2008 @08:57PM (#25811073)
    The use of a server located in Russia for C&C of the botnet is probably not as desirable as a US based host because of the large numbers of companies and ISPs which either black hole China and Russia entirely or subject traffic coming from and going to those parts of the Internet to much greater firewall scrutiny. I can see why they wanted the US server hosting in the first place while keeping the Russian datacenter as the backup plan.
  • by LackThereof (916566) on Tuesday November 18, 2008 @09:28PM (#25811315)

    It appears that the new C&C server listed in the article, 62.176.17.200, has been blackholed by my ISP's routers. I'm on a Qwest "business/office" ADSL line. Any similar reports from other ISPs?

    Or is it actually down?

    If most American ISPs are blocking it, Rustock is dead, or at least in a coma. TFA implied that the IP address was being distributed to the bot, not the domain name.

    • by gad_zuki! (70830)

      The traceroute shows the connection dying before it even hits the transcontinental cable. If it was down it would at least get to Russia. I think ISPs are blocking it, and rightly so. AT&T DSL btw.

      • Re: (Score:3, Informative)

        by CoolQ (31072)

        Dies for me at my ISP's border router; I've never seen a traceroute die so fast. Only 2 hops before it goes dead. It makes me think that the global BGP tables are blackholing the subnet.

        I checked a bunch of BGP looking glasses and they all report "Network not in table", as in there are no global routes for that IP address.

        --Quentin
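The distinction drawn in the thread above (a traceroute that dies at the ISP's border router versus a looking glass reporting "Network not in table") comes down to a longest-prefix lookup against the BGP table. The following Python is an added example, not code from the thread, from Slashdot, or from any looking-glass service. It parses a constructed routing-table snapshot (RFC 5737 documentation prefixes and reserved AS numbers, all made up here) and classifies an address as routed, locally blackholed (next hop Null0, the usual remotely-triggered-blackhole convention), or absent from the table entirely, which is the "no global routes" case the comment describes.

```python
"""Longest-prefix lookup against a BGP routing-table snapshot.

Added example (not from the thread). The RIB below is constructed sample
data: RFC 5737 documentation prefixes and RFC 5398 reserved AS numbers.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str                 # "Null0" marks a locally blackholed prefix
    as_path: Tuple[int, ...]


# Constructed sample RIB in "prefix next-hop as-path" form (assumed layout,
# modelled on typical looking-glass output, not any vendor's exact format).
SAMPLE_RIB = """\
# prefix            next-hop       as-path
192.0.2.0/24        203.0.113.1    64500 64501
192.0.2.128/25      203.0.113.2    64500 64502
198.51.100.0/24     Null0          64500
"""


def parse_rib(text: str) -> List[Route]:
    """Parse the snapshot, ignoring comments and blank lines."""
    routes: List[Route] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, next_hop, *path = line.split()
        routes.append(Route(ipaddress.ip_network(prefix, strict=True),
                            next_hop,
                            tuple(int(asn) for asn in path)))
    return routes


def lookup(rib: List[Route], addr: str) -> Optional[Route]:
    """Return the most specific route covering addr, or None if no route."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in rib if ip in r.prefix]
    if not candidates:
        return None
    # Longest prefix wins, exactly as a router's FIB lookup would decide.
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def classify(rib: List[Route], addr: str) -> str:
    """'routed', 'blackholed' (next hop is a discard interface) or 'not in table'."""
    route = lookup(rib, addr)
    if route is None:
        return "not in table"
    if route.next_hop.lower() in ("null0", "blackhole", "discard"):
        return "blackholed"
    return "routed"


def describe(rib: List[Route], addr: str) -> str:
    """Human-readable line in the spirit of a looking-glass answer."""
    route = lookup(rib, addr)
    if route is None:
        return f"{addr}: Network not in table"
    path = " ".join(str(asn) for asn in route.as_path)
    return (f"{addr}: {classify(rib, addr)} via {route.prefix} "
            f"next-hop {route.next_hop} as-path [{path}]")


if __name__ == "__main__":
    rib = parse_rib(SAMPLE_RIB)
    # 203.0.113.50 is a constructed address with no covering prefix.
    for query in ("192.0.2.200", "192.0.2.10", "198.51.100.7", "203.0.113.50"):
        print(describe(rib, query))
```

Two things the walk-through makes visible that a single looking-glass query does not: the /25 beats the /24 for 192.0.2.200 even though both cover it, and a prefix that is present but pointed at Null0 is a deliberate local drop rather than a withdrawn route, which is why the thread's "no global routes" observation is stronger evidence of the destination being gone than a traceroute dying a few hops out.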

  • So, the dickheads at McColo went out of their way to reopen a link, just in time for their Russian Mafia buddies to rehost their shit. Thinking of research topics off the top of my head, I wonder if I could match the actions at McColo to 1) Wire Fraud, or 2) RICO. A conviction on either leads one straight to a Federal Pound-You-In-The-Ass prison, and no parole.

  • Nuke the entire site from orbit. It's the only way to be sure.
  • That's the sound of rejoicing from all the people who make their living from selling anti spyware/malware/spam software/hardware...

    (I was going to write "solutions" instead of software/hardware but they haven't actually solved anything, people are still and will forever be infected/bombarded)
  • How did they get back online, even if it was for just a short time, and re-activate their botnet this way?

    I am rather "done" with the question about whether or not it is immoral to go vigilante on their asses. It is immoral to let things go on without doing anything about it and so you're damned if you do and damned if you don't... but if you do, at least a problem will have been fought and maybe some useful difference made.

  • by Animats (122034) on Wednesday November 19, 2008 @12:41AM (#25812923) Homepage

    McColo doesn't seem to have been a real ISP. Or even a real company. They don't have a valid corporate registration in California or New Jersey. They were apparently a front for the spam operation, buying services from Hurricane Electric.

    Their web site was designed by Vane [www.vane.ru], in Russia. They still have some connection to McColo. Go to the Vane site (preferably not using IE on Windows) and look at the icons of the various companies with which they are affiliated. Go to the row of vertical bars at the center right, second row. Mouse over the blank area just above the bars. You'll get some Cyrillic with "McColo" in Latin text. Click on the hidden link. This will take you to an animation which brings up an image of the McColo site. Items within that animation are clickable. A bit of work will get you to the number of McColo's "sales manager". But there's no way to order hosting online; they were never really selling ordinary hosting services.
