Security Spam The Internet

McColo Briefly Returns, Hands Off Botnet Control 242

A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."
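The summary's point that the bots were re-pointed at a new server is the kind of thing a network defender checks for in DNS and flow logs. The following is an added example, not code from the story, The Register or the researchers quoted: it scans constructed log lines for the two indicators the page names (the hostname abilena.podolsk-mo.ru and the address 62.176.17.200 given in the comments below) and, as a lower-confidence hypothetical widening, the 62.176.0.0/19 block one commenter queried. The log line formats are invented for the example. A bot that is handed a bare IP address makes no DNS query at all, so the flow match is the one that catches such a host.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the story and its comments.
C2_DOMAINS = {"abilena.podolsk-mo.ru"}
C2_ADDRESSES = {ipaddress.ip_address("62.176.17.200")}
# Hypothetical widening to the block a commenter looked up; lower confidence.
C2_PREFIXES = [ipaddress.ip_network("62.176.0.0/19")]

# Constructed log formats for this example: one DNS query line, one flow line.
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\w+) (?P<qname>\S+)$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$")


def domain_matches(qname, domains):
    """True if qname is one of the C2 domains or a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def address_matches(dst, addresses, prefixes):
    """Return why a destination matched ('address' or 'prefix ...'), else None."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    if addr in addresses:
        return "address"
    for net in prefixes:
        if addr in net:
            return f"prefix {net}"
    return None


def scan(lines):
    """Map each internal host to the indicator hits seen in its log lines."""
    hits = defaultdict(list)
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            if domain_matches(m["qname"], C2_DOMAINS):
                hits[m["client"]].append(("dns", m["qname"]))
            continue
        m = FLOW_RE.match(line)
        if m:
            why = address_matches(m["dst"], C2_ADDRESSES, C2_PREFIXES)
            if why:
                hits[m["src"]].append(("flow", m["dst"], why))
    return dict(hits)


# Constructed sample lines: 10.0.0.12 resolves and connects, 10.0.0.45 connects
# straight to the IP with no lookup, 10.0.0.9 only touches the wider block,
# 10.0.0.7 is benign.
SAMPLE_LOG = """\
2008-11-18T19:50:01Z 10.0.0.12 query A abilena.podolsk-mo.ru
2008-11-18T19:50:02Z 10.0.0.12 -> 62.176.17.200:80 tcp
2008-11-18T19:50:05Z 10.0.0.7 query A www.example.com
2008-11-18T19:50:06Z 10.0.0.7 -> 192.0.2.10:80 tcp
2008-11-18T19:51:10Z 10.0.0.45 -> 62.176.17.200:443 tcp
2008-11-18T19:52:00Z 10.0.0.9 -> 62.176.30.1:25 tcp
""".splitlines()

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG).items():
        print(host, reasons)
```

The subdomain check deliberately requires a dot boundary, so a lookalike such as notabilena.podolsk-mo.ru is not counted; prefix hits are reported separately from exact-address hits so an analyst can weight them differently.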
  • by Nimey ( 114278 ) on Tuesday November 18, 2008 @07:50PM (#25810371) Homepage Journal

    They should have terminated their contract with these assholes immediately instead of letting them back up.

  • Uncongested Relief! (Score:5, Informative)

    by IgnacioB ( 687913 ) <matt_c_watkins@yahoo.com> on Tuesday November 18, 2008 @07:53PM (#25810407) Homepage
    I gotta say the past week without so much SPAM has been like having a 10 year head cold where I've become more and more congested...and just lived with it. To suddenly have the congestion stop for just a week....I almost forgot what life is SUPPOSED to be like without a clogged sinus of an Inbox. Damn spammers! I wish I could have one pointed out and slap them up side the head....and then let the other million of people get to slap them. Then after that slapfest.....find a person that bought something from a spammer and slap them. If there were ever a time for authorities to get involved...it would be now! Raid that ISP and you know they'd catch some guilty folks...some of which could flip.
  • by moderatorrater ( 1095745 ) on Tuesday November 18, 2008 @07:58PM (#25810467)
    I don't see why. 15MB/sec for 12 hours is roughly 650 gigs - a lot, but a single external hard drive could have pulled it off. At most they shaved a week off their time to get the botnets back up and running at full capacity.
  • by Anonymous Coward on Tuesday November 18, 2008 @08:23PM (#25810727)

    1. We guessed that.

    2. I would not

    3. Not any longer

    4.This is not the first ISP to be cut off for spamming.

    5. you have no point.

    6. When you finish your training, God knows you might have a clue.

  • by aproposofwhat ( 1019098 ) on Tuesday November 18, 2008 @08:40PM (#25810909)

    Apparently TeliaSonera shut down the link as soon as they realised what was happening - the contract was through a proxy company.

    See the Register [theregister.co.uk] article for more details.

    So we can't really blame TeliaSonera.

    Why the spamming bastards didn't just courier a hard drive to Russia instead is a mystery, though.

  • by DarkOx ( 621550 ) on Tuesday November 18, 2008 @08:52PM (#25811041) Journal

    Do you remember just a few years ago the "MS Blaster" fiasco?

    Do you remember "Welchia", I think it was called? It was just that it removed Blaster and then tried to spread itself the same way. In the end Welchia was as troublesome for network operators as "MS Blaster" itself. It was terrible.

  • by LackThereof ( 916566 ) on Tuesday November 18, 2008 @09:28PM (#25811315)

    It appears that the new C&C server listed in the article, 62.176.17.200, has been blackholed by my ISP's routers. I'm on a Qwest "business/office" ADSL line. Any similar reports from other ISPs?

    Or is it actually down?

    If most American ISPs are blocking it, Rustock is dead, or at least in a coma. TFA implied that the IP address was being distributed to the bot, not the domain name.

  • by Animats ( 122034 ) on Wednesday November 19, 2008 @12:41AM (#25812923) Homepage

    McColo doesn't seem to have been a real ISP. Or even a real company. They don't have a valid corporate registration in California or New Jersey. They were apparently a front for the spam operation, buying services from Hurricane Electric.

    Their web site was designed by Vane [www.vane.ru], in Russia. They still have some connection to McColo. Go to the Vane site (preferably not using IE on Windows) and look at the icons of the various companies with which they are affiliated. Go to the row of vertical bars at the center right, second row. Mouse over the blank area just above the bars. You'll get some Cyrillic with "McColo" in Latin text. Click on the hidden link. This will take you to an animation which brings up an image of the McColo site. Items within that animation are clickable. A bit of work will get you to the number of McColo's "sales manager". But there's no way to order hosting on line; they were never really selling ordinary hosting services.

  • by CoolQ ( 31072 ) <quentins.comclub@org> on Wednesday November 19, 2008 @03:24AM (#25814335) Homepage

    Dies for me at my ISP's border router; I've never seen a traceroute die so fast. Only 2 hops before it goes dead. It makes me think that the global BGP tables are blackholing the subnet.

    I checked a bunch of BGP looking glasses and they all report "Network not in table", as in there are no global routes for that IP address.

    --Quentin

  • by iocc ( 238550 ) on Wednesday November 19, 2008 @07:41AM (#25815549) Journal

    It simply doesn't exist in the global routing table right now.

    # sh ip b 62.176.17.200
    % Network not in table
    # sh ip b 62.176.0.0/19
    % Network not in table
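The two lookups in the comment above answer different questions: a lookup by host address does a longest-prefix match, while a lookup by prefix asks for that exact prefix. A prefix that is "not in table" can still be reachable through a shorter covering aggregate, so the host lookup is the one that proves an address is unroutable. The following is an added example, not code from the page or from any looking glass: it models both lookups over constructed routing-table snapshots (prefixes and next hops invented for the example, next hops from the 198.51.100.0/24 documentation range) and goes beyond the comment by showing the aggregate case.

```python
import ipaddress


def parse_rib(lines):
    """Parse constructed 'prefix next-hop' lines into (network, next_hop) pairs."""
    rib = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, next_hop = line.split()
        rib.append((ipaddress.ip_network(prefix, strict=True), next_hop))
    return rib


def exact_lookup(rib, prefix):
    """Like a looking-glass query for a specific prefix: that prefix or nothing."""
    net = ipaddress.ip_network(prefix, strict=True)
    for entry_net, next_hop in rib:
        if entry_net == net:
            return (str(entry_net), next_hop)
    return None


def longest_match(rib, address):
    """Like a query for a host address: the most specific covering prefix."""
    addr = ipaddress.ip_address(address)
    best = None
    for entry_net, next_hop in rib:
        if addr in entry_net and (best is None or entry_net.prefixlen > best[0].prefixlen):
            best = (entry_net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def is_reachable(rib, address):
    """An address is routable only if some prefix in the table covers it."""
    return longest_match(rib, address) is not None


# Constructed snapshot matching what the comment reports: nothing covers the C&C host.
RIB_WITHDRAWN = parse_rib("""
# neighbouring blocks only; no default route, as in a full table
62.175.0.0/16 198.51.100.1
62.177.0.0/16 198.51.100.2
192.0.2.0/24  198.51.100.3
""".splitlines())

# Constructed counter-example: the /19 itself is absent, but a covering /16
# aggregate and a more specific /22 are announced, so the host is still routable.
RIB_AGGREGATED = parse_rib("""
62.176.0.0/16  198.51.100.9
62.176.16.0/22 198.51.100.10
192.0.2.0/24   198.51.100.3
""".splitlines())

if __name__ == "__main__":
    for name, rib in (("withdrawn", RIB_WITHDRAWN), ("aggregated", RIB_AGGREGATED)):
        print(name, "exact /19:", exact_lookup(rib, "62.176.0.0/19"),
              "host:", longest_match(rib, "62.176.17.200"))
```

In the aggregated snapshot the exact /19 query still reports nothing, yet the host query returns the /22, which is why a blackhole verdict should rest on the host lookup across several looking glasses, as the commenters did, rather than on the absence of one particular prefix.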
