McColo Briefly Returns, Hands Off Botnet Control
A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."
Let's turn TeliaSonera into a smoking crater next (Score:2, Informative)
They should have terminated their contract with these assholes immediately instead of letting them back up.
Uncongested Relief! (Score:5, Informative)
Re:Let's turn TeliaSonera into a smoking crater ne (Score:5, Informative)
Re:So what's YOUR solution? (Score:1, Informative)
1. We guessed that.
2. I would not
3. Not any longer
4. This is not the first ISP to be cut off for spamming.
5. you have no point.
6. When you finish your training, god knows you might have a clue.
Re:Let's turn TeliaSonera into a smoking crater ne (Score:5, Informative)
Apparently TeliaSonera shut down the link as soon as they realised what was happening - the contract was through a proxy company.
See the Register [theregister.co.uk] article for more details.
So we can't really blame TeliaSonera.
Why the spamming bastards didn't just courier a hard drive to Russia instead is a mystery, though.
Re:The solution is anarchy (Score:4, Informative)
Do you remember just a few years ago the "MS Blaster" fiasco?
Do you remember "Welchia", I think it was called? It was just that it removed Blaster and then tried to spread itself the same way. In the end Welchia was as troublesome for network operators as "MS Blaster" itself. It was terrible.
C&C server blocked by ISPs? (Score:4, Informative)
It appears that the new C&C server listed in the article, 62.176.17.200, has been blackholed by my ISP's routers. I'm on a Qwest "business/office" ADSL line. Any similar reports from other ISPs?
Or is it actually down?
If most American ISPs are blocking it, Rustock is dead, or at least in a coma. TFA implied that the IP address was being distributed to the bot, not the domain name.
McColo isn't a real ISP (Score:4, Informative)
McColo doesn't seem to have been a real ISP. Or even a real company. They don't have a valid corporate registration in California or New Jersey. They were apparently a front for the spam operation, buying services from Hurricane Electric.
Their web site was designed by Vane [www.vane.ru], in Russia. They still have some connection to McColo. Go to the Vane site (preferably not using IE on Windows) and look at the icons of the various companies with which they are affiliated. Go to the row of vertical bars at the center right, second row. Mouse over the blank area just above the bars. You'll get some Cyrillic with "McColo" in Latin text. Click on the hidden link. This will take you to an animation which brings up an image of the McColo site. Items within that animation are clickable. A bit of work will get you to the number of McColo's "sales manager". But there's no way to order hosting on line; they were never really selling ordinary hosting services.
Re:C&C server blocked by ISPs? (Score:3, Informative)
Dies for me at my ISP's border router; I've never seen a traceroute die so fast. Only 2 hops before it goes dead. It makes me think that the global BGP tables are blackholing the subnet.
I checked a bunch of BGP looking glasses and they all report "Network not in table", as in there are no global routes for that IP address.
--Quentin
Re:C&C server blocked by ISPs? (Score:2, Informative)
It simply doesn't exist in the global routing table right now.
# sh ip b 62.176.17.200
% Network not in table
# sh ip b 62.176.0.0/19
% Network not in table
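The two posts above check the C&C address by hand against a router's BGP table (the exact host, then the covering /19 aggregate). The following is an added example, not code from anyone in this thread: it does the same longest-prefix lookup offline against a routing-table snapshot, so a list of suspected C&C addresses can be checked in bulk against a dump exported from `show ip bgp` or a looking glass. The table below is constructed from RFC 5737 documentation prefixes and deliberately contains nothing covering 62.176.0.0/19; the address 62.176.17.200 and that aggregate are the only values taken from the thread. The function names and the table layout are this example's own assumptions.

```python
"""Longest-prefix lookup against a routing-table snapshot.

Added example, not part of the original thread. CONSTRUCTED_RIB is a
made-up table built from RFC 5737 documentation prefixes; only the
address 62.176.17.200 and the aggregate 62.176.0.0/19 come from the
thread, and neither is present in the table, so lookups for them
return "not in table" just as the posters' routers did.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed RIB: (prefix, next hop) pairs, roughly what a
# `show ip bgp` export or a looking glass would give you.
CONSTRUCTED_RIB = [
    ("192.0.2.0/24", "198.51.100.1"),
    ("198.51.100.0/24", "198.51.100.1"),
    ("203.0.113.0/24", "198.51.100.2"),
    ("203.0.113.128/25", "198.51.100.3"),  # more-specific inside the /24
]

Route = Tuple[ipaddress.IPv4Network, str]


def build_rib(entries) -> List[Route]:
    """Parse textual entries into network objects, most specific first,
    so the first match found is also the longest match."""
    rib = [(ipaddress.ip_network(p, strict=True), nh) for p, nh in entries]
    rib.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return rib


def longest_match(rib: List[Route], address: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, next_hop) for the most specific route covering
    `address`, or None when the address is not in the table."""
    ip = ipaddress.ip_address(address)
    for net, nh in rib:
        if ip in net:
            return str(net), nh
    return None


def covering_routes(rib: List[Route], prefix: str) -> List[str]:
    """Every route that could still carry traffic for `prefix`: the
    prefix itself, any more-specific inside it, or a less-specific
    aggregate that contains it. Empty means the whole block is unrouted."""
    target = ipaddress.ip_network(prefix, strict=False)
    return [str(net) for net, _ in rib
            if net.subnet_of(target) or target.subnet_of(net)]


def is_routable(rib: List[Route], address: str) -> bool:
    """True when some prefix in the table covers the address."""
    return longest_match(rib, address) is not None


if __name__ == "__main__":
    rib = build_rib(CONSTRUCTED_RIB)
    # Mirrors the two manual checks in the thread: host, then aggregate.
    for target in ("62.176.17.200",):
        hit = longest_match(rib, target)
        print(target, "->", hit if hit else "% Network not in table")
    agg = covering_routes(rib, "62.176.0.0/19")
    print("62.176.0.0/19 ->", agg if agg else "% Network not in table")
    # A constructed address that is routed via the more-specific /25.
    print("203.0.113.200 ->", longest_match(rib, "203.0.113.200"))
```

Feed `build_rib` a real export (one prefix and next hop per line) and the same lookups tell you whether a C&C address is reachable from that vantage point; comparing results across several looking glasses shows whether a prefix is withdrawn globally or only filtered by one provider, which is the distinction the posters above were trying to make.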