Cybercriminals Move Fast as McColo Takes a Short Breath of Air

A few hours of uptime were enough for the online crooks to move some of their infrastructure

By Lucian Constantin, Web News Editor

17th of November 2008, 11:16 GMT

Botnet owners relocate control servers as McColo gets a few hours of uptime
McColo succeeded in striking a deal with an unsuspecting uplink provider and got back online for a short period of time. Even though it lasted only a few hours, the uptime allowed botnet herders to push updates and relocate some of their control servers.

The sudden takedown of the McColo hosting provider last week took online criminal organizations by surprise and seriously hindered their illegal operations. According to security researchers, the company was responsible for hosting many of the control servers of major botnets such as Srizbi, Rustock, Pushdo, Mega-D and others.

Such armies of zombie PCs are responsible for the vast majority of junk e-mail sent daily and, since the notorious provider was cut off from the Internet, many spam monitoring organizations have reported very low distribution levels. IronPort, an e-mail security vendor, reported a decrease of 2/3 in spam activity, while the Spamcop service registered a 3/4 decline.

A few days later, security researchers were alerted that McColo was back online. The company had secured an uplink with a Swedish Internet provider, TeliaSonera AB, which operates a router in San Jose, where McColo's headquarters are located. “Apparently those responsible for hooking up new customers at TeliaSonera don’t read security blogs,” wrote Ross Thomas, security analyst at SophosLabs Canada.

The Swedish ISP was quick to act, though, after Thomas and others e-mailed its security department to inform it of the malicious traffic it was now routing. The ISP responded within hours through Jimmy Arvidsson, head of its Security Department, who announced that depeering procedures had been started.

Unfortunately, even though McColo's new peering was eventually revoked by TeliaSonera, the short uptime period was sufficient for the cybercriminal groups to start moving their infrastructure. According to Sophos' Thomas, the owners of the Rustock botnet, which is responsible for as many as 30 billion spam messages a day, successfully relocated some of their control servers to Russia. The researcher warns that “we should expect spam volumes to increase again soon [...], though how big an increase we’ll see depends largely on the number of zombie PCs the botnet’s controller was able to reach.”

We can only hope that McColo remains offline for good and does not get picked up by another Internet service provider. If the infamous company's servers register longer uptimes, as happened with Intercage/Atrivo when it was knocked offline in a similar fashion, the crooks will be able to take their business elsewhere, possibly beyond the reach of responsible ISPs.

TAGS:

McColo | peering | botnet | TeliaSonera | Rustock
User opinions:


Comment #1 by: james junior on 20 Nov 2008, 03:00 GMT

Filtering is not enough. It is time to police the internet and stop cyber criminals cold. Every computer must be given an electronic identification in a security patch that is more than a simple IP address but a secure and unique electronic signal that cannot be reproduced, changed, or blocked without proper authority from the Operating System manufacturer. The ID signal would allow access to the net. A series of central policing servers run by Microsoft and other selective sources can be given authority to monitor and deny any rogue machine access to the general internet simply by shutting down its patched access signal. The rogue machine would be taken off the net until it is cleaned and allowed to return after a scan by the operating system manufacturer. Unpatched machines would be denied access to the general internet until they accept their own unique electronic identification which gives them access to the net.
Spamcop, SophosLabs, and other selected spam monitoring organizations can be given authority to report illegal spam sending machines to the policing servers. Email must be able to be traced by the signal to its original point of origin and clearly identify the machine it came from, not just the location.
In the case of criminal activity, law enforcement would be given all pertinent information that would lead to the offending machines. Criminals who operate out of reach of the law would forever lose their access to the internet. They could buy a new OS, but then it would be shut down the minute it becomes rogue.
