A few hours of uptime were enough for the online crooks to move some of their infrastructure

Nov 17, 2008 11:16 GMT  ·  By

McColo succeeded in striking a deal with an unsuspecting uplink provider and got back online for a short period of time. Even though it lasted only a few hours, the uptime allowed botnet herders to push updates and relocate some of their control servers.

The sudden takedown of the McColo hosting provider last week took online criminal organizations by surprise and seriously hindered their illegal operations. According to security researchers, the company was responsible for hosting many of the control servers of major botnets such as Srizbi, Rustock, Pushdo, Mega-D and others.

Such armies of zombie PCs are responsible for the vast majority of junk e-mail sent daily and, since the notorious provider was cut off from the Internet, many spam monitoring organizations have reported very low distribution levels. IronPort, an e-mail security vendor, reported a decrease of 2/3 in spam activity, while the SpamCop service registered a 3/4 decline.

A few days later, security researchers were alerted that McColo was back online. The company had succeeded in securing an uplink with a Swedish Internet provider, TeliaSonera AB, which has a router located in San Jose, where McColo's headquarters are. “Apparently those responsible for hooking up new customers at TeliaSonera don’t read security blogs,” wrote Ross Thomas, security analyst at SophosLabs Canada.

The Swedish ISP was quick to act, though, after Thomas, as well as others, sent e-mails to its security department informing it of the badness it was now routing. The ISP responded in a matter of hours through Jimmy Arvidsson, the head of the Security Department, who announced that depeering procedures had been started.

Unfortunately, even though McColo's new peering was eventually revoked by TeliaSonera, the short uptime period was sufficient for the cybercriminal groups to start moving their infrastructure. According to Sophos' Thomas, the owners of the Rustock botnet, which is responsible for as much as 30 billion daily spam messages, have successfully relocated some of their control servers to Russia. The researcher warns that “we should expect spam volumes to increase again soon [...], though how big an increase we’ll see depends largely on the number of zombie PCs the botnet’s controller was able to reach.”

We can only hope that McColo will remain offline for good and will not get picked up by another Internet service provider. If the servers of the infamous company register longer uptimes, as happened with Intercage/Atrivo when it was knocked offline in a similar fashion, the crooks will be able to take their business elsewhere, possibly outside the reach of responsible ISPs.