Spammers look east after McColo shutdown

Zombie networks likely to resurface in two weeks

Analysis One week after rogue ISP McColo was shut down spam levels have yet to return to normality. But security experts are under no illusions that this represents anything more than a temporary reprieve, which will probably come accompanied by a change in tactics by spammers.

The volume of spam in circulation fell by as much as two thirds after upstream providers pulled the plug on McColo, which harboured many of the command and control servers that controlled the world's spam distribution. Immediately prior to McColo's shutdown, the three botnets it hosted were ranked first, second and fifth among the world's most prolific sources of spam, altogether responsible for nearly 70 per cent of junk mail, according to net security firm Marshal8e6.

McColo hosted the command and control infrastructure for three of the world's most prolific spam botnets: Srizbi, Mega-D and Rustock. Its systems were also used to peddle porn and to support credit card fraud and other nefarious cybercrime activities.

These operations were too profitable to be abandoned, so it's no surprise that backup connectivity was used over the following weekend to hand over control of compromised systems to servers in Russia. Security watchers reckon that the shutdown of McColo - which follows clampdowns against EstDomains and Intercage, other ISPs criticised for hosting dubious customers - will encourage cybercrooks to look east.

"I suspect that these botherds will now move offshore to 'safer' bulletproof hosting in China or Russia. Though this might be a problem for their bandwidth requirements into the US," said Matt Sergeant, senior antispam technologist for MessageLabs, referring to the relative lack of bandwidth available from Chinese servers.

Command and control servers play an important role in managing compromised (zombie) clients. Infected machines contact control servers periodically to get updated instructions and spamming templates. Decentralised P2P control systems were used by the Storm worm, for example, and the closure of command and control systems for more centrally controlled botnets may spur a more decentralised approach in future.
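The polling behaviour described above is what defenders look for in their own traffic: a host that contacts one remote address at near-constant intervals. The following is an added example, not from the article, that flags such regular connections in constructed connection-log lines; the log format and every address in it are invented.

```python
# Added example (not from the article): flag hosts that poll a remote address
# at near-constant intervals, the behaviour described for zombie clients that
# periodically fetch instructions from a control server.
# Log format and all addresses below are constructed for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOG = """\
2008-11-18T09:00:00 10.0.0.7 -> 203.0.113.5:80
2008-11-18T09:00:02 10.0.0.9 -> 198.51.100.20:443
2008-11-18T09:05:01 10.0.0.7 -> 203.0.113.5:80
2008-11-18T09:07:40 10.0.0.9 -> 198.51.100.21:443
2008-11-18T09:09:59 10.0.0.7 -> 203.0.113.5:80
2008-11-18T09:15:00 10.0.0.7 -> 203.0.113.5:80
2008-11-18T09:16:12 10.0.0.9 -> 198.51.100.20:443
2008-11-18T09:20:01 10.0.0.7 -> 203.0.113.5:80
2008-11-18T09:31:05 10.0.0.9 -> 198.51.100.22:443
"""

def parse(log):
    """Yield (timestamp, source, destination) for each constructed log line."""
    for line in log.splitlines():
        ts, src, _, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst

def find_beacons(log, min_hits=4, max_cv=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs seen at least min_hits
    times whose gaps are regular (coefficient of variation <= max_cv)."""
    seen = defaultdict(list)
    for ts, src, dst in parse(log):
        seen[(src, dst)].append(ts)
    beacons = {}
    for pair, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low spread relative to the mean gap means a fixed polling schedule.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(LOG).items():
        print(f"{src} polls {dst} roughly every {period:.0f}s")
```

On the constructed log, 10.0.0.7 is flagged for polling 203.0.113.5:80 about every five minutes, while 10.0.0.9's irregular connections to several hosts are not.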

The industrialisation of spam distribution means that junk mail is no longer the cottage industry it might have been five or 10 years ago. This means that targeted action by the law enforcement and IT security communities can have a palpable effect on spam.

A few security firms dispute the consensus that the shutdown of McColo had a huge effect on spam volumes.

Cloudmark, which provides spam filtering services to some of the world's largest service providers, said the McColo shutdown hit small-fry spam distributors while leaving the Mr Bigs of junk mail largely unaffected.

The filtering firm saw a reduction in the number of IP connections when McColo was removed but not much change in spam volumes. "The mediocre, easy to target spammers have less traffic trying to break into the large ISPs but the really nasty spammers who make millions of dollars are the ones that the high-profile ISPs receive the bulk of their spam from. It is these spammers that were unaffected by the disconnection of McColo," it said.

Displacement effect

So is shutting down the likes of McColo, EstDomains and Intercage just a game of "whack-a-mole", or does it have an effect on the amount of spam hitting users' inboxes?

"The real aim here is to increase the cost of operating a spam economy so that spammers get out of the game. If we can keep spammers off low-cost, high-bandwidth US colo providers and force them offshore this will increase their costs and hopefully make it much harder for them to spam," said MessageLabs' Sergeant.

Jose Nazario, a security analyst at Arbor Networks, pointed out that an effect on spam distribution, even if it's short-lived, is "useful as a sign to law enforcement that these guys really do hang out in one or two places, and maybe it's worth going after them".

Nazario agreed that unscrupulous hosts were likely to step into the gap vacated by McColo but this didn't make enforcement efforts any less worthwhile. "Any gains are, so far, temporary. So we begin anew, tracking badness and hotbeds of nefarious activity," Nazario told El Reg.

The shutdown of the McColo spam control systems meant, for the first time this year, that China eclipsed the US as the primary source of spam, according to managed security firm, Network Box. China now produces more spam than any other country in the world.

Simon Heron, internet security analyst at Network Box, added that malware levels have also dropped since the McColo shutdown. "We’ve also seen a significant drop in emails containing viruses and phishing attacks. This indicates that McColo’s servers were also used to distribute malicious emails containing viruses, and not just the usual junk marketing mail," he said.

Heron agrees with other observers that the spam operators who used McColo are likely to reappear in a matter of weeks on the other side of the world. "McColo came back online briefly over last weekend, most likely uploading all the command and control software required to run the botnets. So we'd expect spam to be back to usual levels in a couple of weeks using servers based in Russia," he said. ®
