Spammers look east after McColo shutdown

Zombie networks likely to resurface in two weeks

Analysis One week after rogue ISP McColo was shut down spam levels have yet to return to normality. But security experts are under no illusions that this represents anything more than a temporary reprieve, which will probably come accompanied by a change in tactics by spammers.

The volume of spam in circulation fell by as much as two thirds after upstream providers pulled the plug on McColo, which harboured many of the command and control servers that directed the world's spam distribution. McColo hosted the command and control infrastructure for three of the world's most prolific spam botnets: Srizbi, Mega-D and Rustock. Immediately prior to McColo's shutdown, these three botnets were ranked first, second and fifth among the world's most prolific sources of spam, together responsible for nearly 70 per cent of junk mail, according to net security firm Marshal8e6.

McColo's systems were also used to peddle porn, support credit card fraud and other nefarious cybercrime activities.

These operations were too profitable to be abandoned, so it's no surprise that backup connectivity was used over the following weekend to hand control of compromised systems to servers in Russia. Security watchers reckon that the shutdown of McColo - which follows clampdowns against EstDomains and Intercage, other ISPs criticised for hosting dubious customers - will encourage cybercrooks to look east.

"I suspect that these botherds will now move offshore to 'safer' bulletproof hosting in China or Russia. Though this might be a problem for their bandwidth requirements into the US," said Matt Sergeant, senior antispam technologist for MessageLabs, referring to the relative lack of bandwidth available from Chinese servers.

Command and control servers play an important role in managing compromised (zombie) clients. Infected machines contact control servers periodically to fetch updated instructions and spamming templates, which is why cutting off the hosting provider for those servers silences the bots until they are repointed. Decentralised P2P control was used by the Storm worm, for example, and the closure of command and control systems for more centrally controlled botnets may spur a more decentralised approach in future.
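The periodic check-in described above is also what gives defenders a detection handle: a bot polling its controller on a fixed timer produces metronomic connection gaps that normal browsing does not. The script below is an added example, not code from the article or from any of the firms quoted in it. The log format, the sample lines and the thresholds are all constructed assumptions for illustration; the technique (flagging flows whose inter-arrival times have a near-zero coefficient of variation) is general and applies to any proxy, firewall or NetFlow export with timestamps and endpoints.

```python
"""Detect periodic command-and-control beaconing in connection logs.

Added example (not part of the original article). It models the behaviour the
article describes: infected hosts contacting a control server at regular
intervals for instructions. The log format, the sample lines and the
thresholds below are constructed assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src_ip dst_ip dst_port bytes".
# 10.0.0.5 polls 203.0.113.10:80 roughly every 10 minutes (a beacon);
# 10.0.0.7 browses normally with irregular gaps.
SAMPLE_LOG = """\
2008-11-18T09:00:02 10.0.0.5 203.0.113.10 80 412
2008-11-18T09:10:01 10.0.0.5 203.0.113.10 80 418
2008-11-18T09:20:03 10.0.0.5 203.0.113.10 80 409
2008-11-18T09:30:00 10.0.0.5 203.0.113.10 80 415
2008-11-18T09:40:02 10.0.0.5 203.0.113.10 80 411
2008-11-18T09:50:01 10.0.0.5 203.0.113.10 80 420
2008-11-18T09:03:11 10.0.0.7 198.51.100.20 80 15320
2008-11-18T09:03:15 10.0.0.7 198.51.100.20 80 2210
2008-11-18T09:21:47 10.0.0.7 198.51.100.20 80 9870
2008-11-18T09:22:02 10.0.0.7 198.51.100.21 443 1200
2008-11-18T09:48:30 10.0.0.7 198.51.100.20 80 33020
"""


def parse_log(text):
    """Return {(src, dst, port): [datetime, ...]} with timestamps sorted."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _size = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return flows


def inter_arrival_gaps(timestamps):
    """Seconds between consecutive connections of one flow."""
    return [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]


def beacon_score(timestamps):
    """Coefficient of variation of the gaps; close to 0 means metronomic."""
    gaps = inter_arrival_gaps(timestamps)
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return pstdev(gaps) / m


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Flag flows with enough connections and near-constant spacing.

    min_connections and max_cv are illustrative thresholds (assumptions);
    tune them against your own baseline traffic.
    """
    hits = []
    for key, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            hits.append({
                "flow": key,
                "count": len(times),
                "period_s": round(mean(inter_arrival_gaps(times))),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed sample this flags only the 10.0.0.5 to 203.0.113.10:80 flow, with a period of about 600 seconds. The caveat a practitioner should keep in mind is the one the paragraph hints at: a bot that randomises its sleep interval, or a P2P design where each node talks to many changing peers, will not show a near-zero coefficient of variation per destination, so this check catches the simple polling model rather than the decentralised one.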

The industrialisation of spam distribution has meant that junk mail is no longer the cottage industry it might have been five or 10 years ago. This concentration means that targeted action by the law enforcement and IT security communities can have a palpable effect on spam.

A few security firms dispute the consensus that the shutdown of McColo had a huge effect on spam volumes.

Cloudmark, which provides spam filtering services to some of the world's largest service providers, said the McColo shutdown hit small-fry spam distributors while leaving the Mr Bigs of junk mail largely unaffected.

The filtering firm saw a reduction in the number of IP connections when McColo was removed but not much change in spam volumes. "The mediocre, easy to target spammers have less traffic trying to break into the large ISPs but the really nasty spammers who make millions of dollars are the ones that the high-profile ISPs receive the bulk of their spam from. It is these spammers that were unaffected by the disconnection of McColo," it said.

Displacement effect

So is shutting down the likes of McColo, EstDomains and Intercage just a game of "whack-a-mole", or does it have a lasting effect on the amount of spam hitting users' inboxes?

"The real aim here is to increase the cost of operating a spam economy so that spammers get out of the game. If we can keep spammers off low-cost, high-bandwidth US colo providers and force them offshore this will increase their costs and hopefully make it much harder for them to spam," said MessageLabs' Sergeant.

Jose Nazario, a security analyst at Arbor Networks, pointed out that an effect on spam distribution, even if it's short-lived, is "useful as a sign to law enforcement that these guys really do hang out in one or two places, and maybe it's worth going after them".

Nazario agreed that unscrupulous hosts were likely to step into the gap vacated by McColo but this didn't make enforcement efforts any less worthwhile. "Any gains are, so far, temporary. So we begin anew, tracking badness and hotbeds of nefarious activity," Nazario told El Reg.

The shutdown of the McColo spam control systems meant, for the first time this year, that China eclipsed the US as the primary source of spam, according to managed security firm, Network Box. China now produces more spam than any other country in the world.

Simon Heron, internet security analyst at Network Box, added that malware levels have also dropped since the McColo shutdown. "We’ve also seen a significant drop in emails containing viruses and phishing attacks. This indicates that McColo’s servers were also used to distribute malicious emails containing viruses, and not just the usual junk marketing mail," he said.

Heron agrees with other observers that the spam operators who used McColo are likely to reappear in a matter of weeks on the other side of the world. “McColo came back online briefly over last weekend, most likely uploading all the command and control software required to run the botnets. So we’d expect spam to be back to usual levels in a couple of weeks using servers based in Russia," he said. ®
