Spammers look east after McColo shutdown

Zombie networks likely to resurface in two weeks

Analysis One week after rogue ISP McColo was shut down spam levels have yet to return to normality. But security experts are under no illusions that this represents anything more than a temporary reprieve, which will probably come accompanied by a change in tactics by spammers.

The volume of spam in circulation fell by as much as two thirds after upstream providers pulled the plug on McColo, which harboured many of the command and control servers behind the world's spam distribution.

McColo hosted the command and control infrastructure for three of the world's most prolific spam botnets: Srizbi, Mega-D and Rustock. Immediately prior to McColo's shutdown, these three botnets were ranked first, second and fifth among the world's most prolific sources of spam, altogether responsible for nearly 70 per cent of junk mail, according to net security firm Marshal8e6. McColo's systems were also used to peddle porn, support credit card fraud and other nefarious cybercrime activities.

These operations were too profitable to be abandoned, so it's no surprise that backup connectivity was used over the following weekend to hand over control of compromised systems to servers in Russia. Security watchers reckon that the shutdown of McColo - which follows clampdowns against EstDomains and Intercage, other ISPs criticised for hosting dubious customers - will encourage cybercrooks to look east.

"I suspect that these botherds will now move offshore to 'safer' bulletproof hosting in China or Russia. Though this might be a problem for their bandwidth requirements into the US," said Matt Sergeant, senior antispam technologist for MessageLabs, referring to the relative lack of bandwidth available from Chinese servers.

Command and control servers play an important role in managing compromised (zombie) clients. Infected machines contact control servers periodically to get updated instructions and spamming templates. Decentralised P2P control systems were used by the Storm worm, for example, and the closure of command and control systems for more centrally controlled botnets may spur a more decentralised approach in future.
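The periodic check-in described above is also what makes a centrally controlled botnet visible on the network. The following is an added example, not code from the article or from any of the firms quoted: it scans a small, constructed connection log (addresses, timestamps and format all made up for illustration) and flags source/destination pairs whose contact intervals are regular enough to look like a scheduled poll rather than a person browsing. The thresholds (five contacts, coefficient of variation of the gaps at or below 0.1) are assumptions to tune against real traffic.

```python
"""Beacon detection over a constructed connection log.

Added example: flags hosts that contact the same remote endpoint at
regular intervals, the check-in pattern zombies use to poll a command
and control server. The log format, addresses and thresholds are all
constructed for illustration; they are not from the article.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, one line per connection: "timestamp src dst:port".
# 10.0.0.5 polls one address roughly every ten minutes; 10.0.0.7 browses
# irregularly and contacts no single destination often enough to matter.
SAMPLE_LOG = """\
2008-11-18T09:00:02 10.0.0.5 203.0.113.10:80
2008-11-18T09:03:10 10.0.0.7 198.51.100.4:80
2008-11-18T09:10:01 10.0.0.5 203.0.113.10:80
2008-11-18T09:11:45 10.0.0.7 198.51.100.9:443
2008-11-18T09:20:03 10.0.0.5 203.0.113.10:80
2008-11-18T09:30:00 10.0.0.5 203.0.113.10:80
2008-11-18T09:31:12 10.0.0.7 198.51.100.4:80
2008-11-18T09:40:02 10.0.0.5 203.0.113.10:80
2008-11-18T09:50:01 10.0.0.5 203.0.113.10:80
2008-11-18T10:00:02 10.0.0.5 203.0.113.10:80
2008-11-18T10:05:30 10.0.0.7 198.51.100.4:80
2008-11-18T10:07:15 10.0.0.7 203.0.113.77:80
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples; dst keeps its port."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_contacts=5, max_cv=0.1):
    """Return {(src, dst): (count, mean_gap_seconds, cv)} for pairs whose
    inter-contact gaps are regular enough to look like a scheduled poll.

    cv is the coefficient of variation (population stdev / mean) of the
    gaps between successive contacts; a low value means little jitter,
    which is what a timer-driven check-in produces and a human does not.
    """
    contacts = defaultdict(list)
    for ts, src, dst in parse_log(text):
        contacts[(src, dst)].append(ts)

    beacons = {}
    for pair, times in contacts.items():
        if len(times) < min_contacts:
            continue  # too few contacts to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[pair] = (len(times), round(mean, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (n, mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} contacts, every {mean}s (cv={cv})")
```

On the constructed log this reports only 10.0.0.5 polling 203.0.113.10:80, seven contacts at a mean gap of 600 seconds with almost no jitter. Against real traffic the same check has to tolerate legitimate periodic traffic (NTP, update checks, monitoring agents), so in practice the destination is cross-referenced against an allow list before anything is flagged; the point of the example is the regularity test, not the list.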

The industrialisation of spam distribution has meant that junk mail distribution is no longer the cottage industry it might have been five or 10 years ago. The flip side is that targeted action by the law enforcement and IT security communities against a small number of key hosts can have a palpable effect on spam.

A few security firms dispute the consensus that the shutdown of McColo had a huge effect on spam volumes.

Cloudmark, which provides spam filtering services to some of the world's largest service providers, said the McColo shutdown hit small-fry spam distributors while leaving the Mr Bigs of junk mail largely unaffected.

The filtering firm saw a reduction in the number of IP connections when McColo was removed but not much change in spam volumes. "The mediocre, easy to target spammers have less traffic trying to break into the large ISPs but the really nasty spammers who make millions of dollars are the ones that the high-profile ISPs receive the bulk of their spam from. It is these spammers that were unaffected by the disconnection of McColo," it said.

Displacement effect

So is shutting down the likes of McColo, EstDomains and Intercage just a game of "whack-a-mole", or does it have a lasting effect on the amount of spam hitting users' inboxes?

"The real aim here is to increase the cost of operating a spam economy so that spammers get out of the game. If we can keep spammers off low-cost, high-bandwidth US colo providers and force them offshore this will increase their costs and hopefully make it much harder for them to spam," said MessageLabs' Sergeant.

Jose Nazario, a security analyst at Arbor Networks, pointed out that an effect on spam distribution, even if it's short-lived, is "useful as a sign to law enforcement that these guys really do hang out in one or two places, and maybe it's worth going after them".

Nazario agreed that unscrupulous hosts were likely to step into the gap vacated by McColo but this didn't make enforcement efforts any less worthwhile. "Any gains are, so far, temporary. So we begin anew, tracking badness and hotbeds of nefarious activity," Nazario told El Reg.

The shutdown of the McColo spam control systems meant that, for the first time this year, China eclipsed the US as the primary source of spam, according to managed security firm Network Box. China now produces more spam than any other country in the world.

Simon Heron, internet security analyst at Network Box, added that malware levels have also dropped since the McColo shutdown. "We’ve also seen a significant drop in emails containing viruses and phishing attacks. This indicates that McColo’s servers were also used to distribute malicious emails containing viruses, and not just the usual junk marketing mail," he said.

Heron agrees with other observers that the spam operators who used McColo are likely to reappear in a matter of weeks on the other side of the world. “McColo came back online briefly over last weekend, most likely uploading all the command and control software required to run the botnets. So we’d expect spam to be back to usual levels in a couple of weeks using servers based in Russia," he said. ®
