Feeds

Spammers look east after McColo shutdown

Zombie networks likely to resurface in two weeks

Seven Steps to Software Security

Analysis One week after rogue ISP McColo was shut down spam levels have yet to return to normality. But security experts are under no illusions that this represents anything more than a temporary reprieve, which will probably come accompanied by a change in tactics by spammers.

The volume of spam in circulation fell by as much as two thirds after upstream providers pulled the plug on McColo, which harboured many of the command and control servers that controlled the world's spam distribution. Immediately prior to McColo’s shut down, these three botnets were ranked first, second and fifth the world’s most prolific sources of spam, altogether responsible for nearly 70 per cent of junk mail, according to net security firm Marshal8e6.

McColo hosted the command and control infrastructure for three of the world’s most prolific spam botnets: Srizbi, Mega-D and Rustock. IT systems were also used to peddle porn, support credit card fraud and other nefarious cybercrime activities.

These operations were too profitable to be abandoned, so its no surprise that backup connectivity systems were used over the following weekend to hand over control of compromised systems to servers in Russia. Security watchers reckon that the shutdown of McColo - which follows clampdowns against EstDomains and Intercage, other ISPs criticised for hosting dubious customers - will encourage cybercrooks to look east.

"I suspect that these botherds will now move offshore to 'safer' bulletproof hosting in China or Russia. Though this might be a problem for their bandwidth requirements into the US," said Matt Sergeant, senior antispam technologist for MessageLabs, referring to the relative lack of bandwidth available from Chinese servers.

Command and control servers play an important role in managing compromised (zombie) clients. Infected machines contact control servers periodically to get updated instructions and spamming templates. Decentralised P2P control systems were used by the Storm worm, for example, and the closure of command and control systems for more centrally controlled botnets may spur a more decentralised approach in future.

The industralisation of spam distribution has meant that junk mail distribution is no longer the cottage garage industry it might have been five or 10 years ago. This has meant that targeted action by the law enforcement and IT security communities can have a palpable effect on spam.

A few security firms dispute the consensus that the shutdown of McColo had a huge effect on spam volumes.

Cloudmark, which provides spam filtering services to some of the world's largest service providers, said the McColo shutdown hit small-fry spam distributors while leaving the Mr Bigs of junk mail largely unaffected.

The filtering firm saw a reduction in the number of IP connections when McColo was removed but not much change in spam volumes. "The mediocre, easy to target spammers have less traffic trying to break into the large ISPs but the really nasty spammers who make millions of dollars are the ones that the high-profile ISPs receive the bulk of their spam from. It is these spammers that were unaffected by the disconnection of McColo," it said.

Displacement effect

So does shutting down the likes of McColo, EstDomains and Intercage just a game of "whack-a-mole" does it have an effect on the amount of spam hitting users' inboxes?

"The real aim here is to increase the cost of operating a spam economy so that spammers get out of the game. If we can keep spammers off low-cost, high-bandwidth US colo providers and force them offshore this will increase their costs and hopefully make it much harder for them to spam," said MessageLabs' Sergeant.

Jose Nazario, a security analyst at Arbor Networks, pointed out that an effect on spam distribution, even if it's short-lived, is "useful as a sign to law enforcement that these guys really do hang out in one or two places, and maybe it's worth going after them".

Nazario agreed that unscrupulous hosts were likely to step into the gap vacated by McColo but this didn't make enforcement efforts any less worthwhile. "Any gains are, so far, temporary. So we begin anew, tracking badness and hotbeds of nefarious activity," Nazario told El Reg.

The shutdown of the McColo spam control systems meant, for the first time this year, that China eclipsed the US as the primary source of spam, according to managed security firm, Network Box. China now produces more spam than any other country in the world.

Simon Heron, internet security analyst at Network Box, added that malware levels have also dropped since the McColo shutdown. "We’ve also seen a significant drop in emails containing viruses and phishing attacks. This indicates that McColo’s servers were also used to distribute malicious emails containing viruses, and not just the usual junk marketing mail," he said.

Heron agrees with other observers that the spam operators who used McColo are likely to reappear in a matter of weeks on the other side of the world. “McColo came back online briefly over last weekend, most likely uploading all the command and control software required to run the botnets. So we’d expect spam to be back to usual levels in a couple of weeks using servers based in Russia," he said. ®

Mobile application security vulnerability report

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.