
Botnets: Web-hosting site closed down and spam drops 50 percent

Two contracted ISPs stopped providing Web hosting firm McColo with Internet access, which immediately quieted several major botnets responsible for almost half of all delivered spam. Learning how and why this was done is worth your time.

How does the total amount of spam drop by 50 percent in one fell swoop? To help explain, I refer you to Brian Krebs' (Washington Post) article "Host of Internet Spam Groups Is Cut Off," where he gives a high-level account of what caused the dramatic decrease in delivered spam. Krebs wrote a follow-up piece, "A Closer Look at McColo," that goes into specific details, and needless to say it's pretty amazing.

McColo reportedly just a conduit

Several sources have stated that McColo Corp is the major North American host for international firms that control millions of subverted computers. Reportedly, these botnets are used to deliver spam focused on selling pharmaceuticals, designer goods, fake security documents, and worse things.

Krebs even gets specific about the activity at McColo by quoting security expert Joe Stewart (whom I have a great deal of respect for) of SecureWorks in his second article:

"The upper right-hand section of the graphic highlights the numeric Internet addresses assigned to McColo that were used by some of the most active and notorious spam-spewing botnets--agglomerations of millions of hacked PCs that were collectively responsible for sending more than 75 percent of the world's spam on any given day. In the upper left corner of the flow chart are dozens of fake pharmacy domains that were hosted by McColo."

The above quote refers to the following diagram (courtesy of Brian Krebs and the Washington Post).

[Diagram: flow chart of McColo's address space, spam botnets, and hosted fake pharmacy domains; courtesy of Brian Krebs and the Washington Post]

Details of McColo's involvement

Security experts aren't surprised, because they have known about McColo's involvement with botnets and spam for years. In fact, McColo has quite a solid reputation for reliably supporting command-and-control servers for several of the most prolific botnets in history. Once again, Brian Krebs brings this into perspective:

"Multiple security researchers have recently published data naming McColo as the host for all of the top robot networks, or 'botnets.' These include SecureWorks, FireEye and ThreatExpert.

Joe Stewart (SecureWorks) said that these known botnets (Mega-D, Srizbi, Pushdo, Rustock and Warezov) have their master servers hosted at McColo."

What happened?

In what I would consider unique circumstances, Global Crossing and Hurricane Electric, the two ISPs providing Internet access for McColo, took it upon themselves to sever all connections to the facility. What happened after that was dramatic to say the least. Check out the following graph (courtesy of SpamCop); I'll let you decide if this graph is more dramatic than those depicting Wall Street's performance over the past few months:

[Graph: daily spam volume as seen by SpamCop, showing the sharp drop when McColo was disconnected; courtesy of SpamCop]

What makes this situation rather unique is the response by the ISPs. It wasn't motivated by legal action; it came about largely because Brian Krebs and other experts brought the issue to the attention of businesses and the general public. Along with Krebs' articles, many credit Hostexploits.com's second annual Cyber Crime report (focused heavily on the activities at McColo) as incentive enough for the ISPs to shut down McColo. One of the ISPs, Global Crossing, declined to discuss the matter, but Krebs was able to get the following quote from Benny Ng, director of marketing for Hurricane Electric:

"We shut them down. We looked into it a bit, saw the size and scope of the problem the Washingtonpost.com was reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."

No legal involvement

As I pointed out earlier, no legal activity is being publicly acknowledged at this time. One can sense the lack of precedent, and Krebs makes mention of this fact as well:

"Also unclear is the extent to which McColo could be held legally responsible for the activities of the clients for whom it provides hosting services. There is no evidence that McColo has been charged with any crime, and these activities may not violate the law.

Mark Rasch, a former cyber crime prosecutor for the Justice Department and managing director of FTI Consulting in Washington, D.C., said Web hosting providers are generally not liable for illegal activity carried out on their networks, except in cases involving copyright violations and child pornography."

Simply amazed

This is my first encounter with what it actually means to shut down a command-and-control center for several high-volume spam botnets. It feels like a victory for the good guys. Yet it's actually just a drop in the bucket when one looks at the overall picture. I'll let Nilesh Bhandari, product manager with IronPort, explain:

"IronPort sees an average of about 190 billion spam e-mails each day. Then, at around 4:30 p.m. ET yesterday (when McColo was shut down), IronPort saw a huge decline in spam levels. For the 24 hour period ending Tuesday, the company tracked about 112 billion spam messages."

Gee, only 112 billion spam messages a day.

Final thoughts

Most experts agreed that this victory was going to be a short-lived one. Prophetically, as of Nov. 15, 2008, McColo was back on-line. Ironically, experts are divided about this. Some were concerned that shutting McColo down would force the bot-masters to locate the command-and-control servers at multiple hosting sites, making them harder to track. It sounds like the experts know about Sun Tzu and his quote "Keep your friends close and your enemies closer."

Finally, I'm still trying to comprehend the fact that shutting down one command-and-control facility eliminated 78 billion spam messages per day.


61 comments
PraveenBhalla

You have a good site. Here is a good service provider in India. Last week I registered 6 domains with this service provider. It has a dedicated team to serve its clients. If you need any help with web hosting solutions and domain name registration, log on to the website. http://www.tiainterweb.net/

harrylal

Spamming has been around for a long time, even before the internet (e.g. junk mail). I have always thought that the way to control it is to bill per each email sent. After all, the postal service has been doing it long before the internet. Junk mailers have gone to the internet because it's so cheap (and easy to abuse). Perhaps those who are in a position of control should consider a way for those who are currently abusing it to pay for their mass electronic junk mail, or at least pay more for it. I'm not against commerce; I am against abuse that borders on the criminal...

bigjude

I've been wondering for several days what had happened to my SPAM. Seriously, with an email address showing at a website that is now a year old, I have been getting (as expected) a steadily increasing stream of SPAM. In the middle of last week it suddenly stopped. I would have received less than 10 pieces since then. The story demonstrates to me the extent to which a single decisive act of this type can impact the life of an unknown individual like myself.

luenib

NOOOOOOOOOOOOOOOOOOO!!

rainmaker_68

Damn, great, that means Yahoo chat will be less bugged, and I will have fewer worries when making remote connections. Not to say that there are no threats around the place, but 50% of the crap not to deal with is just fantastic.

ben

I have to ask some questions:

1. What if the experts were wrong, and the hosting company in question was a small business, effectively put out of business based on a news report? Benny Ng, director of marketing for Hurricane Electric, suggested that the Washington Post was his source, which of course has never been mistaken. But what if they were?

2. What provisions of the service agreements between bandwidth providers and the hosting service allowed for this action? Were those contracts honored?

3. Are legal contracts (such as service agreements) to be ignored when the "greater good" is involved? And if so, who should make that call?

4. The FCC recently has made significant rulings suggesting a particular bandwidth service provider (Comcast) can NOT filter internet traffic. Yet here is an extreme example of a provider doing just that. Does the ideal of "net neutrality" have limits? Again, if so, who decides what should be filtered?

I fear there are greater things to fear than spam.

chris

So how much money do these guys actually make from all this spam? Do people actually click the link and buy (or try to buy) stuff from these guys?

Dumphrey

I've been crazy busy here at work and haven't had time to peruse my usual news.

jmcgachey

Amazing. As a small company we were getting anywhere from 120,000 to 150,000 emails bounced off of our spam firewall daily. Last Wednesday it dropped by 100,000. I didn't think too much about it until the second day...same thing. I went so far as to email our ISP and ask them if they'd put something new in place, but they were as puzzled as I. Thanks for the article...I finally got my answer.

Jaqui

When the fine print in internet access service agreements allows them to take anyone offline for being part of a botnet and for spamming, why?

Michael Kassner

That one location can have that kind of impact and control. Still, it's just the command servers; the bot army is placed throughout the world.
