Hosting firm shutdown forces botnets to relocate
Criminals affected by plug-pulling already shifting operations, says researcher
Computerworld - The shutdown Tuesday of a California-based hosting company not only knocked down spam volumes but has also put a dent in malware-spreading botnets and other criminal activity, researchers said today.
While cybercriminals will face some short-term difficulties as they are forced to relocate their operations, the relief will be only temporary for the world's Internet users, the researchers added.
McColo Corp., the San Jose-based company that was cut off from the Web by its upstream Internet providers two days ago, hosted a staggering variety of cybercriminal activity, according to researchers familiar with its operation. Other than spewing out huge quantities of spam -- by some estimates, at times up to 75% of all spam -- McColo hosted the command-and-control servers of some of the biggest botnets, hosted child pornographic sites and domains that hustled users for money by scaring them into thinking that their PCs were infected with massive amounts of malware.
Among the world's largest botnets controlled from servers hosted by McColo, researchers have counted the Sinowal, Srizbi and Rustock networks.
The hosting service even harbored the server that RSA Security Inc. found that contained more than 500,000 stolen online bank and credit card accounts.
Paul Ferguson, a network architect at Trend Micro Inc., was one of 10 security researchers who put years of work into investigating McColo and documenting its criminal activities. "The work goes back two years," said Ferguson. "We did our due diligence and went through legitimate channels" in an attempt to get McColo to change its spots. "But they just played a shell game when they did respond, maybe change an IP address on one domain. They weren't serious. So we decided it was time to shine a light on the darkness."
Ferguson joined nine other researchers to publish a paper Wednesday called "McColo: Cyber Crime USA" that detailed their findings. The paper is available on the HostExploit.com site (download PDF).
Spam levels remained significantly lower today than before McColo's shutdown -- according to IronPort, spam volumes are down about 58% Thursday from Monday's numbers.
Although the shutdown may stymie online criminal activity for a time, Ferguson and others were only cautiously optimistic.
"I completely expect the criminal operators that were 'pulling the strings' in McColo to redeploy their operations elsewhere," said Ferguson. "That's almost a given." He added that there are signs the criminals are already shifting their servers and domains to other hosting companies.
Ben Feinstein, director of operations for the counterthreat unit of SecureWorks Inc., an Atlanta-based security company, echoed Ferguson. "In the short term, this may have a positive effect in reducing online crime, but in the medium- and long-term, they'll reorganize and move to other hosting providers."
- Massive botnet returns from the dead, starts spamming
- Spam levels fluctuate as crooks try to revive botnets
- Spam is silenced, but where are the feds?
- Dodgy ISP McColo briefly comes online, updates botnet
- McColo shutdown forces botnets to relocate
- Hosting firm takedown bags 500,000 bots
- Spam plummets after Calif. hosting service shuttered
- McColo takedown: Internet vigilantism or online Neighborhood Watch?
- IT Blogwatch: McColo is McShut McDown
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts