Hosting firm takedown bags 500,000 bots
The shutdown of McColo knocks out a record number of bots, says researcher
Computerworld - The shutdown last week of a U.S.-based Web hosting company crippled more than 500,000 bots, or compromised computers, which are no longer able to receive commands from criminals, a security researcher said today.
Although the infected PCs are still operational, the previously-planted malware that tells them what to do can't receive instructions because of the shutdown last week of McColo Corp.
McColo was disconnected from the Internet by its upstream service providers at the urging of researchers who believed the company's servers hosted a staggering amount of cybercriminal activity, including the command-and-control servers of some of the planet's biggest botnets. Those collections of infected PCs were responsible for as much as 75% of the spam sent worldwide. When McColo went dark, spam volumes dropped by more than 40% in a matter of hours.
The McColo takedown resulted in a record number of bots being severed from their hacker controllers by any single event, Stewart said. He compared it to last September, when Microsoft Corp.'s anti-malware utility, the Malicious Software Removal Tool (MSRT), purged nearly 300,000 infected PCs of the infamous Storm Trojan horse.
"That had a good impact, but it didn't stop the flow of spam globally," Stewart said of the MSRT takedown. "It didn't make a difference to other botnets that were still spamming away."
Knocking McColo offline, on the other hand, disrupted at least two major botnets -- "Rustock" and "Srizbi" -- and caused spam to plummet around the globe, said Stewart.
Stewart, a leading authority on botnets, estimated the strength of the top 11 botnets last April. Srizbi, at 315,000 bots, was No. 1 in his census, while Rustock, at 150,000, was in the No. 3 spot.
Rustock's handlers may never recover control of their bots, said Stewart. "It does look like they're lost to them," he said, noting that those bots lack a fail-safe for reconnecting with a command-and-control server if it does dark, as happened when McColo's plug was pulled.
But while Rustock's bots may be orphaned, there's a chance the Srizbi's bots can be brought back under control. "When Srizbi bots can't connect, as a backup, they're coded to try other domain names," to search for new command-and-control servers, said Stewart. Those domains, however, were recently registered, perhaps pre-emptively by a security researcher who had rooted through the Srizbi code.
"They're not receiving new instructions," Stewart said. That would indicate that a third party -- someone who didn't have the Srizbi source code, and thus a way to figure out the protocols for sending new orders to the disconnected bots -- may have snatched up the domain names.
- Massive botnet returns from the dead, starts spamming
- Spam levels fluctuate as crooks try to revive botnets
- Spam is silenced, but where are the feds?
- Dodgy ISP McColo briefly comes online, updates botnet
- McColo shutdown forces botnets to relocate
- Hosting firm takedown bags 500,000 bots
- Spam plummets after Calif. hosting service shuttered
- McColo takedown: Internet vigilantism or online Neighborhood Watch?
- IT Blogwatch: McColo is McShut McDown
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts