December 1, 2008 (Computerworld) Few tears were shed when McColo Corp., a San Jose-based company that allegedly hosted systems for prolific purveyors of spam, malware and child pornography, was suddenly taken offline by its upstream service providers on Nov. 11.
The September takedown of another hosting firm with a similarly dodgy reputation -- Intercage Inc. -- also evoked little sympathy from an Internet community that clearly is fed up with the massive volumes of spam and crimeware flowing across the Web.
What's notable about the McColo and Intercage shutdowns is that they weren't initiated by law enforcement officials or the upstream ISPs themselves. Instead, the upstream providers disconnected the companies, and their customers, from the Internet based on information that was provided by security researchers.
The two cases are shining a spotlight on the ferocious struggle taking place between malware distributors and loosely aligned but highly committed groups of security researchers who are out to neutralize them.
Those who support these self-appointed Net police -- and many do -- liken their efforts to Neighborhood Watch programs designed to keep city streets safe. Backers claim that the effort to shut down miscreant ISPs is needed because of the inability of law enforcement agencies to deal with such a global problem, as well as a lack of applicable laws.
A few people, though, are questioning whether there is a hint of vigilantism behind the takedowns -- even as they acknowledge that there may not be any other viable options for dealing with the problem at this point.
Soon after Intercage was forced offline, for instance, Earl Zmijewski, vice president and general manager at Internet monitoring company Renesys Corp., asked in a blog post why law enforcement officials hadn't been involved. "While I'm not a big fan of cybercrime or the providers who knowingly host these activities, I can't help but wonder where law enforcement is in this story," Zmijewski wrote. "We still have laws, right?"
Maxim Weinstein, manager of the anti-malware group StopBadware.org, had a similar the Internet's biggest botnets reaction to McColo's shutdown. In a Nov. 13 blog post, Weinstein applauded the work done by security researchers. But he also voiced concern about innocent companies and individuals who might have been affected.
"What happened to those users," he wrote, "when their providers and their sites suddenly became unavailable?"
McColo hosted a staggering variety of cybercrime activity, according to a group of researchers who said they had documented the company's practices for more than two years. In addition to hosting Web sites that spewed out huge quantities of spam, McColo is alleged to have hosted child pornography and counterfeit pharmaceutical sites, as well as command-and-control servers for some of the Internet's biggest botnets.
McColo was kicked offline after The Washington Post gave the company's upstream service providers information about its alleged hosting activities that the Post had gathered from the security researchers.
Benny Ng, director of infrastructure at Hurricane Electric, a Fremont, Calif.-based ISP that was one of McColo's service providers, said his company's decision to pull the plug was based solely on what it was given by the Post. According to Ng, the decision was straightforward because what McColo was doing was against Hurricane Electric's terms of service.
The fear of ending up on an Internet blacklist is also a powerful motivator in such cases. The blacklists maintained by StopBadware.org and other groups are used by many security vendors and corporate IT departments as part of their efforts to block spam and malware. As a result, ending up on the lists can have drastic consequences for an ISP or Web site.
Blacklist groups "basically have you over a barrel," said an executive at a hosting firm who asked not to be named. "So yes, we do pay attention to them."
However, in both the McColo and Intercage cases, the only role the security community played was to collect evidence showing that the two companies were hosting clients involved in all sorts of criminal activity, said Garth Bruen, founder of the antispam group KnujOn.
The decisions to pull the plug on the hosting firms were made solely by the upstream service providers, Bruen noted. "That was their choice to do it," he said. "We just gave them the information to help them make up their mind."
What's going on is "a little closer to vigilance than it is to vigilantism," StopBadware.org's Weinstein said in an interview. The security researchers who track alleged bad apples "are not inciting specific action against any company," he added. "What they're doing is publishing data and putting it in front of people who are making these decisions."
Often, though, it's hard to know for sure if a hosting company is complicit in the illegal activities taking place on its networks, or the extent of its culpability if it is aware of them, Weinstein acknowledged. "That's definitely a concern," he said. "But I don't think there's an easy answer to it."
Similar doubts were expressed even in the Post's story about the McColo takedown that the newspaper itself had helped trigger. According to the Post, the extent to which McColo could be held legally responsible for the activities of its hosted clients is unclear. There also is no evidence that McColo has ever been charged with any crimes, the newspaper reported.
Renesys' Zmijewski said he's surprised by the apparent lack of action on the part of U.S. law enforcement agencies to curb either McColo or Intercage. "It's not like these companies were in the middle of nowhere," he said, adding that many of the activities carried out on their systems were clearly illegal.
Invoking the rule of law would be preferable to having private groups initiate their own policing efforts, Zmijewski said. But he noted that with law enforcement not getting involved, it's no surprise that people have begun "taking matters into their own hands." For now, he said, "this perhaps is the only option."
This version of this story originally appeared in Computerworld's print edition.