McSpammers fixing broken McBotnet?

In Wednesday's IT Blogwatch, Richi Jennings watches bloggers watch spammers foiled by the McColo takedown try to get back on the net. Not to mention the JavaScript drum machine...

Jeremy "T." Kirk reports:

An ISP associated with online crime and child pornography briefly came back online over the weekend before being cut off again, according to security vendors.

McColo, whose servers are in San Jose, was cut off from the Internet last week by its upstream providers after an investigation by computer security analysts and The Washington Post.

But McColo came back online on Saturday, after connecting with Swedish ISP TeliaSonera, which has a router in San Jose ... the brief renewal in connectivity did allow cybercriminals running botnets out of McColo's networks to take steps to preserve their operations.

Dan Goodin adds:

The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia.


The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware ... PCs infected by the Rustock botnet [were] updated so they'd report to a new server located at for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last.


The IP address used to reconnect McColo had been allocated to the "CWIE Holding Company," which claimed to process credit cards. Telia quickly pulled the plug once researchers learned it was linked to McColo.
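The re-pointing Goodin describes (bots updated during the 12-hour window so they would report to a different controller) leaves a trace a defender can look for in outbound flow logs: a host that had a steady, periodic destination and then switched to a new one in a short window. The following is an added example, not code from the Computerworld post or from any of the researchers quoted in it. The log format, host names and addresses are constructed for the example.

```python
"""Flag hosts whose periodic outbound beacon destination changed.

Added example (not from the Computerworld post or the researchers it quotes).
It models the observation in the post: infected PCs were re-pointed to a new
controller during a short window. All log lines, hosts and addresses are
constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow log: timestamp, source host, destination IP, destination port.
SAMPLE_FLOWS = """\
2008-11-15T03:00:00 host-a 203.0.113.10 8080
2008-11-15T03:10:00 host-a 203.0.113.10 8080
2008-11-15T03:20:00 host-a 203.0.113.10 8080
2008-11-15T03:30:00 host-a 198.51.100.7 8080
2008-11-15T03:40:00 host-a 198.51.100.7 8080
2008-11-15T03:50:00 host-a 198.51.100.7 8080
2008-11-15T03:00:00 host-b 203.0.113.10 8080
2008-11-15T03:10:00 host-b 203.0.113.10 8080
2008-11-15T03:20:00 host-b 203.0.113.10 8080
2008-11-15T03:05:00 host-c 192.0.2.50 443
2008-11-15T03:35:00 host-c 192.0.2.60 443
"""


def parse_flows(text):
    """Parse the constructed log into (timestamp, host, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), host, dst, int(port)))
    return flows


def is_periodic(times, tolerance=0.25):
    """True if the gaps between contacts are roughly equal (a beacon-like pattern)."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and (max(gaps) - min(gaps)) <= tolerance * mean


def beacon_destinations(flows, min_repeats=3):
    """Per host: periodic destinations as (first_seen, last_seen, (ip, port)), by first contact."""
    by_host = defaultdict(lambda: defaultdict(list))
    for ts, host, dst, port in sorted(flows):
        by_host[host][(dst, port)].append(ts)
    result = {}
    for host, dests in by_host.items():
        beacons = [(times[0], times[-1], dst_port)
                   for dst_port, times in dests.items()
                   if len(times) >= min_repeats and is_periodic(times)]
        result[host] = sorted(beacons)
    return result


def find_repointed(text, min_repeats=3):
    """Return (host, old_ip, new_ip, switch_time) for hosts whose beacon target moved.

    A host is flagged when one periodic destination stops and a different
    periodic destination starts afterwards, which is the pattern a controller
    migration leaves behind. Hosts with a single steady beacon, or with only
    one-off contacts, are not flagged.
    """
    alerts = []
    for host, beacons in beacon_destinations(parse_flows(text), min_repeats).items():
        for (_, old_last, old), (new_first, _, new) in zip(beacons, beacons[1:]):
            if new_first > old_last:
                alerts.append((host, old[0], new[0], new_first))
    return alerts


if __name__ == "__main__":
    for host, old, new, when in find_repointed(SAMPLE_FLOWS):
        print(f"{host}: beacon moved from {old} to {new} at {when.isoformat()}")
```

On the constructed log only host-a is flagged: it beaconed to one address three times and then, from 03:30, to a different one. host-b keeps a single steady beacon and host-c makes two unrelated one-off connections, so neither produces an alert. The periodicity check and the repeat threshold are what keep ordinary browsing from tripping the rule; in a real deployment both would be tuned against the site's baseline.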

But Ross Thomas isn't sympathetic:

Apparently those responsible for hooking up new customers at TeliaSonera don’t read security blogs. That said, the company does deserve props for its rapid response to complaints ... It’s great to see such a rapid result from a complaint to an ISP!


We should expect spam volumes to increase again soon (Rustock is estimated to be capable of sending 30 billion spams per day), though how big an increase we’ll see depends largely on the number of zombie PCs the botnet’s controller was able to reach during McColo’s temporary resurrection. For now, though, volume on our spamtraps is still hovering around a quarter of what it was before the take-down.

Edward Falk muses:

In a nutshell, McColo was one of the prime bad-guys of the internet. Child porn, phishing, credit-card processing for criminals, you name it. We're talking the Dr. Moriarty of the internet here. As part of all that, they were knowingly hosting the command-and-control centers for major botnets.


Here's what's significant: The shutdown of McColo resulted in a 60-70% drop in spam worldwide overnight. Let me say that again: A 60-70% drop in spam overnight. Worldwide. From disconnecting just one bad actor.


I don't have any illusions that this drop is permanent. The spammers and bot-herders will be looking to rebuild their networks almost immediately.

Brian Krebs blames the RIAA (kinda):

Botnet creators will learn from the experience and make key changes to improve the security, stealth and resiliency of their herds. One of the largest and most advanced spam botnets ever designed, "Storm," was successful in large part due to its decentralized nature.


Botnets that have their control servers at a single hosting provider are at constant risk of being shut down, because that host or the host's Internet providers can always pull the plug. But Storm lacked this single point of failure in part because information relayed by the bot masters about new spam runs to execute or malicious software updates to install could be passed from one bot to the next, without the need for the bots to check in at a central server.


The development and public adoption of P2P technology first took off after the recording industry took on music swapping service Napster. Soon after legal pressure from the Recording Industry Association of America (RIAA) forced Napster offline in 2001, a host of P2P software titles and networks sprang up to fill the void, allowing users to share music, movies and files online without ever having to connect to a central server ... The Storm worm used the "Overnet" protocol, a P2P communications medium that powered the popular Overnet and eDonkey music and file-trading networks.

Renraku thinks lateral:

Anyone want to set up a donation box to hire some thugs?

After all, what's this doing for us? It sounds almost like..well..treason! A foreign power is accessing systems in the United States and is using those systems to infect/enslave other systems. I wouldn't shed a tear if a black ops detachment traced the stuff back to its source and C4ed the offending equipment/operators in Russia.

But girlintraining trolls mightily:

I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers. Must have been pretty righteous.

Of course, now it looks like they're going to have to play a game of whack-a-mole. What ISP shall die next at the hands of vigilante justice? Will my internet connection go down because someone uses my ISP for spam?

So TheRealMindChild feeds the troll with insight:

Well, frankly, yes. An ISP that turns a blind eye to such activities as accused, is just as good as helping the bad guys. And guess what... this is a war where almost anyone is willing to take casualties to end it.

Now the innocent bystanders know they were dealing with **** for an ISP and have a big sign in front of their face to move to someone more reputable. It is a win for everyone, except the nefarious spammers/botnet operators that were put out by it. There is no sympathy for these folks.

And finally...


Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email:


Copyright © 2008 IDG Communications, Inc.
