Slashdot Mirror


McColo Briefly Returns, Hands Off Botnet Control

A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."

12 of 242 comments

  1. Re:Epic Fail. by rossz · · Score: 5, Interesting

    I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers.

    Let's say you rent some space and open a small convenience store. You work hard and make a modest living. Then your landlord rents out the shop next door to a crack dealer whose thriving business attracts a swarm of lowlifes who destroy the neighborhood. Are you going to be upset with the neighborhood watch when they make a fuss, or are you going to be upset with your landlord?

    --
    -- Will program for bandwidth
  2. So what's YOUR solution? by SIGBUS · · Score: 2, Interesting

    Just let the spammers, malware pushers, and con artists clog up the net?

    The real question is, who's protecting these scumbags and why? Why has it taken so long to do anything about them?

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
    1. Re:So what's YOUR solution? by girlintraining · · Score: 2, Interesting

      > What is unethical about pointing out MASSIVE violation of terms of service by an ISP to their provider?

      Nothing at all. The problem comes when the upstream provider violated their contract with the customers that may have been using the service in accordance with the TOS but lost their service due to being in the wrong place at the wrong time. Which, if you want to split hairs, is principally the fault of the provider and possibly to a lesser extent the person reporting the problem because they provided false information. I say possibly because I don't know what information was provided.

      > Considering the sheer cost of cleaning up this bullshit, I doubt many share the same opinion. And the internet was designed to route around holes in it. Theoretically at least.

      I am glad, then, that the decision is not theirs to make. Besides, most people think they're above average drivers too...

      > No. There are definitely quite a few "who"s in this mix. Like the greedy bastards who look the other way while their customers commit felonies. They are accessories to the crimes of their clients if they don't cut them off for their criminal bullshit.

      You can't say they shouldn't help RIAA enforce their copyright by booting you off your connection for P2P, then turn around and say they should police people for spam. They're common carriers; it means they're not responsible, nor should they be. If we start down this road, the internet as we know it ends.

      > Are you kidding? People have been black-holed for decades on the internet for stuff like this.

      Citation needed.

      Look, the solution here is laws not vigilantism... Because the simple truth is no matter how good you are sooner or later you're going to fuck it up. The law ensures that when this happens, there's recourse. A vigilante will just disappear into the night with the words "I'm sorry" on his/her lips. And not only that, but the entire tone of your response rather underscores the need to get emotion out of this situation and the justice system is far better suited to this than your "Let's get a posse together and ride" solution.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:So what's YOUR solution? by st0rmshad0w · · Score: 4, Interesting

      Actually, it's my PROFESSIONAL duty. Good luck suing me for pointing out to your provider that you are committing a felony. I have the feds' computer crimes department on speed-dial.

      If a shit-ton of malicious crap and SPAM/malware are coming into MY client's network (causing ME and MY CLIENTS a material loss), or if my client's systems have been infected with a botnet controlled from YOUR IP space (a felony), it is your responsibility to address that when I tell you about it. If you don't, I'll talk to YOUR provider. Or would you rather I call the FBI and tell them you're systematically attacking my client?

      I don't even have to be involved actually, I can just tell MY client's providers (some of which are backbone providers) what I see coming from YOUR network and they have entire departments to deal with that type of shit. So you can fight Level 3 and Verizon for all I care. Your customers are attacking their customers, they can cut you off just as easily.

  3. Re:How to stop internet crime by Anonymous Coward · · Score: 0, Interesting

    How many times has web-based direct democracy failed?

    On the contrary, aren't open source projects an example of the success of leaderless democracy?

  4. It's not the data, it's the cooperation. by khasim · · Score: 4, Interesting

    This pretty much shows how certain ISPs help spammers. Particularly since they did not IMMEDIATELY bring up their backup link. Instead they waited until the weekend.

    1. Re:It's not the data, it's the cooperation. by xenobyte · · Score: 2, Interesting

      Well, the issue is that as long as the spam doesn't originate from the ISP and the spamvertised sites aren't hosted on the ISP, it can be really hard in certain countries to get rid of a malicious customer.

      Sure, in this case there's no doubt the ISP was very much a part of the evil operation, but some ISPs find themselves between a rock and a hard place if their customers only host nameservers or what turns out to be C&C servers because they might not be able to terminate the hosting contract prematurely due to the activities not being illegal according to local law, nor is it listed in the law regarding spamming and similar rogue advertising. And it might be that you cannot enforce a contract termination based on perceived damage unless some law is broken.

      I've worked at such an ISP and we found ourselves unable to get rid of a client (a subsidiary of a corporation that had another porn spamming subsidiary) who only hosted nameservers on our networks. As a nameserver is pretty innocent in itself, we could not terminate them. The only damage they were causing was the blacklisting provided by the vigilantes in SPEWS and that just wasn't enough for an early termination.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  5. Re:Epic Fail. by girlintraining · · Score: 3, Interesting

    > Drugs are a demand driven problem; attacking supply centers simply leads to more supply popping up.

    But if there wasn't a supply in the first place, there wouldn't be a demand problem... or so goes the logic. Attacking supply centers leads to higher costs as supply has diminished. Because the price is now higher, there's now more incentive for an agent to enter the market who can produce at a lower price. There are a few extra steps in this that make calling it either a supply or a demand problem a meaningless distinction; it's a self-balancing system.

    E-mail is cheaper than a millionth of a penny in actual costs, so I don't see any way to resolve the issue. If there's even one person who would reply and buy $40 worth of penis enlargement pills, that one person has just paid for about 20 billion e-mails to try to find the next person. Attacking the suppliers doesn't remove the economic incentive, which was the entire point of my original post!

    It's a self-correcting system... At best they'll reduce supply to the point that new players enter the market who might be better prepared and vested in evading detection to protect their profits. This, of course, makes them even more difficult to detect and then turn over to the authorities to face prosecution. Taking away their means of production accomplishes nothing because the cost of re-entering the market is effectively zero.

    The only long-term strategy that will have any impact is to use the criminal justice system to tag and bag these people. And at that, it's not a solution but a band-aid, but it will help more than vigilantism.

    --
    #fuckbeta #iamslashdot #dicemustdie
  6. Re:Let's turn TeliaSonera into a smoking crater ne by Nimey · · Score: 5, Interesting

    The article said they had to update the command & control data for the botnets. The 'nets won't let just any computer control them, and this Russian server probably wasn't on the master list, so they needed to get back online with their old DNS hostname first.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
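    Nimey's point above is that the bots were re-pointed to a new controller by DNS hostname, which is exactly what a defender can watch for. The following is an added example, not code from the thread or from any of the researchers quoted: it scans constructed DNS-query and connection log lines (format assumed) for the C&C hostname named in the summary and the two netblocks demiurgie lists further down, and reports which internal hosts touched them.

```python
import ipaddress
import re

# Indicators named in this thread: the C&C hostname from the story summary and
# the netblocks from demiurgie's comment. Historical values, used here as a watchlist.
CC_HOSTNAMES = {"abilena.podolsk-mo.ru"}
CC_NETBLOCKS = [ipaddress.ip_network(n) for n in ("62.176.16.0/22", "91.200.144.0/22")]

# Constructed sample log (not a real capture). The line format is an assumption:
#   "<timestamp> <src_host> DNS <queried_name>"
#   "<timestamp> <src_host> CONN <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2008-11-15T13:02:11 ws-017 DNS abilena.podolsk-mo.ru
2008-11-15T13:02:12 ws-017 CONN 91.200.146.20:80
2008-11-15T13:05:40 ws-042 DNS www.example.com
2008-11-15T13:05:41 ws-042 CONN 93.184.216.34:443
2008-11-15T13:09:03 ws-088 CONN 62.176.19.250:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (DNS|CONN) (\S+)$")


def in_cc_netblock(ip_str):
    """True if ip_str parses as an address inside one of the listed netblocks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # garbage in the destination field is not a hit
    return any(ip in net for net in CC_NETBLOCKS)


def find_suspect_hosts(log_text):
    """Map each source host to a sorted list of the indicators it touched."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, host, kind, value = m.groups()
        if kind == "DNS" and value.lower().rstrip(".") in CC_HOSTNAMES:
            hits.setdefault(host, set()).add(f"dns:{value}")
        elif kind == "CONN":
            dst_ip = value.rsplit(":", 1)[0]  # strip the port
            if in_cc_netblock(dst_ip):
                hits.setdefault(host, set()).add(f"conn:{dst_ip}")
    return {h: sorted(r) for h, r in hits.items()}


if __name__ == "__main__":
    for host, reasons in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(host, reasons)
```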
  7. Re:Epic Fail. by girlintraining · · Score: 4, Interesting

    The facts do not support the conclusions here! Fundamentally, the argument that people keep siding with is "it's okay to nuke an ISP that harbors spammers." This argument is made on emotion -- the frustration we all share about receiving spam and its negative impact. Those emotions don't consider the unintended consequences, which is that innocent people can be harmed when this course of action is taken. The legal system in this country is heavily slanted towards keeping the innocents out of the line of fire at whatever cost; an ethical principle I happen to agree with.

    The ISPs need to be held legally accountable for harboring spammers, which means using legal methods to make the cost of doing so high enough that they comply. By going through the backdoor and shutting off their connections, this weakens the entire market and the infrastructure of the internet at large -- because we are implying then that our personal ethics are more important than our legal obligations. What we're saying here is that agents in the market of providing internet services are free to exercise their own judgement -- which also means now they are liable for things like copyright infringement, or people passing child porn through their network, etc. It opens the door to accusations of selective enforcement, discrimination, and worse.

    And calling me a troll, or saying that I support spammers, or that I am a spammer... is a cheap way of ducking an uncomfortable truth.

    --
    #fuckbeta #iamslashdot #dicemustdie
  8. Re:Which Federal Wirefraud Law Did McColo Just Bre by cmholm · · Score: 3, Interesting

    I realize that there are others who are already more than knowledgeable about McColo. I just wanted to add an observation from a look at McColo's "about" page archived on the wayback machine: the site designer links back to a Russian domain, and the corporate address is a drop box in Delaware. It wouldn't surprise me if the only US-based "employees" were a handful of independent contractors swapping equipment out at the San Jose data center.

    --
    Luke, help me take this mask off ... Just for once, let me butterfly kiss you with my own eyes.
  9. Re:Can they hear me now? by demiurgie · · Score: 5, Interesting

    Please, don't do this.
    These servers were unplugged early Monday (local Moscow time), as soon as we got in contact with podolsk-mo. The networks of the bad guys were:
    62.176.16.0/22 (they got from local ISP)
    91.200.144.0/22 (client's network)