McColo Briefly Returns, Hands Off Botnet Control
A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."
Let's say you rent some space and open a small convenience store. You work hard and make a modest living. Then your landlord rents out the shop next door to a crack dealer whose thriving business attracts a swarm of lowlifes who destroy the neighborhood. Are you going to be upset with the neighborhood watch when they make a fuss, or are you going to be upset with your landlord?
-- Will program for bandwidth
The article said they had to update the command & control data for the botnets. The 'nets won't let just any computer control them, and this Russian server probably wasn't on the master list, so they needed to get back online with their old DNS hostname first.
Hail Eris, full of mischief...
E pluribus sanguinem
Please, don't do this.
These servers were plugged off early Monday (local Moscow time), as soon as we got contact with podolsk-mo. The networks of the bad guys were:
62.176.16.0/22 (they got from local ISP)
91.200.144.0/22 (client's network)