Slashdot Mirror
McColo Briefly Returns, Hands Off Botnet Control
A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."
I gotta say the past week without so much SPAM has been like having a 10 year head cold where I've become more and more congested...and just lived with it. To suddenly have the congestion stop for just a week....I almost forgot what life is SUPPOSED to be like without a clogged sinus of an Inbox. Damn spammers! I wish I could have one pointed out and slap them up side the head....and then let the other million of people get to slap them. Then after that slapfest.....find a person that bought something from a spammer and slap them. If there were ever a time for authorities to get involved...it would be now! Raid that ISP and you know they'd catch some guilty folks...some of which could flip.
This is an example of the old saying "The Internet treats censorship as damage and routes around it".
Unfortunately, this is happening for the bad guys as well as us.
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
After whacking down a mole, they continue to pop up!
I don't see why. 15MB/sec for 12 hours is rougly 650 gigs - a lot, but a single external hard drive could have pulled it off. At most they shaved a week off their time to get the botnets back up and running at full capacity.
My penis thanks them, my very very large penis which is located in a recently refinanced home, that is.
Now as soon as my good friend MR AUSTINE OWOH is able to complete the transfer of my long lost uncle's estate from probate in Nigeria to my onshore checking account, I will be perfect, perfect with a very very large penis, that is.
Let's say you rent some space anf open a small convenience store. You work hard and make a modest living. Then your landlord rents out the shop next door to a crack dealer who's thriving business attracts a swarm of lowlifes who destroy the neighborhood. Are you going to be upset with the neighborhood watch when they make a fuss, or are you going to be upset with your landlord?
-- Will program for bandwidth
If you have "malware" on your computer, your private data is already being exposed. It could just as well be a bot net operator whose combing through your data. Who'd you rather have digging through your infected computer?
Besides, the guys used possibly ill-gotten information that was true to convince the upstream provider to shut down the ISP. The experts didn't run into the data center, pulling plugs in a rage...though that might make a neat comic book. In truth, you should blame the upstream providers. Seriously, this isn't Governments running around meting out justice. This is companies listening to private organizations.
import system.cool.Sig;
What are you smoking? Or rather, are you someone arguing a point without a clue.
Whether they had any legit customers is suspect. If they did, I'm sure they would have come to light very quickly.
No, your ISP will be notified about spam originating from its networks and they'll either deal with the user who is undoubtedly violating their TOS or the ISP's IP range will be entered into mail blackhole lists. Nothing new there.
Unlikely, and sadly you probably won't get punted off the net like you should. Instead, your computer will continue to be abused for the purposes of these criminals.
Your efforts to compare this to the drug war are completely irrational, as their causes and symptoms are wildly different. On top of that, there was no government involvement here.
wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers. Must have been pretty righteous. Of course, now it looks like they're going to have to play a game of whack-a-mole. What ISP shall die next at the hands of vigilante justice? Will my internet connection go down because someone uses my ISP for spam?
Well, frankly, yes. An ISP that turns a blind eye to such activities as accused, is just as good as helping the bad guys. And guess what... this is a war where almost anyone is willing to take casualties to end it. Now the innocent bystanders know they were dealing with shit for an ISP and have a big sign in front of their face to move to someone more reputable. It is a win for everyone, except the nefarious spammers/botnet operators that were put out by it. There is no sympathy for these folks.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
This pretty much shows how certain ISP's help spammers. Particularly since they did not IMMEDIATELY bring up their backup link. Instead they waited until the weekend.
And if the police do nothing?
"Believe me!" -- Donald Trump
Er, you can't communicate with a botnet with a harddrive, you know.
That's why your comparison doesn't make any sense. Drugs are a demand driven problem; attacking supply centers simply leads to more supply popping up. Spam is a supply driven problem; attacking supply centers leads to less spam.
If you really think that ISPs will continue to operate with gray customers, I guess you might think this is wack-a-mole, but ISPs have plenty of legitimate business and will have no problem ceasing doing business with spammers. This ISP didn't do that and learned a hard lesson. They were not a good-actor here.
Nerd rage is the funniest rage.
1. I don't have a solution, I'm just considering the ethical aspect.
What is unethical about pointing out MASSIVE violation of terms of service by an ISP to their provider? The ISP has a duty to obey the terms they agreed to, and if it can't or won't it gets cut off. Just like you or I would get cut off by our upstream for violating whatever agreement we may have in place.
2. I'd rather deal with spam, malware, and con artists clogging the internet than vigilantes blowing holes in it.
Considering the sheer cost of cleaning up this bullshit, I doubt many share the same opinion. And the intenet was designed to route around holes in it. Theoretically at least.
3. As to who's protecting them -- it's not a question of who but what. In this case, economics.
No. There are definately quite a few "who"s in this mix. Like the greedy bastards who look the other way while their customers commit felonies. They are accessories to the crimes of their clients if they don't cut them off for their criminal bullshit.
4. It has taken this long because until now people were restrained by ethical considerations prevalent within the community. However, a certain moral flexibility seems to be developing now out of frustration. This can only end badly.
Are you kidding? People have been black-holed for decades on the internet for stuff like this.
WHERE IS THE ETHICAL ISSUE WITH TELLING A PROVIDER THAT THEIR CLIENTS ARE IN GROSS VIOLATION OF THEIR ACCEPTABLE USE POLICY????
Or worse.
Either they need to act on it when its pointed out or they will find themselves having to screen their traffic for content because of some cockamamy law passed because they were KNOWINGLY looking the other way while the sold space to kiddy-porn traders after numerous people pointed it out.
What's to prevent them from doing this every few months and leaving a trail of dead service providers in the wake of our new definition of "justice" as the botnet owners simply hop from one provider to the next?
That's simple - ISPs that value their continued existence will enforce their anti-spam/botnet policies rather than look the other way and take money from anyone who can pay. This isn't vigilantism, it's the upstream ISP dropping connectivity for contract violations when informed of the situation at one of their downstreams.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Sigh
Way to ignore the obvious facts here.
The ISP had the option of blocking off the spammers.
They did not. Eventually, ISP who do not stop spam will be disconnected. The ISP that supported this botnet SHOULD be a shambles, they became that when they decided not to stop their clients spamming.
What will prevent them from going to new ISP is that ISP probably dont like being put out of business completely.
This should be a salutory lesson for the next ISP that is told they are sending spam.
I see no ethical issues, unless you are a spammer.
But I suspect troll is closer to the mark.
Apparently TeliaSonera shut down the link as soon as they realised what was happening - the contract was through a proxy company.
See the Register article for more details.
So we can't really blame TeliaSonera.
Why the spamming bastards didn't just courier a hard drive to Russia instead is a mystery, though.
One swallow does not a fellatrix make
if spam wasn't profitable nobody would be doing it
Not necessarily. Spam may not be profitable, spamming may be. If you convince someone to pay you to spam for them, whether or not the spam itself generates any profit, you hustled them out of the money.
The use of a server located in Russia for C&C of the botnet is probably not as desirable as a US based host because of the large numbers of companies and ISPs which either black hole China and Russia entirely or subject traffic coming from and going to those parts of the Internet to much greater firewall scrutiny. I can see why they wanted the US server hosting in the first place while keeping the Russian datacenter as the backup plan.
The article said they had to update the command & control data for the botnets. The 'nets won't let just any computer control them, and this Russian server probably wasn't on the master list, so they needed to get back online with their old DNS hostname first.
Hail Eris, full of mischief...
E pluribus sanguinem
The facts do not support the conclusions here! Fundamentally, the argument that people keep siding with is "it's okay to nuke an ISP that harbors spammers." This argument is made on emotion -- the frustration we all share about receiving spam and it's negative impact. Those emotions don't consider the unintended consequences, which is that innocent people can be harmed when this course of action is taken. The legal system in this country is heavily slanted towards keeping the innocents out of the line of fire at whatever cost; An ethical principle I happen to agree with.
The ISPs need to be held legally accountable for harboring spammers, which means using legal methods to make the cost of doing so high enough that they comply. By going through the backdoor and shutting off their connections, this weakens the entire market and the infrastructure of the internet at large -- because we are implying then that our personal ethics are more important than our legal obligations. What we're saying here is that agents in the market of providing internet services are free to excercise their own judgement -- which also means now they are liable for things like copyright infringement, or people passing child porn through their network, etc. It opens the door to accusations of selective enforcement, discrimination, and worse.
And calling me a troll, or saying that I support spammers, or that I am a spammer... Is a cheap way of ducking an uncomfortable truth.
#fuckbeta #iamslashdot #dicemustdie
The problem is, once you give the government jurisdiction to decide who can and cannot use the Internet, they will use that power to further their own interests rather than yours.
No politician will ever vote to decrease his own power.
Canter and Siegel were kicked off their ISPs in decently short order 14 years ago (1994) after starting to spam. See:
https://secure.wikimedia.org/wikipedia/en/wiki/Canter_and_siegel
Anyone familiar with the history of spamfighting will be able to point to numerous examples every year since then, of escalating size and complexity.
Vigilantism is acting extrajudicially AND illegally as a community group to right a wrong or combat a criminal. It's an inappropriate model here - the response was entirely legal. It was done by people who, contrary to your assertion, were openly identified and stood and stand by their information.
If people were assassinating botnet operators or burning McColo datacenters down, THAT would be vigilantism. This is just community response.
Actually, its my PROFESSIONAL duty. Good luck suing me for pointing out that you are committing a felony to your provider. I have the feds computer crimes department on speed-dial.
If a shit-ton of malicious crap and SPAM/malware are coming into MY client's network (causing ME and MY CLIENTS a material loss), or if my client's systems have been infected with a botnet controlled from YOUR IP space(a felony), it is your responsibility to address that when I tell you about it. If you don't I'll talk to YOUR provider. Or would you rather I call the FBI and tell them you're systematically attacking my client?
I don't even have to be involved actually, I can just tell MY client's providers (some of which are backbone providers) what I see coming from YOUR network and they have entire departments to deal with that type of shit. So you can fight Level 3 and Verizon for all I care. Your customers are attacking their customers, they can cut you off just as easily.
Please, dont do this.
These servers were plugged off on early monday (local moscow time), as soon we got contact with podolsk-mo. The networks of bad guys were:
62.176.16.0/22 (they got from local ISP)
91.200.144.0/22 (client's network)