Slashdot Mirror


McColo Briefly Returns, Hands Off Botnet Control

A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."

9 of 242 comments

  1. Uncongested Relief! by IgnacioB · Score: 5, Informative

    I gotta say the past week without so much SPAM has been like having a 10-year head cold where I've become more and more congested...and just lived with it. To suddenly have the congestion stop for just a week...I almost forgot what life is SUPPOSED to be like without a clogged sinus of an Inbox. Damn spammers! I wish I could have one pointed out and slap them upside the head...and then let the other million people get to slap them. Then after that slapfest...find a person that bought something from a spammer and slap them. If there were ever a time for authorities to get involved...it would be now! Raid that ISP and you know they'd catch some guilty folks...some of which could flip.

  2. Alas... by Amazing Quantum Man · Score: 5, Insightful

    This is an example of the old saying "The Internet treats censorship as damage and routes around it".

    Unfortunately, this is happening for the bad guys as well as us.

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.

  3. Re:Epic Fail. by rossz · Score: 5, Interesting

    I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers.

    Let's say you rent some space and open a small convenience store. You work hard and make a modest living. Then your landlord rents out the shop next door to a crack dealer whose thriving business attracts a swarm of lowlifes who destroy the neighborhood. Are you going to be upset with the neighborhood watch when they make a fuss, or are you going to be upset with your landlord?

    --
    -- Will program for bandwidth

  4. Re:Epic Fail. by Microlith · Score: 5, Insightful

    What are you smoking? Or rather, are you someone arguing a point without a clue?

    I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers.

    Whether they had any legit customers is suspect. If they did, I'm sure they would have come to light very quickly.

    Will my internet connection go down because someone uses my ISP for spam?

    No, your ISP will be notified about spam originating from its networks and they'll either deal with the user who is undoubtedly violating their TOS or the ISP's IP range will be entered into mail blackhole lists. Nothing new there.

    If my computer becomes infected with malware, how long before I have 'researchers' digging through my private data?

    Unlikely, and sadly you probably won't get punted off the net like you should. Instead, your computer will continue to be abused for the purposes of these criminals.

    Your efforts to compare this to the drug war are completely irrational, as their causes and symptoms are wildly different. On top of that, there was no government involvement here.

  5. Re:Epic Fail. by TheRealMindChild · Score: 5, Insightful

    I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers. Must have been pretty righteous. Of course, now it looks like they're going to have to play a game of whack-a-mole. What ISP shall die next at the hands of vigilante justice? Will my internet connection go down because someone uses my ISP for spam?

    Well, frankly, yes. An ISP that turns a blind eye to such activities as accused, is just as good as helping the bad guys. And guess what... this is a war where almost anyone is willing to take casualties to end it. Now the innocent bystanders know they were dealing with shit for an ISP and have a big sign in front of their face to move to someone more reputable. It is a win for everyone, except the nefarious spammers/botnet operators that were put out by it. There is no sympathy for these folks.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson

  6. Re:So what's YOUR solution? by st0rmshad0w · Score: 5, Insightful

    1. I don't have a solution, I'm just considering the ethical aspect.

    What is unethical about pointing out MASSIVE violation of terms of service by an ISP to their provider? The ISP has a duty to obey the terms they agreed to, and if it can't or won't it gets cut off. Just like you or I would get cut off by our upstream for violating whatever agreement we may have in place.

    2. I'd rather deal with spam, malware, and con artists clogging the internet than vigilantes blowing holes in it.

    Considering the sheer cost of cleaning up this bullshit, I doubt many share the same opinion. And the internet was designed to route around holes in it. Theoretically at least.

    3. As to who's protecting them -- it's not a question of who but what. In this case, economics.

    No. There are definitely quite a few "who"s in this mix. Like the greedy bastards who look the other way while their customers commit felonies. They are accessories to the crimes of their clients if they don't cut them off for their criminal bullshit.

    4. It has taken this long because until now people were restrained by ethical considerations prevalent within the community. However, a certain moral flexibility seems to be developing now out of frustration. This can only end badly.

    Are you kidding? People have been black-holed for decades on the internet for stuff like this.

    WHERE IS THE ETHICAL ISSUE WITH TELLING A PROVIDER THAT THEIR CLIENTS ARE IN GROSS VIOLATION OF THEIR ACCEPTABLE USE POLICY????

    Or worse.

    Either they need to act on it when it's pointed out or they will find themselves having to screen their traffic for content because of some cockamamie law passed because they were KNOWINGLY looking the other way while they sold space to kiddy-porn traders after numerous people pointed it out.

  7. Re:Let's turn TeliaSonera into a smoking crater ne by aproposofwhat · Score: 5, Informative

    Apparently TeliaSonera shut down the link as soon as they realised what was happening - the contract was through a proxy company.

    See the Register article for more details.

    So we can't really blame TeliaSonera.

    Why the spamming bastards didn't just courier a hard drive to Russia instead is a mystery, though.

    --
    One swallow does not a fellatrix make

  8. Re:Let's turn TeliaSonera into a smoking crater ne by Nimey · Score: 5, Interesting

    The article said they had to update the command & control data for the botnets. The 'nets won't let just any computer control them, and this Russian server probably wasn't on the master list, so they needed to get back online with their old DNS hostname first.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem

  9. Re:Can they hear me now? by demiurgie · Score: 5, Interesting

    Please, don't do this.
    These servers were unplugged early on Monday (local Moscow time), as soon as we got in contact with podolsk-mo. The networks of the bad guys were:
    62.176.16.0/22 (they got from local ISP)
    91.200.144.0/22 (client's network)
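
Comments 8 and 9, read together with the story summary, give a defender two concrete things to look for: the hostname the updated Rustock bots were told to report to (abilena.podolsk-mo.ru) and the two prefixes the podolsk-mo contact says the operators were using. As an added example that is not part of the Slashdot thread and not any commenter's code, the script below walks a constructed key=value DNS/flow log and lists the internal hosts that resolved that hostname or sent traffic into those prefixes. The log format, the host names and the timestamps are assumptions; the indicators are exactly the ones quoted on the page and are historical (November 2008). Name matching normalises case and the trailing dot, since a lookup for `ABILENA.PODOLSK-MO.RU.` is the same name and should not slip past an exact-string comparison.

```python
"""Flag internal hosts that resolved the new Rustock C&C hostname or sent
traffic into the two netblocks named in the thread.  Added example, not part
of the Slashdot page; log format, host names and timestamps are constructed."""
import ipaddress
import re
from collections import defaultdict

# Indicators quoted on the page: the hostname from the story summary and the
# two prefixes from comment 9.  Treat them as historical (2008) indicators.
CC_HOSTNAMES = {"abilena.podolsk-mo.ru"}
CC_NETWORKS = [ipaddress.ip_network(p) for p in ("62.176.16.0/22", "91.200.144.0/22")]

# Constructed sample log lines in a simple "<timestamp> key=value ..." format
# (an assumption, not any real sensor's output).
SAMPLE_LOG = """\
2008-11-16T10:12:01Z host=ws-0142 type=dns qname=abilena.podolsk-mo.ru
2008-11-16T10:12:03Z host=ws-0142 type=flow dst=62.176.17.44 dport=80
2008-11-16T10:13:00Z host=ws-0200 type=dns qname=www.example.com
2008-11-16T10:13:05Z host=ws-0200 type=flow dst=198.51.100.7 dport=443
2008-11-16T10:14:10Z host=ws-0311 type=flow dst=91.200.147.250 dport=8080
2008-11-16T10:14:11Z host=ws-0311 type=dns qname=ABILENA.PODOLSK-MO.RU.
this line is garbage and must not crash the parser
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict of key=value fields plus 'ts', or None if the line is unusable."""
    fields = dict(KV_RE.findall(line))
    if "host" not in fields or "type" not in fields:
        return None
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def normalize_name(qname):
    """Lower-case and strip the trailing dot so FQDN spellings compare equal."""
    return qname.rstrip(".").lower()


def in_cc_network(addr_text):
    """True if addr_text is an IP address inside one of the listed prefixes."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return any(addr in net for net in CC_NETWORKS)


def find_hits(log_text):
    """Return {host: [reasons]} for every host that touched a listed indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["type"] == "dns" and normalize_name(rec.get("qname", "")) in CC_HOSTNAMES:
            hits[rec["host"]].append(
                f"{rec['ts']} resolved {normalize_name(rec['qname'])}")
        elif rec["type"] == "flow" and in_cc_network(rec.get("dst", "")):
            hits[rec["host"]].append(
                f"{rec['ts']} connected to {rec['dst']}:{rec.get('dport', '?')}")
    return dict(hits)


if __name__ == "__main__":
    for host, reasons in sorted(find_hits(SAMPLE_LOG).items()):
        print(host)
        for reason in reasons:
            print("   ", reason)
```

Run it as-is and it reports ws-0142 and ws-0311, not ws-0200. The flow check is deliberately kept separate from the DNS check: a bot that already holds the address from an earlier lookup, or whose resolver is cached, produces no DNS line, so matching only the hostname would miss it.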