Spam is silenced, but where are the feds?

The FTC's HerbalKing operation grabbed a lot of headlines; the McColo takedown cut spam

The reason why some security experts have called for a similar takedown at McColo has, in part, to do with the sneaky way that McColo's customers were disrupted. Researchers say that McColo computers weren't actually sending out spam, just running the command and control servers that marshalled an estimated half-million infected botnet computers. These infected machines would take their instructions from servers on McColo's network, but should those computers ever be knocked offline, they were given several other backup Internet domains to check for commands.

To keep things secret, the criminals hadn't registered these domains, but they had coded several hundred of them into their botnet software. But the researchers learned these domain names by looking at the botnet code to find out what the hacked computers would do when McColo went down. Shortly before the McColo network was knocked offline by Global Crossing and Hurricane Electric, researchers registered the hundreds of backup domains themselves.

When the botnets couldn't go to McColo's IP (Internet Protocol) space for instructions, they started looking for their backup domains, but these were controlled by security researchers. Now, disconnected from their control servers, and unable to connect to a backup, two of the Internet's worst botnets, Srizbi and Rustock, have been decapitated.
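As an added illustration (not from the article or its sources), the two steps described above in Python: pull the hard-coded backup domains out of a constructed sample blob, then model which party a bot ends up taking commands from once the primary IP space goes dark, is temporarily reconnected, or when a backup domain is not sinkholed. The blob, the TEST-NET address and the domain names are all constructed placeholders.

```python
import re

# Constructed sample of a binary's data section with hard-coded backup domains
# mixed among other bytes; not real Srizbi or Rustock data.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00cmd\x00"
    b"backup-one.example\x00\x01\x02"
    b"backup-two.example\x00not a domain\x00"
    b"backup-two.example\x00"          # duplicate, should be reported once
    b"\xff\xfebackup-three.example\x00"
)

DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}")

def extract_candidate_domains(blob: bytes) -> list:
    """Return the domain-looking strings in a blob, in first-seen order, deduplicated.
    This is the 'strings plus a domain pattern' step that gives a researcher the
    fallback list before the primary network goes dark."""
    found = []
    for match in DOMAIN_RE.finditer(blob.lower()):
        domain = match.group().decode("ascii")
        if domain not in found:
            found.append(domain)
    return found

def who_answers(primary_ips, backup_domains, control):
    """Walk the bot's contact order (primary IPs first, then backup domains) and
    return the party that would answer: 'attacker', 'sinkhole' or 'nobody'.
    `control` maps an endpoint to its controller; a missing or None entry means
    the IP is unreachable or the domain is unregistered."""
    for endpoint in list(primary_ips) + list(backup_domains):
        owner = control.get(endpoint)
        if owner is not None:
            return owner
    return "nobody"

# Constructed placeholder (TEST-NET-3) standing in for the hoster's IP space.
PRIMARY_IPS = ["203.0.113.10"]

def outcome(primary_online: bool, sinkholed, attacker_registered, blob=SAMPLE_BLOB):
    """Model one situation: is the primary IP space reachable, which backup domains
    did researchers register, and which did the operators manage to register."""
    control = {d: "sinkhole" for d in sinkholed}
    control.update({d: "attacker" for d in attacker_registered})
    if primary_online:
        control[PRIMARY_IPS[0]] = "attacker"
    return who_answers(PRIMARY_IPS, extract_candidate_domains(blob), control)
```

The last two cases in the test show why every backup domain has to be covered: the bot takes the first endpoint that answers, so one domain left to the operators, earlier in the list than the sinkholed ones, hands control back.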

"There have got to be hundreds of thousands of bots out there that aren't phoning home right now," said Joe Stewart, a botnet expert with SecureWorks who has tracked the McColo situation.

These bots might well be disabled for good, provided McColo's computers do not get brought back online. But that's exactly what happened a week ago, when a reseller of Swedish ISP TeliaSonera reconnected McColo temporarily.

The mistake was quickly noted, and TeliaSonera quickly disconnected McColo. But security vendor FireEye reckons that the bad guys were able to regain control of thousands of botnet computers during this brief window of opportunity. When McColo went back on the Internet, its IP address space worked again and cybercriminals were able to send instructions to their botnet computers. They would not have been able to do this had the FBI been able to shut down McColo's California data center, as it did with Creative Internet.

Creative Internet was exceptionally brazen about its activities and that type of raid is unlikely to happen again, said Spamhaus' Cox. "You can't prove those sort of cases to a sufficient level to get it to a grand jury," he said. ISPs are almost always given a pass when this type of activity is discovered on their network because they can plausibly deny that they knew anything about it.

Robert McMillan

IDG News Service