Hosting firm shutdown forces botnets to relocate

Criminals affected by plug-pulling already shifting operations, says researcher.

The shutdown Tuesday of a California-based hosting company not only knocked down spam volumes but has also put a dent in malware-spreading botnets and other criminal activity, researchers said today.

While cybercriminals will face some short-term difficulties as they are forced to relocate their operations, the relief will be only temporary for the world's Internet users, the researchers added.

McColo, the company that was cut off from the Web by its upstream Internet providers two days ago, hosted a staggering variety of cybercriminal activity, according to researchers familiar with its operation. Other than spewing out huge quantities of spam -- by some estimates, at times up to 75 percent of all spam -- McColo hosted the command-and-control servers of some of the biggest botnets, hosted child pornographic sites and domains that hustled users for money by scaring them into thinking that their PCs were infected with massive amounts of malware.

Among the world's largest botnets controlled from servers hosted by McColo, researchers have counted the Sinowal, Srizbi and Rustock networks.

The hosting service even harbored the server that RSA Security found that contained more than 500,000 stolen online bank and credit card accounts.

Paul Ferguson, a network architect at Trend Micro, was one of 10 security researchers who put years of work into investigating McColo and documenting its criminal activities. "The work goes back two years," said Ferguson. "We did our due diligence, and went through legitimate channels" in an attempt to get McColo to change its spots. "But they just played a shell game when they did respond, maybe change an IP address on one domain. They weren't serious. So we decided it was time to shine a light on the darkness."

Ferguson joined nine other researchers to publish a paper Wednesday called "McColo: Cyber Crime USA" that detailed their findings. The paper is available on the HostExploit.com site (download PDF).

Although the move may stymie online criminal activity for a time, and spam levels remained significantly lower today than before McColo's shutdown -- according to IronPort , spam volumes are down about 58 percent Thursday from Monday's numbers -- Ferguson and others were only cautiously optimistic.

"I completely expect the criminal operators that were 'pulling the strings' in McColo to redeploy their operations elsewhere," said Ferguson. "That's almost a given." Ferguson added that there are signs the criminals are already shifting their servers and domains to other hosting companies.

Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.

More about: IronPort, RSA, RSA, The Security Division of EMC, SecureWorks, Solace, Trend Micro
References show all
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: spam, botnets
Whitepapers
All whitepapers

TPG should pay rural levy for each FTTB service: NBN Co

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Sign up now to get free exclusive access to reports, research and invitation only events.

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia