Spammers look east after McColo shutdown

Zombie networks likely to resurface in two weeks


Analysis One week after rogue ISP McColo was shut down spam levels have yet to return to normality. But security experts are under no illusions that this represents anything more than a temporary reprieve, which will probably come accompanied by a change in tactics by spammers.

The volume of spam in circulation fell by as much as two thirds after upstream providers pulled the plug on McColo, which harboured many of the command and control servers that controlled the world's spam distribution. Immediately prior to McColo’s shut down, these three botnets were ranked first, second and fifth the world’s most prolific sources of spam, altogether responsible for nearly 70 per cent of junk mail, according to net security firm Marshal8e6.

McColo hosted the command and control infrastructure for three of the world’s most prolific spam botnets: Srizbi, Mega-D and Rustock. IT systems were also used to peddle porn, support credit card fraud and other nefarious cybercrime activities.

These operations were too profitable to be abandoned, so its no surprise that backup connectivity systems were used over the following weekend to hand over control of compromised systems to servers in Russia. Security watchers reckon that the shutdown of McColo - which follows clampdowns against EstDomains and Intercage, other ISPs criticised for hosting dubious customers - will encourage cybercrooks to look east.

"I suspect that these botherds will now move offshore to 'safer' bulletproof hosting in China or Russia. Though this might be a problem for their bandwidth requirements into the US," said Matt Sergeant, senior antispam technologist for MessageLabs, referring to the relative lack of bandwidth available from Chinese servers.

Command and control servers play an important role in managing compromised (zombie) clients. Infected machines contact control servers periodically to get updated instructions and spamming templates. Decentralised P2P control systems were used by the Storm worm, for example, and the closure of command and control systems for more centrally controlled botnets may spur a more decentralised approach in future.

The industralisation of spam distribution has meant that junk mail distribution is no longer the cottage garage industry it might have been five or 10 years ago. This has meant that targeted action by the law enforcement and IT security communities can have a palpable effect on spam.

A few security firms dispute the consensus that the shutdown of McColo had a huge effect on spam volumes.

Cloudmark, which provides spam filtering services to some of the world's largest service providers, said the McColo shutdown hit small-fry spam distributors while leaving the Mr Bigs of junk mail largely unaffected.

The filtering firm saw a reduction in the number of IP connections when McColo was removed but not much change in spam volumes. "The mediocre, easy to target spammers have less traffic trying to break into the large ISPs but the really nasty spammers who make millions of dollars are the ones that the high-profile ISPs receive the bulk of their spam from. It is these spammers that were unaffected by the disconnection of McColo," it said.

Displacement effect

So does shutting down the likes of McColo, EstDomains and Intercage just a game of "whack-a-mole" does it have an effect on the amount of spam hitting users' inboxes?

"The real aim here is to increase the cost of operating a spam economy so that spammers get out of the game. If we can keep spammers off low-cost, high-bandwidth US colo providers and force them offshore this will increase their costs and hopefully make it much harder for them to spam," said MessageLabs' Sergeant.

Jose Nazario, a security analyst at Arbor Networks, pointed out that an effect on spam distribution, even if it's short-lived, is "useful as a sign to law enforcement that these guys really do hang out in one or two places, and maybe it's worth going after them".

Nazario agreed that unscrupulous hosts were likely to step into the gap vacated by McColo but this didn't make enforcement efforts any less worthwhile. "Any gains are, so far, temporary. So we begin anew, tracking badness and hotbeds of nefarious activity," Nazario told El Reg.

The shutdown of the McColo spam control systems meant, for the first time this year, that China eclipsed the US as the primary source of spam, according to managed security firm, Network Box. China now produces more spam than any other country in the world.

Simon Heron, internet security analyst at Network Box, added that malware levels have also dropped since the McColo shutdown. "We’ve also seen a significant drop in emails containing viruses and phishing attacks. This indicates that McColo’s servers were also used to distribute malicious emails containing viruses, and not just the usual junk marketing mail," he said.

Heron agrees with other observers that the spam operators who used McColo are likely to reappear in a matter of weeks on the other side of the world. “McColo came back online briefly over last weekend, most likely uploading all the command and control software required to run the botnets. So we’d expect spam to be back to usual levels in a couple of weeks using servers based in Russia," he said. ®

Similar topics

Broader topics


Other stories you might like

  • Elon Musk says Twitter buy 'cannot move forward' until spam stats spat settled
    A stunning surprise to no one in this Solar System

    Elon Musk said his bid to acquire and privatize Twitter "cannot move forward" until the social network proves its claim that fake bot accounts make up less than five per cent of all users.

    The world's richest meme lord formally launched efforts to take over Twitter last month after buying a 9.2 per cent stake in the biz. He declined an offer to join the board of directors, only to return asking if he could buy the social media platform outright at $54.20 per share. Twitter's board resisted Musk's plans at first, installing a "poison pill" to hamper a hostile takeover before accepting the deal, worth over $44 billion.

    But then it appears Musk spotted something in Twitter's latest filing to America's financial watchdog, the SEC. The paperwork asserted that "fewer than five percent" of Twitter's monetizable daily active users (mDAUs) in the first quarter of 2022 were fake or spammer accounts, which Musk objected to: he felt that figure should be a lot higher. He had earlier proclaimed that ridding Twitter of spam bots was a priority for him, post-takeover.

    Continue reading
  • Enemybot botnet uses Gafgyt source code with a sprinkling of Mirai
    Keksec malware used for DDoS attacks, may spread to cryptomining, Fortinet says

    A prolific threat group known for deploying distributed denial-of-service (DDoS) and cryptomining attacks is running a new botnet that is built using the Linux-based Gafgyt source code along with some code from the Mirai botnet malware.

    The group Keksec (also known as Nero and Freakout) is using the fast-evolving Enemybot to target routers from vendors like Seowon Intech and D-Link and is exploiting a remote code execution (RCE) vulnerability (CVE-2022-27226) discovered last month in iRZ mobile routers, according to a report this week by Fortinet's FortiGuard Labs team.

    Keksec is using the Enemybot malware as a classic botnet, rolling up compromised Internet of Things (IoT) devices into a larger botnet that can be used to launch DDoS attacks.

    Continue reading
  • Emotet reestablishes itself at the top of the malware world
    Botnet infrastructure shut down last year, now central to a fast-spreading email scam, researchers say

    More than a year after essentially being shut down, the notorious Emotet malware operation is showing a strong resurgence.

    In a March threat index, Check Point researchers put the Windows software nasty at the top of its list as the most widely deployed malware, menacing or infecting as much as 10 percent of organizations around the globe during the month – a seemingly unbelievable estimate, and apparently double that of February.

    Now Kaspersky Labs says a rapidly accelerating and complex spam email campaign is enticing marks with fraudulent messages designed to trick one into unpacking and installing Emotet or Qbot malware that can steal information, collect data on a compromised corporate network, and move laterally through the network and install ransomware or other trojans on networked devices.

    Continue reading
  • Microsoft-led move takes down ZLoader botnet domains
    That should keep the criminals offline for, well, weeks probably

    Microsoft has announced a months-long effort to take control of 65 domains that the ZLoader criminal botnet gang has been using to spread the remote-control malware and orchestrate infected machines.

    The tech giant's Digital Crimes Unit obtained a court order from a US federal judge in Georgia to take down the domains, which are now directed to a Microsoft-controlled sinkhole so they can't be used by the malware's masterminds to communicate with their botnet of commandeered Windows computers.

    From what we can tell from the filings submitted by Microsoft to the courts, its justification for the seizure is that ZLoader used the domains to injure the Windows giant as well as residents of the US state and commit computer fraud, infringement of Microsoft trademarks, and other illegal activity. The trademark infringement being that at least one of the domains was used for a website that featured Microsoft trademarks in an attempt to masquerade as a legit Redmond site, and also references in phishing emails to Microsoft-trademarked programs, such as Excel.

    Continue reading

Biting the hand that feeds IT © 1998–2022