Noise Filter: McColo Taken Down

Every now and then, a controversial issue triggers a flood of online discourse. For our Noise Filter feature, the WHIR pans the raging rivers of opinion for shining nuggets of useful commentary.

(WEB HOST INDUSTRY REVIEW) — Alleged host to some of the most prolific online criminals, web hosting provider McColo went offline last week when its upstream Internet providers cut off service to the company, reducing the global volume of spam by as much as 75 percent according to some estimates.

The Washington Post’s Security Fix blog has been watching McColo (www.mccolo.com) for the past four months, finding that the San Jose host may be hosting “some of the most disreputable cyber-criminal gangs in business today,” including purveyors of child pornography, anti-virus scams and malicious software that has stolen banking and credit card information from more than half a million people. Security Fix blogger Brian Krebs informed two of McColo’s upstream Internet providers, which subsequently cut off service to the host.

By the afternoon of November 11, 2008, the San Jose hosting company was all but offline, after which Internet security firm SophosLabs (www.sophos.com) recorded a decline of more than 75 percent in connections to its spamtrap mail servers. Similarly, security firm IronPort (www.ironport.com) reported a 70 percent drop in spam over a two-day period and MXLogic (www.mxlogic.com) a 50 percent reduction.


SpamCop Statistics for the past 31 days show a dramatic drop in spam following November 11.

While Brian Krebs’s Security Fix team and other security experts have been playing a valuable watchdog role in online monitoring, some bloggers have suggested that this “vigilante” activity is being fuelled by government apathy.

Security research community Hostexploit.com found that McColo came back online for roughly 24 hours from 9:30 EST on Saturday, November 15, reconnecting through a Telia node in Los Angeles, before being taken offline once more. In its recent Cyber Crime USA report, Hostexploit.com security researchers said the company has played “a key role in managing [the] world’s major botnets, and malware warehousing, which has been estimated as partially controlling 50 to 75 percent of the world’s spam.”

A Wednesday Washington Post report by Brian Krebs states that it is uncertain whether US law enforcement will act on McColo’s alleged negligence in hosting scams and illegal content, because the host may not be legally responsible for its clients’ activities. He said there is no evidence that McColo itself has committed any crime, noting that a hosting provider’s liability typically turns on whether it knew of the content.

In this installment of Noise Filter, we will look at what security researchers have found about McColo and what it means in the grand scheme of cyber-crime. We will also look at what this “bust” means for law enforcement agencies that seem to be letting citizens take online crime monitoring into their own hands.

Ross Thomas wrote in SophosLabs’ security blog:

Despite the recent reported shift by botnet operators from centralized IRC and HTTP-based C&C architectures to a more elusive peer-to-peer (P2P) model, it appears a large majority of extant spam-sending botnets still exhibit single points of failure that expose them to catastrophic damage by well-placed counter-attacks.

Significant success can be achieved by defenders of the global email infrastructure through complaints to those who provide Internet connectivity to so-called “rogue ISPs.” While it’s true that researchers have complained to McColo’s upstream providers in the past with no apparent effect, the most egregious offenders cannot escape mainstream notice indefinitely.

Bob Levin wrote in the Simple Hosting Online Blog:

Don’t think that this one event eliminated spam and malware on the Internet. It didn’t. Getting rid of one helps a lot, but there will be more that will pop up to take their place. It will always be with us. It was just a dent in the problem. It happened to be a very large dent, but only a dent. It’s like any crime. Just because it may be outlawed doesn’t mean that it will completely go away. They will regroup and reopen somewhere else. You always have to be aware and protect yourself from spam and Internet attacks.


This McAfee graph shows in detail the drop in spam emails following the shut-down of McColo.

In McAfee’s Avert Labs blog, research scientist and “Artemis geek” Chris Barton wrote:

Spam is just part of this story, though probably the most visual and media-friendly; please don’t see this ongoing situation as mostly spam related. Spam is simply the most visible tentacle of this octopus…. Enjoy the lower load averages while they last, though. This is no reason to rest, however; we’re still as busy as ever in the labs and we’re watching as intently as ever. The child porn sites are already on a transatlantic move, for instance, and we’ll be calling our colleagues at the IWF* today for sure.

(* Note: The IWF, the UK’s Internet Watch Foundation, is a hotline for reporting illegal online content, specifically child sexual abuse content and criminally obscene racial hate content intended to incite violence.)

In their Nov 18, 2008 “McColo – Cyber Crime USA Supplement” issue, Jart Armin and Paul Ferguson wrote:

It would appear the Telia node in Los Angeles was the one used to reconnect McColo, from Saturday, Nov 15 ’08, at approximately 9:30 EST, and was stopped on Sunday [at] 10:00.

How this came about was not Telia’s fault, as it is a common practice that Telia and many other carriers allow “bandwidth resellers,” in this case “Giglinx.com” … to cut deals and put an un-vetted ASN onto Telia’s network. The security departments of many carriers, including Telia, make thorough checks as to the reputation of regular and long-term clients. However, bandwidth resales are often temporary, and it is assumed the reseller has checked on the reputation. Therefore the bad guys take advantage of the bandwidth reselling, in this case Giglinx in LA.
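The pattern Armin and Ferguson describe, a network that loses its transit and then reappears behind a different carrier through a reseller, is visible in the global routing table as a prefix disappearing and coming back with a new AS path. The script below is an added example, not code from the WHIR article, Hostexploit or any of the researchers quoted here. It walks a series of constructed routing-table snapshots and reports when an origin ASN is withdrawn, when it reappears, and which (carrier, direct upstream) pair is now carrying it. All ASNs are from the RFC 5398 documentation range (64496–64511) and all prefixes from the RFC 5737 documentation blocks; none of them stands for McColo, Telia, Giglinx or any real network.

```python
"""Track an origin ASN across routing-table snapshots and flag new transit.

Added example; the snapshots are constructed. ASNs 64496-64511 are the RFC 5398
documentation range and the prefixes are RFC 5737 documentation blocks, chosen so
that nothing here can be mistaken for a real network.
"""
from collections import defaultdict

# Constructed RIB snapshots, one route per line: "<prefix> <AS path>", with the
# rightmost ASN being the origin. Snapshot 0 is before the cut-off, snapshot 1 is
# after the upstreams drop the customer, snapshot 2 is the reconnection via a
# reseller (64510) that has put the origin onto a new carrier (64499).
SNAPSHOTS = [
    """
    192.0.2.0/24 64500 64496 64511
    192.0.2.0/24 64501 64497 64511
    198.51.100.0/24 64500 64496 64511
    203.0.113.0/24 64502
    """,
    """
    203.0.113.0/24 64502
    """,
    """
    192.0.2.0/24 64500 64499 64510 64511
    203.0.113.0/24 64502
    """,
]


def parse_rib(text):
    """Return {prefix: {AS path as a tuple of ints, ...}} from a snapshot."""
    routes = defaultdict(set)
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        routes[parts[0]].add(tuple(int(asn) for asn in parts[1:]))
    return routes


def prefixes_of(origin, routes):
    """Prefixes whose AS path ends in `origin`."""
    return {p for p, paths in routes.items() if any(path[-1] == origin for path in paths)}


def transit_pairs(origin, routes):
    """(carrier, direct_upstream) pairs seen immediately left of `origin`.

    For '64500 64499 64510 64511' with origin 64511 the pair is (64499, 64510):
    64510 is the direct upstream (a reseller, say) and 64499 the carrier whose
    network actually provides the transit. Carrier is 0 when the path is too
    short to show one.
    """
    pairs = set()
    for paths in routes.values():
        for path in paths:
            if path[-1] != origin or len(path) < 2:
                continue
            carrier = path[-3] if len(path) >= 3 else 0
            pairs.add((carrier, path[-2]))
    return pairs


def track_origin(origin, snapshots):
    """Walk snapshots in order and emit (index, event, detail) tuples.

    Events: 'withdrawn' when the origin vanishes, 'reappeared' when it is back
    (detail = its prefixes), 'new_transit' when a (carrier, upstream) pair is seen
    for the first time after the initial snapshot (detail = the new pairs).
    """
    events = []
    seen_pairs = set()
    was_present = None
    for idx, text in enumerate(snapshots):
        routes = parse_rib(text)
        prefixes = prefixes_of(origin, routes)
        pairs = transit_pairs(origin, routes)
        present = bool(prefixes)
        if was_present is True and not present:
            events.append((idx, "withdrawn", ()))
        elif was_present is False and present:
            events.append((idx, "reappeared", tuple(sorted(prefixes))))
        new_pairs = pairs - seen_pairs
        if idx > 0 and new_pairs:
            events.append((idx, "new_transit", tuple(sorted(new_pairs))))
        seen_pairs |= pairs
        was_present = present
    return events


if __name__ == "__main__":
    for idx, event, detail in track_origin(64511, SNAPSHOTS):
        print(f"snapshot {idx}: {event} {detail}")
```

Run against the constructed snapshots, the tracker reports the origin withdrawn in snapshot 1, reappearing in snapshot 2, and carried by a (carrier, upstream) pair never seen before. In practice the snapshots would come from a route collector or a looking glass; the point of keeping the carrier as well as the direct upstream is that a complaint about a reseller's customer has to go to whoever actually owns the wire.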

Cedric Pernet wrote in Weblog Cert-Lexsi, a French IT blog:

McColo had two main ICQ contact addresses. One was registered under “McColo Sales” while the other was registered under “Alexey (McColo)” … Research on these two ICQ identities soon led us to a number of Russian underground forums. It seems they were posting on them on a regular basis. We thought they might be Russian and kept searching, finding some posts concerning adult content hosting, and found two other ICQ numbers associated with Alexey, or should I say “Alex” or “Alexey Bladewalker”?

Digging more, I found several messages indicating that the leader of McColo may have been dead since the 2nd or 3rd of September 2007. McColo might have been set up by a certain “Nikola,” information I couldn’t verify unfortunately, but which looks plausible. McColo supposedly died in a car crash, as the passenger of a BMW that was racing a Porsche Cayenne in the streets of Moscow. McColo was sitting in the front right seat of the BMW, while the driver was another well-known cyber-criminal, known as “Jax”.

Jaikumar Vijayan wrote in an article for Computerworld:

What’s remarkable about the McColo and Intercage shutdowns is that they weren’t initiated by law enforcement officials or via court order. Neither did they happen because either company was forced into bankruptcy or had other financial problems. Instead, both companies were forced offline when their upstream ISPs, acting upon information provided by security researchers, simply disconnected them and their customers from the Internet.

Behind the scenes of the McColo and Intercage cases, a ferocious struggle is taking place between the purveyors of Web-based malware and loosely aligned but highly committed groups of security researchers who are out to neutralize them.

Those who support these self-appointed Net police – and many do – dismiss any suggestions that the researchers are acting as online vigilantes and instead liken their efforts to Neighborhood Watch programs designed to keep city streets safe. Backers claim that the effort to shut down miscreant ISPs is needed because of the inability of law enforcement agencies to deal with a problem that is global in nature, as well as a lack of applicable laws both domestically and internationally.

Maxim Weinstein’s StopBadware Blog entry reads:

Even as I applaud the efforts of journalists and security researchers to cut off spammers and malware purveyors at the source, I wonder about who else is negatively affected by these takedowns. Surely McColo and previously-taken-down Intercage had legitimate customers, owners of websites and/or domain names that they used for their personal blogs, their small businesses, their family photo albums, and so on. What happened to those users when their providers and their sites suddenly became unavailable? This doesn’t necessarily make it wrong to shut down the providers, as the disease (spam, malware, etc., affecting potentially millions of people) is almost certainly worse than the cure. But it does raise the question of whether we can find ways to hit the bad guys where it hurts, without also hurting innocent bystanders.
