It was only a matter of time before spam volume skyrocketed again, despite McColo's shutdown in November. Two weeks after the cybercrime-friendly ISP was disconnected from the Internet, spam volumes are increasing once again, as the main botnets that used it as a command and control location regain their strength by migrating to new hosting locations. Eager to capitalize on the upcoming holidays, spammers needed only two weeks to restore the operations of the botnets responsible for a large percentage of spam messages globally. The attached graph, courtesy of SpamCop.net's statistics, illustrates their motivation perfectly: weeks 45 and 46 mark McColo's demise, and weeks 47 and 48 show continuity planning in action.
Let's take a brief retrospective look at the two major clean-up operations against cybercrime-friendly ISPs in 2008, and discuss the continuity planning strategies the affected botnets took advantage of.
Following persistent reports issued by the security community over several months, at the end of September the California-based ISP Atrivo/Intercage was disconnected from the Internet by its upstream provider, causing only a brief disruption in spam levels. The clean-up continued, and in the middle of November the infamous cybercrime-friendly ISP McColo, which had been operating for years, was also disconnected from the Internet, resulting in the first major decline in spam volume in years.
With the botnet masters now unable to issue commands to the infected hosts, hundreds of thousands of bots were unsuccessfully attempting to fetch malicious instructions from a location that was no longer online. At first it seemed that the security community had caught them off guard, but it later became evident that the same marginal thinking applied by Atrivo/Intercage, which had been switching from one upstream provider to another throughout 2008, had proved itself once again. During the several hours in which McColo was brought back online, the botnet masters issued new commands, making McColo's existence irrelevant to the overall continuity of the botnets' operations. The owners of some of the botnets that used McColo as their main command and control server then began regaining control of them, with Srizbi attempting to migrate to an Estonian ISP and Rustock to LayeredTech.
According to the most recent stats from Marshal's TRACE team, of all the botnets that used to operate out of McColo, Mega-D has so far been the only one not merely to resume operations but to engage in more aggressive spamming than ever, currently accounting for 44.9% of spam activity, the largest share from a single botnet. As long as the spammers and their customer base are not facing the music, it will remain a game of cat and mouse.