With or without McColo, spam volume increasing again


Summary: It was only a matter of time before spam volume skyrocketed again, despite McColo's shutdown in November. Two weeks after the cybercrime-friendly ISP was disconnected from the Internet, spam volumes are increasing once again, with the main botnets that used it as a command and control location regaining their strength by migrating to new hosting locations.


Attempting to capitalize on the upcoming holidays, spammers took just two weeks to restore operations of the botnets responsible for a huge percentage of spam messages globally. The attached graph, courtesy of SpamCop.net's statistics, perfectly illustrates their motivation, with weeks 45 and 46 marking McColo's demise, and weeks 47 and 48 demonstrating continuity planning in action.

Let's take a brief retrospective look at the two major cybercrime-friendly ISP clean-up operations in 2008, and discuss the continuity planning strategies they took advantage of.

Following persistent reports issued by the security community for months, at the end of September the California-based ISP Atrivo/Intercage was disconnected from the Internet by its upstream provider, causing only a brief disruption in spam levels. The clean-up operation continued, and in the middle of November the infamous cybercrime-friendly ISP McColo, which had been operating for years, was also disconnected from the Internet, resulting in the first major spam decline in years.

With the botnet masters now unable to issue commands to the infected hosts, hundreds of thousands of bots were unsuccessfully attempting to receive malicious instructions from a location that was no longer online. At first it seemed that the security community had caught them off guard, but at a later stage it became evident that the very same marginal thinking applied by Atrivo/Intercage, which had been switching from one upstream provider to another throughout 2008, had proved itself once again. During the several hours in which they managed to get McColo back online, the botnet masters issued new commands, making McColo's existence irrelevant to the overall continuity of the botnets' operations. The owners of some of the botnets that used McColo as their main command and control server then briefly started regaining control of them, with Srizbi attempting to migrate to an Estonian ISP, and Rustock to LayeredTech.

According to the most recent stats from Marshal's TRACE team, of all the botnets that used to operate at McColo, Mega-D has so far been the only one not just to resume its operations but to engage in more aggressive spamming than ever, currently accounting for 44.9% of spam activity, the largest share from a single botnet. As long as the spammers and their customer base aren't facing the music, it will simply remain a game of cat and mouse.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

3 comments
  • Proposal

    Let's start sending all paper mail with no envelopes.
    Why not? What's that you say? Privacy? Hmmm. That's reasonable.

    Then, maybe we should send emails enclosed in 'envelopes', Yes?

    What a great idea! Envelopes. (I kid.)

    Seriously, what is obvious to me is that we are NOT taking privacy seriously where email is concerned.

    [b]Remedy: Federally Mandate PGP, GnuPG, S/MIME email encryption.[/b]

    The key word is 'Mandate'. If ISPs can assume that the requisite enclosure (encrypted, signed certificate) is used (a simple test of the MIME header) then all spam mail gets shunted.

    [b]Side effects:[/b]

    MIME sender address cannot be tampered with.

    The channel for email becomes a closed loop where senders and recipients can communicate confidently without fear of opening spam and maintain guaranteed privacy.

    Think of it as being like a VPN for email. Yeh, Yeh, that's right.

    DNSSEC does the same thing for DNS transactions, ensuring your DNS requests are indeed being sent to a bona fide DNS server.

    Read my blog and decide for yourselves:

    o [url=http://www.dtschmitz.com/dts/2008/08/pgp-empowerment-and-your-privacy.html]PGP: Empowerment and Your Privacy[/url]
    o [url=http://www.dtschmitz.com/dts/2008/11/still-sending-naked-email-get-your-protection-here.html]Still sending naked email? Get your protection here[/url]

    Right now all email is going without 'envelopes' (clear text--readable by anyone). Oh dear. That's not good.

    Not something you'd do with regular mail. Think about it.

    Privacy. It's your right, folks.
    no_zd_user_name
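The commenter above proposes that an ISP could shunt any message that lacks a signed or encrypted MIME enclosure by doing "a simple test of the MIME header". The block below is an added illustration of what that test looks like in practice; it is not code from the article, its author, or the commenter. It classifies a message by the top-level Content-Type conventions that S/MIME (RFC 8551) and PGP/MIME (RFC 3156) use, and then checks that the signature part is actually present, which the header alone does not prove. The sample messages are constructed. The check is purely structural: it does not verify any signature, so on its own it only confirms that a message is shaped like signed or encrypted mail, not that it came from whom it claims.

```python
"""Structural check for S/MIME and PGP/MIME enclosures (illustrative, added example).

Classifies a raw RFC 5322 message by its top-level Content-Type and, for
multipart/signed, confirms the detached signature part exists. No signature
verification is performed; that requires the signer's certificate or key.
"""
from email import message_from_string
from email.message import Message

# Assumed sample messages, constructed for this example (not real traffic).
PLAIN_SPAM = (
    "From: offers@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Holiday deals\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Buy now!\r\n"
)

SMIME_SIGNED = (
    "From: alice@example.invalid\r\n"
    "To: bob@example.invalid\r\n"
    "Subject: Signed note\r\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "hello\r\n"
    "--b1\r\n"
    'Content-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "MIIB...placeholder...\r\n"
    "--b1--\r\n"
)

PGP_ENCRYPTED = (
    "From: alice@example.invalid\r\n"
    "To: bob@example.invalid\r\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="b2"\r\n'
    "\r\n"
    "--b2\r\n"
    "Content-Type: application/pgp-encrypted\r\n"
    "\r\n"
    "Version: 1\r\n"
    "--b2\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "-----BEGIN PGP MESSAGE-----\r\nplaceholder\r\n-----END PGP MESSAGE-----\r\n"
    "--b2--\r\n"
)

# A header that merely claims to be signed, with no signature part at all.
FORGED_SIGNED_HEADER = (
    "From: offers@example.invalid\r\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' boundary="b3"\r\n'
    "\r\n"
    "--b3\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Buy now!\r\n"
    "--b3--\r\n"
)


def classify_envelope(raw: str) -> str:
    """Return a label derived only from the top-level Content-Type header."""
    msg: Message = message_from_string(raw)
    ctype = msg.get_content_type()  # normalised "type/subtype"
    protocol = (msg.get_param("protocol") or "").lower()
    smime_type = (msg.get_param("smime-type") or "").lower()

    if ctype == "multipart/signed":
        if protocol == "application/pkcs7-signature":
            return "smime-signed"
        if protocol == "application/pgp-signature":
            return "pgp-signed"
        return "signed-unknown-protocol"
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # enveloped-data = encrypted; signed-data = opaque signed
        return "smime-" + (smime_type or "unknown")
    return "plain"


def signature_part_present(raw: str) -> bool:
    """For multipart/signed, confirm the second body part carries the declared protocol."""
    msg: Message = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed" or not msg.is_multipart():
        return False
    parts = msg.get_payload()
    protocol = (msg.get_param("protocol") or "").lower()
    return len(parts) == 2 and parts[1].get_content_type() == protocol


def should_shunt(raw: str) -> bool:
    """The commenter's policy: shunt anything that is not a well-formed cryptographic enclosure."""
    label = classify_envelope(raw)
    if label == "plain":
        return True
    if label.endswith("-signed"):
        return not signature_part_present(raw)
    return False


if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_SPAM), ("smime", SMIME_SIGNED),
                         ("pgp", PGP_ENCRYPTED), ("forged", FORGED_SIGNED_HEADER)]:
        print(name, classify_envelope(sample), "shunt" if should_shunt(sample) else "deliver")
```

Run as a script to see each sample classified. The forged sample shows why the header test alone is not enough: it is labelled "smime-signed" by the header check and is only rejected because the signature part is missing. A real deployment would go further and verify the signature against a trusted certificate or key before treating the message as authenticated.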
  • How about a "Spammer" season

    One week every year where it's open season on spammers: the hunter who shoots the biggest spammer wins a million bucks.

    NAB :-)
    nabisho
  • RE: With or without McColo, spam volume increasing again

    Great!!! Thanks for sharing this information with us!
    <a href="http://www.yuregininsesi.com">seslisohbet</a> <a href="http://www.yuregininsesi.com">seslichat</a>
    birumut