McColo. Exploiting un-vetted bandwidth reselling

by certifiedbug on November 18, 2008

in Internet Security

McColo, estimated to host the command-and-control servers for at least five large botnets, briefly regained connectivity on Saturday (November 15, 2008) for roughly 12 to 24 hours.

It did so after a Los Angeles-based reseller, Giglinx, sold it bandwidth from the Swedish internet service provider TeliaSonera; the reseller put McColo back online without vetting who its customer was.

During that window McColo's operators were able to push a partial update to the botnet and send as much as 15 MB of data per second to servers in Russia before Telia pulled the plug.

Jart Armin and Paul Ferguson, Report Supplement: McColo – Exploiting the security flaw in un-vetted bandwidth reselling, version 2.1, 18 November 2008 (PDF).

HostExploit also has a video presentation mapping McColo's attempt to reconnect to the internet on November 15-16, 2008:
http://hostexploit.com/index.php?option=com_content&view=article&id=25&Itemid=34

FireEye Malware Intelligence Lab's blog has a map showing the mass of Srizbi bots:
http://blog.fireeye.com/research/2008/11/not-to-sound-the-panic-alarm.html#more
