by certifiedbug on December 15, 2008
in Security
Spamhaus.
McColo is a bit different from Intercage/Atrivo in that although the IP addresses were from the N. American registry ARIN, were routed in the US, and the company used US postal addresses, the person or persons controlling the operation are based in Moscow, Russia.
We recommend anyone who saw more than a 30% reduction look into employing some sort of SMTP connection filtering as this drop in botnet spam, nice as it is, will not last. Investigators report that many of the C&C servers at McColo were originally hosted at Intercage/Atrivo. Even now, several of the C&C functions are migrating to hosting closer to the homes of the botmasters: Russia.
Complete article: Another one bytes the dust
Certifiedbug, November 13, 2008. McColo on the move?
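The Spamhaus article quoted above recommends SMTP connection filtering because the drop in botnet spam will not last. The following is an added example, not code from this blog or from Spamhaus, of the kind of connection-time check that recommendation points at: the connecting client's IPv4 address is reversed and looked up in a DNS-based blocklist zone (the Spamhaus ZEN zone and its documented 127.0.0.x return codes are used as the assumed zone; the resolver is injectable so the example runs offline against constructed answers). The addresses, the constructed answer table and the `constructed_resolver` helper are made up for this example.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Spamhaus ZEN answer codes (per Spamhaus documentation; assumption for this example).
ZEN_CODES = {
    "127.0.0.2": "SBL (known spam source)",
    "127.0.0.3": "SBL CSS (snowshoe spam)",
    "127.0.0.4": "XBL (compromised/botnet host)",
    "127.0.0.10": "PBL (ISP policy: dynamic/end-user range)",
    "127.0.0.11": "PBL (Spamhaus-maintained policy range)",
}
# Spamhaus signals lookup problems (e.g. open-resolver use, query limits) with 127.255.255.x.
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")

# Addresses that are never queried: they are not routable senders on the public Internet.
LOCAL_NETS = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL query name: octets reversed, then the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Real A-record lookup; an NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def check_connecting_ip(ip: str, resolve: Resolver = system_resolver,
                        zone: str = "zen.spamhaus.org") -> Dict:
    """Decide accept/reject for a connecting SMTP client based on the blocklist answer."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return {"ip": ip, "action": "accept", "listings": [], "reason": "local address, not queried"}

    answers = resolve(dnsbl_query_name(ip, zone))
    if any(ipaddress.IPv4Address(a) in ERROR_NET for a in answers):
        # Fail open: a lookup error must not block all inbound mail.
        return {"ip": ip, "action": "accept", "listings": [], "reason": "DNSBL lookup error"}

    listings = [ZEN_CODES[a] for a in answers if a in ZEN_CODES]
    if listings:
        return {"ip": ip, "action": "reject", "listings": listings,
                "reason": "listed in " + zone}
    return {"ip": ip, "action": "accept", "listings": [], "reason": "not listed"}


def smtp_response(result: Dict) -> str:
    """Banner-stage reply an MTA would send for the decision (5xx rejects before DATA)."""
    if result["action"] == "reject":
        return "554 5.7.1 Service unavailable; client host [%s] blocked: %s" % (
            result["ip"], "; ".join(result["listings"]))
    return "220 mail.example.invalid ESMTP"


# Constructed answers standing in for the DNS zone (TEST-NET addresses, no real listings).
CONSTRUCTED_ANSWERS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.2"],                # constructed: SBL-listed sender
    dnsbl_query_name("192.0.2.20"): ["127.0.0.4", "127.0.0.10"],  # constructed: bot on a dynamic range
    dnsbl_query_name("192.0.2.30"): [],                           # constructed: clean host
    dnsbl_query_name("192.0.2.40"): ["127.255.255.254"],          # constructed: lookup error code
}


def constructed_resolver(name: str) -> List[str]:
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "10.0.0.5"):
        r = check_connecting_ip(client, constructed_resolver)
        print(client, r["action"], r["reason"], "->", smtp_response(r))
```

The check is done at connection time so a listed bot is refused before it can transmit a message body, which is what keeps the load off the content filters when the botnets come back. Failing open on the 127.255.255.x error codes is deliberate: a zone that answers every query with an error (for instance when it is reached through a public resolver it refuses to serve) must not turn into a self-inflicted mail outage.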
by certifiedbug on November 13, 2008
in Security
This still shows.
CIDR Report for AS26780
26780 MCCOLO - McColo Corporation
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS3549 GBLX Global Crossing Ltd.
Steve Linford from Spamhaus responding to a topic at Google Groups,
McColo Corp
Andreas Kohlbach wrote:
> Mccolo will (under a different name) find a new peer at some
> point, or already has, and in a couple of hours or days all is back where
> it was.
They already have, McColo are now coming back up on retn.net (AKA
Eltel, the old timers will remember that name, a very dirty Russian
network well known for hosting spammers and malware).
Which is a pity, as spam volumes dropped by 30% after McColo went off
the net late Tuesday as vast amounts of bots could no longer contact
their control boxes on McColo IPs and whole botnets went dark. Eltel
(retn.net) will be reactivating the McColo IPs anytime now allowing
the botnets to contact their masters and the spam will flow again.
Spamhaus is preparing to SBL Eltel (retn.net) as soon as we have
confirmation that they have brought McColo’s botnet control machines
back on line.
Steve Linford
The Spamhaus Project
http://www.spamhaus.org
Updates
Washington Post, A Closer Look at McColo
TRACE Blog
Srizbi Stopped, for now
FireEye Malware Intelligence Lab
http://blog.fireeye.com/research/2008/11/index.html
by certifiedbug on November 12, 2008
in Security
The stats at Spamcop and MxLogic, along with my own spam filter, make me a believer in the claim of researchers that McColo provided the connectivity responsible for half the world’s spam.
No doubt the cyber crooks who lost their botnet’s ‘command and control’ servers will resume business somewhere else, but right now we can enjoy the temporary drop in spam.
Let’s not forget the child pornography (child abuse) vendors. At least 40 websites, nameservers or payment services used for child pornography were recently found to be hosted by McColo, according to HostExploit’s Report (PDF).
Third “Bad ISP” Dissolves — McColo Gone
Jose Nazario writes that in Arbor Networks’ own database they have been tracking a few dozen botnets that phoned home to McColo IPs, and also nearly 1000 distinct URLs from hundreds of different malcode samples.
These guys ran a dirty operation.
As with Atrivo/Intercage, McColo relied on US transit peers.
by certifiedbug on November 12, 2008
in Security
HostExploit’s Cyber Crime Series - Version 2.0
This second CYBER CRIME USA report highlights those Internet players that currently host the world’s major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography. This study from HostExploit.com is based on tracking and documenting ongoing cyber criminal activity.
HostExploit Report (PDF)
Certifiedbug, August 28, 2008. Cyber Crime USA
GarWarner, November 12, 2008. Internet Landfill: McColo Corporation
Certifiedbug, November 12, 2008. McColo Corp down for the count
by certifiedbug on November 12, 2008
in Security
Brian Krebs at the Washington Post reports,
A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network.
1) Major Source of Online Scams and Spams Knocked Offline
2) Host of Internet Spam Groups is Cut Off
“This story was updated from an earlier version to clarify McColo’s role in hosting of suspicious sites.”
Certifiedbug,

Spamcop stats, week.

I doubt that is a coincidence, more later.
Edit: Spamcop, 24 hours.

CIDR Report for AS26780
Global Crossing still shows a listing.
“26780 MCCOLO - McColo Corporation
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS3549 GBLX Global Crossing Ltd.”
FireEye Malware Intelligence Lab, 2008.10.26.
If you look back in our articles, you’ll see a fairly deep connection between Malware, Botnets, and McColo. With the shutdown of Atrivo, McColo seems to be the frontrunner for Botnet/Malware hosting -
Rogue.AntiVirus2009 hosted by McColo