Posts tagged as: McColo

Brian Krebs at The Washington Post reports.
Retail Fraud Rates Plummeted the Night McColo Went Offline

Ori Eisen, founder of 41st Parameter, a company providing anti-fraud consulting to a number of big retailers and banks, informed Krebs that at least two of the largest retailers his company serves saw massive declines in fraud rates directly following McColo's takedown.

Think about close to a quarter of a million dollars' worth of fraudulent charges that his customers faced every day, and that's huge.

Also by Brian Krebs: Web Fraud 2.0: Faking Your Internet Address


Srizbi spam botnet resurrected, in time for the holidays

by certifiedbug on November 26, 2008

in Security

Two articles of note:
Brian Krebs at The Washington Post: Spam Volumes Expected to Rise with Botnet Resurrection.

Atif Mushtaq and Alex Lanstein at FireEye: Srizbi control regained by original owner

The new Command and Control servers are located in Estonia, and the domains registered through a registrar in Russia.

I have already noticed an increase over the past 24 hours.

Update, Washington Post.
Srizbi Botnet Re-Emerges Despite Security Firm’s Efforts


McColo. Exploiting un-vetted bandwidth reselling

by certifiedbug on November 18, 2008

in Security

McColo, estimated to host the command-and-control servers for at least five large botnets, briefly regained connectivity Saturday for approximately 12-24 hours.

This happened after a Los Angeles-based reseller named Giglinx sold bandwidth from the Swedish internet service provider TeliaSonera to the bad guys.

The reconnection opened the door, enabling a partial update of the botnet and pushing as much as 15 MB of data per second to servers located in Russia, before Telia quickly pulled the plug.

Jart Armin & Paul Ferguson.
Report Supplement; McColo – Exploiting the security flaw in un-vetted bandwidth reselling Version 2.1 Nov 18th 08 (PDF)

HostExploit also has a video presentation mapping McColo's attempt to reconnect to the internet on November 15/16, 2008.
http://hostexploit.com/index.php?option=com_content&view=article&id=25&Itemid=34

FireEye Malware Intelligence Lab’s blog has a map showing the masses of Srizbi Bots.
http://blog.fireeye.com/research/2008/11/not-to-sound-the-panic-alarm.html#more



Spamhaus remarks on McColo

by certifiedbug on November 17, 2008

in Security

Spamhaus.

McColo is a bit different from Intercage/Atrivo in that although the IP addresses were from the N. American registry ARIN and were routed in the US, and the company used US postal addresses, the person or persons controlling the operation are based in Moscow, Russia.

We recommend anyone who saw more than a 30% reduction look into employing some sort of SMTP connection filtering as this drop in botnet spam, nice as it is, will not last. Investigators report that many of the C&C servers at McColo were originally hosted at Intercage/Atrivo. Even now, several of the C&C functions are migrating to hosting closer to the homes of the botmasters: Russia.

Complete article: Another one bytes the dust

Certifiedbug, November 13, 2008. McColo on the move?


McColo on the move?

by certifiedbug on November 13, 2008

in Security

The CIDR Report still shows AS26780 with its one upstream:

CIDR Report for AS26780
26780 MCCOLO - McColo Corporation
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS3549 GBLX Global Crossing Ltd.

Steve Linford from Spamhaus responding to a topic at Google Groups,
McColo Corp

Andreas Kohlbach wrote:

> Mccolo will (under a different name) find a new peer at some
> point, or already has, and in a couple of hours or days all is back where
> it was.

They already have, McColo are now coming back up on retn.net (AKA
Eltel, the old timers will remember that name, a very dirty Russian
network well known for hosting spammers and malware).

Which is a pity, as spam volumes dropped by 30% after McColo went off
the net late Tuesday as vast amounts of bots could no longer contact
their control boxes on McColo IPs and whole botnets went dark. Eltel
(retn.net) will be reactivating the McColo IPs anytime now allowing
the botnets to contact their masters and the spam will flow again.

Spamhaus is preparing to SBL Eltel (retn.net) as soon as we have
confirmation that they have brought McColo’s botnet control machines
back on line.

Steve Linford
The Spamhaus Project
http://www.spamhaus.org

Updates
Washington Post, A Closer Look at McColo

TRACE Blog
Srizbi Stopped, for now

FireEye Malware Intelligence Lab
http://blog.fireeye.com/research/2008/11/index.html


McColo Corp downed, spam down

by certifiedbug on November 12, 2008

in Security

The stats at Spamcop and MxLogic, along with my own spam filter, make me a believer in the researchers' claim that McColo provided the connectivity responsible for half the world's spam.

No doubt the cyber crooks who lost their botnet’s ‘command and control’ servers will resume business somewhere else, but right now we can enjoy the temporary drop in spam.

Let’s not forget the child pornography (child abuse) vendors. At least 40 websites, nameservers or payment services used for child pornography were recently found to be hosted by McColo, according to HostExploit’s Report (PDF)

Third "Bad ISP" Dissolves — McColo Gone
Jose Nazario writes that in Arbor Networks' own database they have been tracking a few dozen botnets that phoned home to McColo IPs, as well as nearly 1,000 distinct URLs from hundreds of different malcode samples.

These guys ran a dirty operation.

As with Atrivo/Intercage, McColo relied on US transit peers.


McColo Cyber Crime USA

by certifiedbug on November 12, 2008

in Security

HostExploit’s Cyber Crime Series - Version 2.0

This second CYBER CRIME USA report highlights those Internet players that currently host the world's major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography. This study from HostExploit.com is based on tracking and documenting ongoing cyber criminal activity.

HostExploit Report (PDF)

Certifiedbug, August 28, 2008. Cyber Crime USA

GarWarner, November 12, 2008. Internet Landfill: McColo Corporation

Certifiedbug, November 12, 2008. McColo Corp down for the count


McColo Corp down for the count

by certifiedbug on November 12, 2008

in Security

Brian Krebs at the Washington Post reports,

A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network.

1) Major Source of Online Scams and Spams Knocked Offline

2) Host of Internet Spam Groups is Cut Off
“This story was updated from an earlier version to clarify McColo’s role in hosting of suspicious sites.”

Certifiedbug,

Spamcop stats, week.

I doubt that is a coincidence, more later.

Edit: Spamcop, 24 hours.

CIDR Report for AS26780
Global Crossing still shows a listing.
“26780 MCCOLO - McColo Corporation
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS3549 GBLX Global Crossing Ltd.”

FireEye Malware Intelligence Lab, 2008.10.26.

If you look back in our articles, you’ll see a fairly deep connection between Malware, Botnets, and McColo. With the shutdown of Atrivo, McColo seems to be the frontrunner for Botnet/Malware hosting -

Rogue.AntiVirus2009 hosted by McColo
