McColo

Looking back at McColo

by certifiedbug on November 13, 2009

in Internet Security

Brian Krebs, Security Fix
A year later: A look back at McColo

A year ago today, the Internet community witnessed a remarkable event: The unplugging of McColo, a Web hosting facility in Northern California that for a long time controlled a majority of the spam-sending operations on the planet. McColo’s two main Internet providers abruptly yanked the cord after Security Fix presented them with scads of evidence collected by security researchers tying massive amounts of spam and other illicit activity to McColo’s network.

http://certifiedbug.com/blog/tag/mccolo/

FireEye Labs: Smashing the Mega-d/Ozdok botnet in 24 hours


Brian Krebs at The Washington Post reports.
Retail Fraud Rates Plummeted the Night McColo Went Offline

Ori Eisen, founder of 41st Parameter, a company providing anti-fraud consulting to a number of big retailers and banks, informed Krebs that at least two of the largest retailers his company serves saw massive declines in fraud rates directly following McColo’s take down.

Consider that his customers faced close to a quarter of a million dollars' worth of fraudulent charges every day; that is a huge drop.

Also by Brian Krebs: Web Fraud 2.0: Faking Your Internet Address


Two articles of note:
Brian Krebs at The Washington Post: Spam Volumes Expected to Rise with Botnet Resurrection.

Atif Mushtaq and Alex Lanstein at FireEye: Srizbi control regained by original owner

The new command-and-control servers are located in Estonia, and the domains were registered through a registrar in Russia.

I have already noticed an increase over the past 24 hours.

Update, Washington Post.
Srizbi Botnet Re-Emerges Despite Security Firm’s Efforts


McColo, estimated to host the command-and-control servers for at least five large botnets, briefly regained connectivity Saturday for approximately 12-24 hours.

This happened after a Los Angeles-based reseller named Giglinx sold bandwidth from the Swedish Internet service provider TeliaSonera to the operators.

The reconnection opened the door, enabling a partial update of the botnet and pushing as much as 15MB of data per second to servers located in Russia, before Telia quickly pulled the plug.

Jart Armin & Paul Ferguson.
Report Supplement: McColo – Exploiting the security flaw in un-vetted bandwidth reselling, Version 2.1, Nov 18th 2008 (PDF)

HostExploit also has a video presentation mapping McColo’s attempt to reconnect to the Internet on November 15/16, 2008.
http://hostexploit.com/index.php?option=com_content&view=article&id=25&Itemid=34

FireEye Malware Intelligence Lab’s blog has a map showing the masses of Srizbi Bots.
http://blog.fireeye.com/research/2008/11/not-to-sound-the-panic-alarm.html#more



Spamhaus remarks on McColo

November 17, 2008

Spamhaus: McColo is a bit different from Intercage/Atrivo in that although the IP addresses were from the North American registry ARIN and were routed in the US, and the company used US postal addresses, the person or persons controlling the operation are based in Moscow, Russia. We recommend anyone who saw more than a 30% reduction [...]


McColo on the move?

November 13, 2008

This still shows. CIDR Report for AS26780:
26780 MCCOLO – McColo Corporation
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list: AS3549 GBLX Global Crossing Ltd.
Steve Linford from Spamhaus, responding to a topic at Google Groups, McColo Corp. Andreas Kohlbach wrote:
> Mccolo will (under a different name) find a new peer at [...]


McColo Corp downed, spam down

November 12, 2008

The stats at Spamcop and MxLogic, along with my own spam filter, make me a believer in the researchers' claim that McColo provided the connectivity responsible for half the world’s spam. No doubt the cyber crooks who lost their botnets' ‘command and control’ servers will resume business somewhere else, but right now we can [...]


McColo Cyber Crime USA

November 12, 2008

HostExploit’s Cyber Crime Series – Version 2.0. This second CYBER CRIME USA report highlights those Internet players that currently host the world’s major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography. This study from HostExploit.com is based on tracking and documenting ongoing cyber [...]


McColo Corp down for the count

November 12, 2008

Brian Krebs at the Washington Post reports: A U.S.-based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network. 1) Major [...]
