IT Security & Network Security News & Reviews - eWeek




Botnet Operators Likely to Change Tactics in Wake of McColo, Intercage ISP Shutdowns






Botnet operators may change their tactics due to the shutdowns of ISP Intercage and Web hosting company McColo. Security researchers predict a shift to a more distributed botnet model and redundant command and control servers.

Bots on the Move

 

Whether or not other companies like McColo that are suspected of bad behavior will face shutdowns is anyone's guess. After McColo was initially taken down, it got new life the weekend of Nov. 15 when Swedish ISP TeliaSonera provided peering. McColo was quickly taken offline after security researchers contacted TeliaSonera and complained, but the minds behind the Rustock botnet were still able to push out an update to computers under their control.

Officials at FireEye announced Nov. 18 that the company had detected more than 450,000 Srizbi bots still trying to connect to C&C servers that were once hosted by McColo. Phillip Lin, director of marketing at FireEye, predicted that because not all the C&C domains are hosted by McColo, many of these bots will eventually reconnect to an online C&C and go back into the underground.

"For now, bots that are searching for a C&C master are more visible, so FireEye is reaching out to the victims and notifying them of how to disconnect themselves from the botnet," Lin said. "We're optimistic that providers who have the right technology and coordination will try to follow the example of shutting down these clearly egregious cases of abuse and illegal activities."

Still, he noted that McColo had operated for years before being shut down and that it can be difficult to accurately determine which customers on what servers are actually hosting malicious content.

"In McColo's case it was clear to Global Crossing and Hurricane Electric that McColo was complicit somehow in the abusive and illegal activities on their own hosted servers … most cases are not this clear-cut," Lin said.



 
 
>>> More IT Security & Network Security News & Reviews Articles          >>> More By Brian Prince
 
