Botnet Operators Likely to Change Tactics in Wake of McColo, Intercage ISP Shutdowns

By Brian Prince  |  Posted 2008-11-21

Between the shutdown of Web hosting company McColo Nov. 11 and the death of ISP Intercage, aka Atrivo, in September, we may be entering a new phase of Internet security, one where every part of the Internet's ecosystem takes a more proactive role in securing Web users.

But attackers always adapt to the times, and security experts expect botnet operators to focus on avoiding situations where a knockout blow like the McColo shutdown can take them offline.

"There has been a great deal of talk about a more distributed botnet infrastructure and several smaller botnets were already following this model," said Graham Cluley, senior technology consultant with Sophos. "However, because the big [old-fashioned] botnets were still working there was no need for them to change their methods. The closing of McColo will force changes."

Joe Stewart, SecureWorks' director of malware research, shared a similar opinion. He predicted that some of the more tech-savvy botnet operators may design a fast-flux hosting platform for their command and control servers on compromised home computers. Others, he speculated, will follow the path of the Storm botnet and try going the peer-to-peer route.

"It is very hard to build a fully decentralized P2P system that is scalable and reliable," Stewart said. "Storm wasn't even fully P2P, it used a tiered-proxy C&C [command and control] system, and you could still shut down the master controller at the top to kill the botnet temporarily if you could find it."

After Intercage was shut down, spam levels dropped as well. However, that decline only lasted a few days. By the end of October, the proportion of spam circulating the Internet was unchanged from September, according to a report by MessageLabs, now part of Symantec.

The short fall-off shows that botnet controllers will react to a disruption in service by pointing their bots to a new C&C channel as soon as possible. That fact has left some researchers a little surprised that the latest decline in spam has lasted as long as it has.

"The volumes are still way down," said Matt Sergeant, senior anti-spam technologist at MessageLabs. "Asprox has come back, but it was always a fairly low-volume botnet in comparison to the big guns. Warezov has spiked, taking advantage of the other bots being down, we presume, [as] its C&C wasn't hosted at McColo."

To avoid this situation in the future, Sergeant predicted botnet operators would look to have multiple redundant C&Cs and more algorithmically generated DNS (Domain Name System) names for failover purposes.
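The failover behavior described above has a visible side effect for defenders: a bot that has lost its C&C and is cycling through generated names produces a burst of lookups for long, vowel-poor, high-entropy domains from a single host. The following is an added example, not code from the article or from any of the companies quoted, of a simple resolver-log triage script. The log line layout, the sample lines and the tiny suffix list are all constructed assumptions for the example; a real deployment would read the resolver's actual format and use the public suffix list.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log lines (not from the article). The
# "<timestamp> <client_ip> <queried_name>" layout is an assumption for
# this example; real resolver logs use their own formats.
SAMPLE_LOG = """\
2008-11-20T10:00:01 192.0.2.10 www.example.com
2008-11-20T10:00:02 192.0.2.10 mail.example.org
2008-11-20T10:00:03 192.0.2.11 xk7qz9f2pbl4wv.com
2008-11-20T10:00:04 192.0.2.11 qwj3z8vbt0yx.net
2008-11-20T10:00:05 192.0.2.12 securityresearch.net
2008-11-20T10:00:06 192.0.2.11 hg2kx9pqzv7fm1.org
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
# Toy suffix list for the example; use the public suffix list in practice.
KNOWN_TLDS = {"com", "org", "net"}
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Return the label just below the TLD, e.g. 'example' for www.example.com."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 2 and labels[-1] in KNOWN_TLDS:
        return labels[-2]
    return labels[-1]


def is_dga_like(label: str, min_len: int = 8, min_entropy: float = 3.0,
                max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels look machine-generated.

    Entropy alone is not enough (a long real phrase such as
    'securityresearch' also scores above 3 bits), so the vowel ratio is
    used as a second filter to keep such names out of the hit list.
    """
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_dns_log(text: str):
    """Yield (timestamp, client, queried_name) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def suspicious_clients(log_text: str, min_hits: int = 2) -> dict:
    """Count DGA-like lookups per client.

    A run of such lookups from one host is the pattern of a bot searching
    for a surviving C&C; single hits are ignored to reduce noise.
    """
    hits = defaultdict(int)
    for _ts, client, qname in parse_dns_log(log_text):
        if is_dga_like(registrable_label(qname)):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {n} DGA-like lookups")
```

On the constructed sample, only 192.0.2.11 crosses the threshold, with three hits. The thresholds are deliberately conservative starting points; tune them against your own resolver's baseline before alerting on the result.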

Bots on the Move

Whether or not other companies like McColo that are suspected of bad behavior will face shutdowns is anyone's guess. After McColo was initially taken down, it got new life the weekend of Nov. 15 when Swedish ISP TeliaSonera provided peering. McColo was quickly taken offline after security researchers contacted TeliaSonera and complained, but the minds behind the Rustock botnet were still able to push out an update to computers under their control.

Officials at FireEye announced Nov. 18 that the company had detected more than 450,000 Srizbi bots still trying to connect to C&C servers that were once hosted by McColo. Phillip Lin, director of marketing at FireEye, predicted that because not all the C&C domains are hosted at McColo, many of these bots will eventually reconnect to an online C&C and go back into the underground.

"For now, bots that are searching for a C&C master are more visible, so FireEye is reaching out to the victims and notifying them of how to disconnect themselves from the botnet," Lin said. "We're optimistic that providers who have the right technology and coordination will try to follow the example of shutting down these clearly egregious cases of abuse and illegal activities."

Still, he noted that McColo had operated for years before being shut down and that it can be difficult to accurately determine which customers on what servers are actually hosting malicious content.

"In McColo's case it was clear to Global Crossing and Hurricane Electric that McColo was complicit somehow in the abusive and illegal activities on their own hosted servers ... most cases are not this clear-cut," Lin said.