Botnets Still Fighting McColo Hangover

By Matthew Hines  |  Posted 2008-11-21 Print this article Print

There's more evidence suggesting that major botnets are feeling a serious pinch in the wake of the takedown of notorious hosting provider McColo last week.

Anti-botnet specialist FireEye reported earlier this week that it had observed over 450,000 stranded bots fruitlessly attempting to connect back to command and control servers that had been swept offline when McColo's access to the Internet was cut off by its own providers.

Now, security gateway provider Marshal8e6 (created via the merger of rivals Marshall and 8e6 earlier this month) is reporting that it too has seen a dramatic dip in spam and bot activity, and spambot activity, based on the McColo shutdown, which was spearheaded by Brian Krebs, a noted security blogger who writes for the Washington Post.

Like other spam watchers, Marshal8e6 said that it has measured a 70 percent falloff in overall spam volumes since the infrastructure supported by McColo was wiped out.

While some experts have predicted that spam and botnet activities would likely ramp back up quickly after the parties using McColo as a delivery mechanism found new service providers to use, the infected machines responsible for generating much of the world's spam have not yet returned, the company TRACE researchers said late Thursday.

According to the firm's previous research reports, a mere handful of the world's spambots are responsible for as much as 90 percent of all unsolicited e-mail worldwide.

"McColo was hosting the command and control infrastructure for three of the world's most prolific spam botnets: Srizbi, Mega-D and Rustock," the TRACE team said in a report summary. "When McColo was shut down, the spammers were disconnected from the networks of spam-sending bot computers under their control."

As other have noted, the researchers contend that Krebs' plan to at least temporarily shutter McColo by going upstream and challenging Global Crossing and Hurricane Electric, who provided Internet access to the hosting firm, may be the biggest blow to spam and botnet schemes ever pulled off.

"This is the most significant single event in the fight against spam we have ever seen," Phil Hay, lead threat analyst with the TRACE team said in the summary. "It shows that a coordinated effort against spammers by security researchers can have a positive and meaningful impact on global spam levels. It is something that we have been working towards for a long time and it is fantastic to see the flow-on effects on spam levels as a result of targeting the bigger botnets."

According to Marshal8e6's statistics, just prior to McColo's shut down, the Srizbi, Mega-D and Rustock botnets were ranked first, second and fifth respectively as the world's most prolific sources of spam, jointly accounting for nearly 70 percent of all spam worldwide.

The fact that spam distribution has largely become centralized into a smaller group of larger providers over the last several years made the takedown that much more effective, the company said.

However, as other security experts have predicted, despite the encouraging news, Trace team contends that it won't be long until the most innovative spammers find a new way to deliver their wares to end users and get the botnets back up and running.

"It is a cliche, but the fight against spam is a game of cat and mouse," said Hay. "Over the longer term, the spammers will learn from this incident and will probably evolve their botnet control systems. They may adopt a more resilient peer-to-peer or layered model where control servers are harder to access and spread among many hosts."

"The spammers are no doubt already setting up new command and control servers. The challenge for them is to re-establish connections with the thousands of zombie computers still infected with their bot code," he said. "We fully expect spam will resume in large volumes eventually. However, almost a week later, the spammers haven't managed to do that yet."

Maintaining pressure on ISPs and hosting providers whose infrastructure is being used by the attackers will remain the most effective way to keep on fighting the problem, the expert contends.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel