McColo Shutdown Strands Tons of Zombies

By Matthew Hines  |  Posted 2008-11-18 Print this article Print

Researchers are finding hundreds of thousands of stranded bots hopelessly attempting to connect to command and control centers that were taken offline when shady hosting provider McColo was cut off by its own hosts last week.

After Washington Post blogger Brian Krebs and a team of other interested parties, including researchers at FireEye, worked to get Global Crossing and Hurricane Electric to turn off McColo's access to the larger Internet, spam levels immediately dipped worldwide, with some experts assessing that services running over the shuttered provider's network had been accounting for as much as three quarters of all unsolicited e-mail.

Now researchers with anti-botnet specialists FireEye are reporting that in another major benefit of the McColo takedown, armies of zombie computers are now unable to connect back to the machines that were responsible for sending them their botnet commands.

FireEye, whose technology scans the networks of Internet access providers and enterprise organizations to isolate potential botnet activity, said that it has already observed over 450,000 individual IP addresses attempting to connect to one specific zombie control center, dubbed Srizbi, which had previously resided on McColo-controlled servers.

However, the company warned that many of the machines might still be able to connect to backup command centers that were not affected by the McColo takedown.

"Although McColo was knocked off the Internet last week due to violations of upstream Internet bandwidth providers' terms of use, the botnet problem continues to escalate as orphaned Srizbi, Rustock, and other botnet PCs attempt to call home to backup C&C infrastructures," FireEye reported.

The company said that when McColo briefly returned to the Internet over the weekend before being shut down again, thousands of Rustock bots were likely patched and reconnected to a new command and control center in Russia.

"Detection and prevention remain paramount before the process of reclaiming orphaned Srizbi bots accelerates if/when McColo gets back onto the Internet," FireEye said. "Once reclaimed, bots will connect to the new C&C infrastructure and essentially go silent since they will stop the chatter of searching for a live C&C."

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel