McColo shutdown won't stop spam, malware, warn security experts

By Dennis Fisher, Executive Editor
14 Nov 2008 | SearchSecurity.com

Security Wire Daily News

For years, security experts, antispam activists and law enforcement agencies have known where to find the Internet's worst spammers and malware distributors, but there was little they could do with that knowledge. The patchwork of international laws governing computer crime, along with the reluctance of some Internet service providers to pull the plug on customers accused of wrongdoing, has contributed to keeping many of these illegitimate businesses operating.

But now the tide is beginning to turn. First came the news that ICANN had decided to de-accredit EstDomains, an ISP notorious in the security community for serving as a haven for malware authors and spammers. Then earlier this week, the upstream providers for McColo Corp. killed their connections to the hosting provider, which has been known in security circles as another home base for malware and spammers, as well as alleged child pornographers. This effectively cut McColo off from the Internet, resulting in a significant drop in global spam levels. Symantec Corp. said on Thursday that it had seen spam levels decline 65% since Tuesday, and other messaging security providers reported similar drop-offs.

These are rare success stories in the fight against spam and malware, but security experts have no illusions that this is the beginning of the end of spam and malware, or that the drop-off will even last more than a few days.

"There are a lot of different issues involved. The folks involved in spam gave up on whack-a-mole model, where as soon as you take an ISP down and malware hosting and command and control along with it, then they move to another network," said Danny McPherson, vice president and chief security officer at Arbor Networks Inc. "Everyone understands where they are for a while and then they move somewhere else. They just take their address space and announce it elsewhere and they're back in business."

In fact, McPherson said that some of the people involved with McColo, which is based in San Jose, Calif., are trying to get their address space announced somewhere else on the Internet right now.

"When that happens, they'll be right back at it," he said.

McPherson, who has been studying the spam and botnet problem, along with his colleague at Arbor, Jose Nazario, said that part of the reason there has been a string of wins recently against spammers and botnet operators is the increase in cooperation among security researchers, ISPs and others interested in stopping the problem. There has always been a loose-knit community of activists working to take down phishing sites and spammers whenever possible, but the level of cooperation by ISPs and law enforcement has been spotty, for a variety of reasons.

For ISPs, the problems arise from the contracts they have with their customers. Simply pulling the plug on a suspected spammer or malware-hosting service is not usually an option; the ISPs need solid proof. And gathering that proof takes time and effort, which many service providers don't have the resources to handle.

But that attitude is beginning to change, as ISPs see the negative effects that having their brands associated with spam operations and malware distributors can have, McPherson said.

"A big part of this is that the security community came together. The fact that the security community is collaborating and saying these are the worst neighborhoods on the Internet, then the community acts," he said. "A lot of the ISPs act on these before they become huge issues. The majority of them actually take immediate action when they see this kind of activity. The security community and research firms are doing a better job of sharing information now."


