McColo Shutdown Cuts Spam by 75%


Hosting firm shutdown forces botnets to relocate
Criminals affected by plug-pulling already shifting operations, says researcher
By Gregg Keizer
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9120162&source=NLT_PM&nlid=8

November 13, 2008 (Computerworld) The shutdown Tuesday of a California-based hosting company not
only knocked down spam volumes but has also put a dent in malware-spreading botnets and other
criminal activity, researchers said today.
While cybercriminals will face some short-term difficulties as they are forced to relocate their operations,
the relief will be only temporary for the world's Internet users, the researchers added.
McColo Corp., the San Jose-based company that was cut off from the Web by its upstream Internet
providers two days ago, hosted a staggering variety of cybercriminal activity, according to researchers
familiar with its operation. Other than spewing out huge quantities of spam -- by some estimates, at times
up to 75% of all spam -- McColo hosted the command-and-control servers of some of the biggest botnets,
hosted child pornographic sites and domains that hustled users for money by scaring them into thinking
that their PCs were infected with massive amounts of malware.
Among the world's largest botnets controlled from servers hosted by McColo, researchers have counted
the Sinowal, Srizbi and Rustock networks.
The hosting service even harbored the server that RSA Security Inc. found that contained more than
500,000 stolen online bank and credit card accounts.
Paul Ferguson, a network architect at Trend Micro Inc., was one of 10 security researchers who put years
of work into investigating McColo and documenting its criminal activities. "The work goes back two years,"
said Ferguson. "We did our due diligence and went through legitimate channels" in an attempt to get
McColo to change its spots. "But they just played a shell game when they did respond, maybe change an
IP address on one domain. They weren't serious. So we decided it was time to shine a light on the
darkness."
Ferguson joined nine other researchers to publish a paper Wednesday called "McColo: Cyber Crime
USA" that detailed their findings. The paper is available on the HostExploit.com site (download PDF).
Spam levels remained significantly lower today than before McColo's shutdown -- according to IronPort,
spam volumes are down about 58% Thursday from Monday's numbers.
Although the shutdown may stymie online criminal activity for a time, Ferguson and others were only
cautiously optimistic.
"I completely expect the criminal operators that were 'pulling the strings' in McColo to redeploy their
operations elsewhere," said Ferguson. "That's almost a given." He added that there are signs the
criminals are already shifting their servers and domains to other hosting companies.





Ben Feinstein, director of operations for the counterthreat unit of SecureWorks Inc., an Atlanta-based
security company, echoed Ferguson. "In the short term, this may have a positive effect in reducing online
crime, but in the medium- and long-term, they'll reorganize and move to other hosting providers."
The move won't even be that hard, said Feinstein. "The real pioneers of cloud computing were these
criminal organizations," he argued. "One of the features of a lot of these botnets is that they can push out
updates to the bots to point them toward new command-and-control servers. So while they may lose
some bots, they will be able to reconstruct their botnets."
That doesn't mean this week's takedown was for naught.
"There are two important byproducts of that [forced] redeployment," said Ferguson. "It increases the cost
of doing business for them, and when they do move, we can observe and track them."
"It's definitely a positive take-away," said Feinstein. "This, and the Intercage takedown [in September]
serve as examples that if you allow this kind of activity to run rampant on your network, or you're aiding
and abetting criminals, there can be consequences."
Even then, however, Feinstein said there might be a dark lining to the cloud. "McColo's upstream
providers were responsive in the end [to the evidence], but are you going to get that from other providers
in other parts of the world? Unlikely. So big takedowns like this may get more difficult."
"I'm just taking solace in small victories," countered Ferguson. "What we have to try to do is raise the cost
of doing business for these guys."
WashingtonPost.com
http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html




Brian Krebs on Computer Security

A Closer Look at McColo
Yesterday, we published a story about Web hosting firm McColo being knocked offline after
being accused by the computer security community of serving as a gateway to organizations
engaged in spam activity.




In trying to get a sense of the activity attributed to
McColo, I put together a flow chart, or mind map, showing McColo's relationship to various
sites associated with botnet activity, spam, pharmacy domains, etc. I created the flow chart with
the excellent and gratis FreeMind software. I've included a screen shot for those who don't have
or want this software installed (click on the image to enlarge it).


For those who do have FreeMind installed, check out this file, which allows you to click any
arrow in the graphic and view some of the source data for those citations. Others can view the
source material at the end of this post.

The upper right-hand section of the graphic highlights the numeric Internet addresses assigned to
McColo that experts, such as Joe Stewart, the director of malware research for Atlanta-based
SecureWorks, say were used by some of the most active and notorious spam-spewing botnets --
agglomerations of millions of hacked PCs that were collectively responsible for sending more
than 75 percent of the world's spam on any given day (for that sourcing, see the colorful pie chart
below, which is internet security firm Marshal.com's current view of the share of spam
attributed to the top botnets -- again, click on it to enlarge). In the upper left corner of the flow
chart are dozens of fake pharmacy domains that were hosted by McColo.




Bear in mind, this is by no means a comprehensive account of the sites and activity that experts
say were funneled through this provider: I have redacted some of the data -- for example, the list
of domains accused of hosting child pornography. Others, including additional domains
allegedly offering fake anti-virus solutions, simply wouldn't fit on the map.

Additional Source Material:

Host Exploit: McColo Cyber Crime

Fireeye: Srizbi & Rustock

Fireeye: Rustock

SecureWorks: Mega-D

ThreatExpert: Pushdo/Cutwail

SecureWorks: Warezov

Matchent: Asprox

Security Fix: Virtual Heist Nets 500,000+ Bank, Credit Accounts

Dancho Danchev: Fake Security Software, Part 9

Dancho Danchev: A Diverse Portfolio of Fake Security Software - Part Eleven

Robtex: McColo Corp. Autonomous System Report
By Brian Krebs | November 13, 2008; 12:08 PM ET Cyber Justice , Fraud , From the Bunker , Misc.



http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html

Host of Internet Spam Groups Is Cut Off
Spam Drops After Internet Providers Disconnect a California Hosting Firm
By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, November 12, 2008; 7:16 PM

The volume of junk e-mail sent worldwide dropped drastically today after a Web hosting firm
identified by the computer security community as a major host of organizations allegedly
engaged in spam activity was taken offline, according to security firms that monitor spam
distribution online.

While its gleaming, state-of-the-art, 30-story office tower in downtown San Jose, Calif., hardly
looks like the staging ground for what could be called a full-scale cyber crime offensive, security
experts have found that a relatively small firm at that location is home to servers that serve as a
gateway for a significant portion of the world's junk e-mail.

The servers are operated by McColo Corp., which these experts say has emerged as a major U.S.
hosting service for international firms and syndicates that are involved in everything from the
remote management of millions of compromised computers to the sale of counterfeit
pharmaceuticals and designer goods, fake security products and child pornography via email.

But the company's web site was not accessible today, when two Internet providers cut off
McColo's connectivity to the Internet, security experts said. Immediately after McColo was
unplugged, security companies charted a precipitous drop in spam volumes worldwide. E-mail
security firm IronPort said spam levels fell by roughly 66 percent as of Tuesday evening.

Spamcop.net, another spam watch dog, found a similar decline, from about 40 spam e-mails per
second to around 10 per second. (See their graphic representation here.)

Officials from McColo did not respond to multiple e-mails, phone calls and instant messages left
at the contact points listed on the company's Web site. It's not clear what, if anything, U.S. law
enforcement is doing about McColo's alleged involvement in the delivery of spam. An FBI
spokesman declined to offer a comment for this story. The U.S. Secret Service could not be
immediately reached for comment.





Also unclear is the extent to which McColo could be held legally responsible for the activities of
the clients for whom it provides hosting services. There is no evidence that McColo has been
charged with any crime, and these activities may not violate the law.

Mark Rasch, a former cyber crime prosecutor for the Justice Department and managing director
of FTI Consulting in Washington, D.C., said Web hosting providers are generally not liable for
illegal activity carried out on their networks, except in cases involving copyright violations and
child pornography.

In the case of child pornography, providers may be held criminally liable if they know about but
do nothing to eliminate such content from their servers. For example, in 2001, BuffNET, a large
regional service provider in Buffalo, N.Y., pleaded guilty to knowingly providing access to child
pornography because the company failed to remove offending Web pages after being alerted to
the material.

Rasch said liability in such cases generally hinges on whether the hosting provider is aware of or
reasonably should have been aware of the infringing content.

"It's a little bit like a landlord who owns a building and sees people coming in and out of the
apartment complex constantly at all hours and not suspecting there may be drug activity going
on," Rasch said. "There are certain things that raise red flags, such as the nature, volume, source
and destination of the Internet traffic, that can and should raise red flags. And to have so many
third parties looking at the volume and content from this Internet provider saying 'This is
outrageous,' clearly the people doing the hosting should know that as well."

Global Crossing, a Bermuda-based company with U.S. operations in New Jersey, which was one
of the two companies providing Internet connectivity to McColo, declined to discuss the matter,
except to say that Global Crossing communicates and cooperates fully with law enforcement,
their peers, and security researchers to address malicious activity.

Benny Ng, director of marketing for Hurricane Electric, a Fremont, Calif., company that was the
other major Internet provider for McColo, took a much stronger public stance, upon receiving
information about this investigation from washingtonpost.com.

"We shut them down," Ng said. "We looked into it a bit, saw the size and scope of the problem
[washingtonpost.com was] reporting and said 'Holy cow!' Within the hour we had terminated all
of our connections to them."

Paul Ferguson, a threat researcher with computer security firm Trend Micro, said despite the
apparently unilateral actions by McColo's Internet providers, his opinion is that U.S. authorities
should have been examining McColo and its customers for a long time.

"There is damning evidence that [McColo's] activity (allegedly hosting purveyors of spam) has
been going on there for way too long, and plenty of people in the security community have gone
out of their way to raise awareness about this network, but nobody seems to care," Ferguson
said.


Multiple security researchers have recently published data naming McColo as the host for all of
the top robot networks or "botnets," which are vast collections of hacked computers that are
networked together to blast out spam or attack others online. These include SecureWorks,
FireEye and ThreatExpert.

Reports by Joe Stewart, director of malware research for Atlanta-based SecureWorks, said that
these known botnets: Mega-D, Srizbi, Pushdo, Rustock and Warezov, "have their master servers
hosted at McColo."

Stewart said he has complained to McColo several times about botnets operating out of the
company's servers, and each time, he said, the company claimed it was addressing the problem.
But according to Stewart, they did so by just moving the offending Web sites to a different
section of their network.

"McColo runs a service that offers its clients quite a bit more protection from takedowns than the
average Web host," Stewart said. "If they get abuse complaints they will try to appease whoever
is complaining, but the end result is usually they just end up moving their Internet addresses
around."

Collectively, these botnets appear to be responsible for sending roughly 75 percent of all spam
each day, according to the latest stats from Marshal, a security company in the United Kingdom
that tracks botnet activity.

Vincent Hanna, a researcher for the anti-spam group Spamhaus.org, said Spamhaus sees roughly
1.5 million computers infected with either Srizbi or Rustock sending spam over an average one-week
timeframe.

Hanna said McColo has for years hosted botnet and other suspicious activity, and that it has a
reputation as one of the most dependable players in the so-called "bulletproof hosting" business,
which provides Web servers that will remain online regardless of complaints.

"These are serious issues, almost all relating to the very core of spammer infrastructure," he said.

Researchers have found that on any given day, about half of all spam sent through the top botnets
are ads for male enhancement products and other knockoff designer drugs, with a fair number of
the online pharmacy sites linked in spam messages that were hosted at McColo.

Last month, the Federal Trade Commission convinced a U.S. district court to seize the assets of
an international spam network selling counterfeit prescription drugs, a network Spamhaus
identified as the largest "spam gang" in the world. The spammers allegedly used the Mega-D
botnet, which is capable of sending 10 billion e-mail messages each day.

Jart Armin, a private security researcher who documented the activity at McColo in a report
published today, said McColo is currently hosting at least 40 different child pornography Web
sites or sites that collect payment for the illicit content -- and that traffic analysis showed that one
of the sites garnered between 15,000 and 25,000 visitors each day.


Ian Amit, director of security research for Aladdin Knowledge Systems, an Israeli security
intelligence firm, said cyber criminals have for many months used servers at McColo to manage
Web sites that push out new versions of the "Torpig," or "Sinowal" Trojan horse program, which
is widely considered one of the stealthiest and most sophisticated families of malicious software
in existence today.

In October, RSA FraudAction Research Lab learned a single cyber crime group has used the
Torpig Trojan to steal more than a half million bank, credit and debit card accounts from infected
PCs over the past two-and-a-half years.

Amit said he found that recent Torpig attacks were being coordinated out of a Web server in
Florida, which in turn was controlled by a VPN server running at McColo. Aladdin's findings
were mirrored by those of researchers at iDefense, a security firm in Sterling, Va.

"We traced back the management connections, and found that the criminals were logged into the
attack server in Florida using connections from McColo," Amit said.

Over the past year, media attention paid to Internet service providers and hosting companies that
were profiting from cyber crime activity forced two of the most notorious networks underground
or off the Web entirely.

Late last year, stories published by washingtonpost.com and elsewhere about criminal activity
and child pornography at the St. Petersburg based Russian Business Network (RBN) caused the
hosting company's upstream Internet providers to cease routing traffic for the company. The
same thing happened in September, when upstream Internet providers pulled the plug on
Northern California based Intercage following media reports about the level of cyber-crime
activity emanating from its network.

But some security experts worry that if major Internet providers similarly shun McColo, it will
only make the criminals and their activities harder to track and to block. Stewart, of
SecureWorks, notes that in the case of the RBN, the company's clients didn't really go away, but
instead simply dispersed their operations to less concentrated areas of the Internet.

"Everything will just be more spread out and harder to mitigate," Stewart said. "We rather like
knowing where the bad activity is coming from, so protecting our networks is easier."

Jon Praed, founder of the Internet Law Group in Arlington, Va., and an attorney who has pursued
spammers in cases filed by some of the nation's largest ISPs, said many security companies do
not want safe havens to go away because it merely forces those companies to work harder to find
the cyber-crime intelligence that powers their businesses. What's more, he said, if enough
Internet providers begin severing ties with known sources of illegal activity, the cyber-criminal
groups will be increasingly forced into a smaller number of areas on the Internet, ultimately
increasing their costs and making them easier to isolate, identify and block.

"Good network providers are going to have to step up and separate themselves from these
providers who are increasingly dependent on criminal operations," Praed said. "The fact that
McColo, a virtual den of iniquity, is able to survive into 2008 in the United States is a willful
sign that we haven't yet begun the job of driving these operations to places where we can begin
to curtail their existence."





Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 

Featured (20)

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 

Hosting Firm Shutdown Forces Botnets To Relocate

McColo Shutdown Cuts Spam by 75%

Hosting firm shutdown forces botnets to relocate
Criminals affected by plug-pulling already shifting operations, says researcher
By Gregg Keizer
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9120162&source=NLT_PM&nlid=8

November 13, 2008 (Computerworld) The shutdown Tuesday of a California-based hosting company not only knocked down spam volumes but has also put a dent in malware-spreading botnets and other criminal activity, researchers said today.

While cybercriminals will face some short-term difficulties as they are forced to relocate their operations, the relief will be only temporary for the world's Internet users, the researchers added.

McColo Corp., the San Jose-based company that was cut off from the Web by its upstream Internet providers two days ago, hosted a staggering variety of cybercriminal activity, according to researchers familiar with its operation. Other than spewing out huge quantities of spam -- by some estimates, at times up to 75% of all spam -- McColo hosted the command-and-control servers of some of the biggest botnets, hosted child pornographic sites and domains that hustled users for money by scaring them into thinking that their PCs were infected with massive amounts of malware.

Among the world's largest botnets controlled from servers hosted by McColo, researchers have counted the Sinowal, Srizbi and Rustock networks.

The hosting service even harbored the server that RSA Security Inc. found contained more than 500,000 stolen online bank and credit card accounts.

Paul Ferguson, a network architect at Trend Micro Inc., was one of 10 security researchers who put years of work into investigating McColo and documenting its criminal activities. "The work goes back two years," said Ferguson. "We did our due diligence and went through legitimate channels" in an attempt to get McColo to change its spots. "But they just played a shell game when they did respond, maybe change an IP address on one domain. They weren't serious. So we decided it was time to shine a light on the darkness."

Ferguson joined nine other researchers to publish a paper Wednesday called "McColo: Cyber Crime USA" that detailed their findings. The paper is available on the HostExploit.com site.

Spam levels remained significantly lower today than before McColo's shutdown -- according to IronPort, spam volumes are down about 58% Thursday from Monday's numbers.

Although the shutdown may stymie online criminal activity for a time, Ferguson and others were only cautiously optimistic. "I completely expect the criminal operators that were 'pulling the strings' in McColo to redeploy their operations elsewhere," said Ferguson. "That's almost a given." He added that there are signs the criminals are already shifting their servers and domains to other hosting companies.

Ben Feinstein, director of operations for the counterthreat unit of SecureWorks Inc., an Atlanta-based security company, echoed Ferguson. "In the short term, this may have a positive effect in reducing online crime, but in the medium- and long-term, they'll reorganize and move to other hosting providers."

The move won't even be that hard, said Feinstein. "The real pioneers of cloud computing were these criminal organizations," he argued. "One of the features of a lot of these botnets is that they can push out updates to the bots to point them toward new command-and-control servers. So while they may lose some bots, they will be able to reconstruct their botnets."

That doesn't mean this week's takedown was for naught. "There are two important byproducts of that [forced] redeployment," said Ferguson. "It increases the cost of doing business for them, and when they do move, we can observe and track them."

"It's definitely a positive take-away," said Feinstein. "This, and the Intercage takedown [in September] serve as examples that if you allow this kind of activity to run rampant on your network, or you're aiding and abetting criminals, there can be consequences."

Even then, however, Feinstein said there might be a dark lining to the cloud. "McColo's upstream providers were responsive in the end [to the evidence], but are you going to get that from other providers in other parts of the world? Unlikely. So big takedowns like this may get more difficult."

"I'm just taking solace in small victories," countered Ferguson. "What we have to try to do is raise the cost of doing business for these guys."

WashingtonPost.com
http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html
Brian Krebs on Computer Security

A Closer Look at McColo

Yesterday, we published a story about Web hosting firm McColo being knocked offline after being accused by the computer security community of serving as a gateway to organizations engaged in spam activity.

In trying to get a sense of the activity attributed to McColo, I put together a flow chart, or mind map, showing McColo's relationship to various sites associated with botnet activity, spam, pharmacy domains, etc. I created the flow chart with the excellent and gratis FreeMind software. I've included a screen shot for those who don't have or want this software installed.

For those who do have FreeMind installed, check out this file, which allows you to click any arrow in the graphic and view some of the source data for those citations. Others can view the source material at the end of this post.

The upper right-hand section of the graphic highlights the numeric Internet addresses assigned to McColo that experts, such as Joe Stewart, the director of malware research for Atlanta-based SecureWorks, say were used by some of the most active and notorious spam-spewing botnets -- agglomerations of millions of hacked PCs that were collectively responsible for sending more than 75 percent of the world's spam on any given day (for that sourcing, see the colorful pie chart below, which is Internet security firm Marshal.com's current view of the share of spam attributed to the top botnets).

In the upper left corner of the flow chart are dozens of fake pharmacy domains that were hosted by McColo.

Bear in mind, this is by no means a comprehensive account of the sites and activity that experts say were funneled through this provider: I have redacted some of the data -- for example, the list of domains accused of hosting child pornography. Others, including additional domains allegedly offering fake anti-virus solutions, simply wouldn't fit on the map.

Additional Source Material:
Host Exploit: McColo Cyber Crime
Fireeye: Srizbi & Rustock
Fireeye: Rustock
SecureWorks: Mega-D
ThreatExpert: Pushdo/Cutwail
SecureWorks: Warezov
Matchent: Asprox
Security Fix: Virtual Heist Nets 500,000+ Bank, Credit Accounts
Dancho Danchev: Fake Security Software, Part 9
Dancho Danchev: A Diverse Portfolio of Fake Security Software - Part Eleven
Robtex: McColo Corp. Autonomous System Report

By Brian Krebs | November 13, 2008; 12:08 PM ET

http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html
Host of Internet Spam Groups Is Cut Off
Spam Drops After Internet Providers Disconnect a California Hosting Firm
By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, November 12, 2008; 7:16 PM

The volume of junk e-mail sent worldwide dropped drastically today after a Web hosting firm identified by the computer security community as a major host of organizations allegedly engaged in spam activity was taken offline, according to security firms that monitor spam distribution online.

While its gleaming, state-of-the-art, 30-story office tower in downtown San Jose, Calif., hardly looks like the staging ground for what could be called a full-scale cyber crime offensive, security experts have found that a relatively small firm at that location is home to servers that serve as a gateway for a significant portion of the world's junk e-mail.

The servers are operated by McColo Corp., which these experts say has emerged as a major U.S. hosting service for international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography via email.

But the company's web site was not accessible today, when two Internet providers cut off McColo's connectivity to the Internet, security experts said.

Immediately after McColo was unplugged, security companies charted a precipitous drop in spam volumes worldwide. E-mail security firm IronPort said spam levels fell by roughly 66 percent as of Tuesday evening. Spamcop.net, another spam watchdog, found a similar decline, from about 40 spam e-mails per second to around 10 per second.

Officials from McColo did not respond to multiple e-mails, phone calls and instant messages left at the contact points listed on the company's Web site.

It's not clear what, if anything, U.S. law enforcement is doing about McColo's alleged involvement in the delivery of spam. An FBI spokesman declined to offer a comment for this story. The U.S. Secret Service could not be immediately reached for comment.

Also unclear is the extent to which McColo could be held legally responsible for the activities of the clients for whom it provides hosting services. There is no evidence that McColo has been charged with any crime, and these activities may not violate the law.

Mark Rasch, a former cyber crime prosecutor for the Justice Department and managing director of FTI Consulting in Washington, D.C., said Web hosting providers are generally not liable for illegal activity carried out on their networks, except in cases involving copyright violations and child pornography. In the case of child pornography, providers may be held criminally liable if they know about but do nothing to eliminate such content from their servers. For example, in 2001, BuffNET, a large regional service provider in Buffalo, N.Y., pleaded guilty to knowingly providing access to child pornography because the company failed to remove offending Web pages after being alerted to the material.

Rasch said liability in such cases generally hinges on whether the hosting provider is aware of or reasonably should have been aware of the infringing content.

"It's a little bit like a landlord who owns a building and sees people coming in and out of the apartment complex constantly at all hours and not suspecting there may be drug activity going on," Rasch said. "There are certain things that raise red flags, such as the nature, volume, source and destination of the Internet traffic, that can and should raise red flags. And to have so many third parties looking at the volume and content from this Internet provider saying 'This is outrageous,' clearly the people doing the hosting should know that as well."

Global Crossing, a Bermuda-based company with U.S. operations in New Jersey, which was one of the two companies providing Internet connectivity to McColo, declined to discuss the matter, except to say that Global Crossing communicates and cooperates fully with law enforcement, their peers, and security researchers to address malicious activity.

Benny Ng, director of marketing for Hurricane Electric, a Fremont, Calif., company that was the other major Internet provider for McColo, took a much stronger public stance upon receiving information about this investigation from washingtonpost.com.

"We shut them down," Ng said. "We looked into it a bit, saw the size and scope of the problem [washingtonpost.com was] reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."

Paul Ferguson, a threat researcher with computer security firm Trend Micro, said despite the apparently unilateral actions by McColo's Internet providers, his opinion is that U.S. authorities should have been examining McColo and its customers for a long time.

"There is damning evidence that [McColo's] activity (allegedly hosting purveyors of spam) has been going on there for way too long, and plenty of people in the security community have gone out of their way to raise awareness about this network, but nobody seems to care," Ferguson said.

Multiple security researchers have recently published data naming McColo as the host for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online. These include SecureWorks, FireEye and ThreatExpert.

Reports by Joe Stewart, director of malware research for Atlanta-based SecureWorks, said that these known botnets: Mega-D, Srizbi, Pushdo, Rustock and Warezov, "have their master servers hosted at McColo."

Stewart said he has complained to McColo several times about botnets operating out of the company's servers, and each time, he said, the company claimed it was addressing the problem. But according to Stewart, they did so by just moving the offending Web sites to a different section of their network.

"McColo runs a service that offers its clients quite a bit more protection from takedowns than the average Web host," Stewart said. "If they get abuse complaints they will try to appease whoever is complaining, but the end result is usually they just end up moving their Internet addresses around."

Collectively, these botnets appear to be responsible for sending roughly 75 percent of all spam each day, according to the latest stats from Marshal, a security company in the United Kingdom that tracks botnet activity.

Vincent Hanna, a researcher for the anti-spam group Spamhaus.org, said Spamhaus sees roughly 1.5 million computers infected with either Srizbi or Rustock sending spam over an average one-week timeframe.

Hanna said McColo has for years hosted botnet and other suspicious activity, and that it has a reputation as one of the most dependable players in the so-called "bulletproof hosting" business, which are Web servers that will remain online regardless of complaints.

"These are serious issues, almost all relating to the very core of spammer infrastructure," he said.

Researchers have found that on any given day, about half of all spam sent through the top botnets are ads for male enhancement products and other knockoff designer drugs, with a fair number of the online pharmacy sites linked in spam messages that were hosted at McColo.

Last month, the Federal Trade Commission convinced a U.S. district court to seize the assets of an international spam network selling counterfeit prescription drugs, a network Spamhaus identified as the largest "spam gang" in the world. The spammers allegedly used the Mega-D botnet, which is capable of sending 10 billion e-mail messages each day.

Jart Armin, a private security researcher who documented the activity at McColo in a report published today, said McColo is currently hosting at least 40 different child pornography Web sites or sites that collect payment for the illicit content -- and that traffic analysis showed that one of the sites garnered between 15,000 and 25,000 visitors each day.

Ian Amit, director of security research for Aladdin Knowledge Systems, an Israeli security intelligence firm, said cyber criminals have for many months used servers at McColo to manage Web sites that push out new versions of the "Torpig," or "Sinowal" Trojan horse program, which is widely considered one of the stealthiest and most sophisticated families of malicious software in existence today.

In October, RSA FraudAction Research Lab learned a single cyber crime group has used the Torpig Trojan to steal more than a half million bank, credit and debit card accounts from infected PCs over the past two-and-a-half years.

Amit said he found that recent Torpig attacks were being coordinated out of a Web server in Florida, which in turn was controlled by a VPN server running at McColo. Aladdin's findings were mirrored by those of researchers at iDefense, a security firm in Sterling, Va.

"We traced back the management connections, and found that the criminals were logged into the attack server in Florida using connections from McColo," Amit said.

Over the past year, media attention paid to Internet service providers and hosting companies that were profiting from cyber crime activity forced two of the most notorious networks underground or off the Web entirely. Late last year, stories published by washingtonpost.com and elsewhere about criminal activity and child pornography at the St. Petersburg-based Russian Business Network (RBN) caused the hosting company's upstream Internet providers to cease routing traffic for the company. The same thing happened in September, when upstream Internet providers pulled the plug on Northern California-based Intercage following media reports about the level of cyber-crime activity emanating from its network.

But some security experts worry that if major Internet providers similarly shun McColo, it will only make the criminals and their activities harder to track and to block. Stewart, of SecureWorks, notes that in the case of the RBN, the company's clients didn't really go away, but instead simply dispersed their operations to less concentrated areas of the Internet.

"Everything will just be more spread out and harder to mitigate," Stewart said. "We rather like knowing where the bad activity is coming from, so protecting our networks is easier."

Jon Praed, founder of the Internet Law Group in Arlington, Va., and an attorney who has pursued spammers in cases filed by some of the nation's largest ISPs, said many security companies do not want safe havens to go away because it merely forces those companies to work harder to find the cyber-crime intelligence that powers their businesses.

What's more, he said, if enough Internet providers begin severing ties with known sources of illegal activity, the cyber-criminal groups will be increasingly forced into a smaller number of areas on the Internet, ultimately increasing their costs and making them easier to isolate, identify and block.

"Good network providers are going to have to step up and separate themselves from these providers who are increasingly dependent on criminal operations," Praed said. "The fact that McColo, a virtual den of iniquity, is able to survive into 2008 in the United States is a willful sign that we haven't yet begun the job of driving these operations to places where we can begin to curtail their existence."