My 12/01/08 Missoulian column
Have you noticed fewer spam and phishing e-mails over the last few weeks, the ones from “banks” saying your “account has been compromised,” or pitches from online pharmacies selling all kinds of pills? The usual rules still apply: don’t open spam and don’t click on the links, or you’ll more than likely get hit with malware or a scam.
But there’s an interesting story behind the spam drop-off that centers on a company called McColo Corp. and its computer servers in San Jose, Calif., and the Security Fix blog at the Washington Post, written by Brian Krebs.
Through extensive research and help from other computer security professionals, Krebs was instrumental in uncovering that the Web hosting company McColo was providing services for the “remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography via e-mail.”
In other words, McColo was letting botnets of hundreds of thousands of PCs be controlled from their rented servers, and those PCs were spewing billions of spam e-mails a day that clogged inboxes and stole personal information.
As a result of Krebs’ work, McColo was disconnected by its upstream Internet providers, and spam levels dropped like a rock, down 70 percent or more at first. Spam is still a problem – one security firm measured about 50 billion spam e-mails a day afterward, compared with 160 billion a day before – but McColo is out as a big player, for now.
The fact that McColo was disconnected is a new development in the battle against spam and spam-related crime because it has seldom happened in the past. But right away the story gets more complex. Krebs writes that what is unclear is the “extent to which McColo could be held legally responsible for the activities of the clients for whom it provides hosting services. There is no evidence that McColo has been charged with any crime, and these activities may not violate the law.”
Before delving further into the story, here’s some technical background on hosting and botnets: running a hosting business means providing the computer servers for Web sites and other Internet services, legitimate or not. Even though cyberspace seems to be “everywhere,” every Web site must reside on, and be “served” from, a physical server somewhere.
A botnet is a collection of PCs – at homes, in offices, in government agencies, etc. – that have been compromised by malware. The malware gets installed when someone clicks on a link in a spam e-mail or visits a malicious Web site; it is able to infect the PC because the antivirus software is out of date (or missing altogether), because security patches are out of date, or, in some cases, because the security hole has not yet been fixed by the software vendor.
Once the malware is installed, the PC can be remotely controlled by the botnet owner. Botnet owners “herd” hundreds of thousands of PCs, which are then used to send billions of spam e-mails a day. The owners of botnets – individuals or criminal groups located all over the world – need reliable, well-connected hosting for the servers that command and control their extensive botnets.
If your PC is infected and part of a botnet, it’s busy sending spam, unbeknownst to you, and controlled by that botnet herder. The herder – more than likely employed by organized crime – tells the bots which spam to send, according to what kind of deals they have arranged to sell pharmaceuticals or to steal credit card numbers and personal data.
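The tell-tale sign of the spam bot just described is visible on the network even when the PC’s owner sees nothing: a normal PC hands its outgoing mail to one relay (the ISP’s or the office mail server), whereas a bot opens SMTP connections directly to many different recipient mail servers in a short time. The following is an added example, written for this page and not taken from the column or from Krebs’ reporting, that runs that check over connection records. The “key=value” log format, the 5-minute window, the threshold of 20 distinct mail servers, and the sample records are all assumptions constructed for the example.

```python
"""Flag LAN hosts that behave like spam bots.

A spam bot opens SMTP (TCP port 25) connections directly to many different
mail servers. This example counts distinct port-25 destinations per source
inside a sliding time window and flags sources that exceed a threshold.

The log format (one "key=value" connection record per line), the window,
the threshold and the sample records are assumptions constructed for this
example; they are not real traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Parse one connection record; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def find_spam_bots(lines, window=timedelta(minutes=5), max_mail_servers=20,
                   allowed_relays=frozenset()):
    """Return {src: peak distinct SMTP destinations} for every source that
    talked to more than max_mail_servers distinct hosts on port 25 inside
    any window. Destinations in allowed_relays (the site's own mail relay)
    are ignored so that legitimate mail clients are not counted."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        if rec["dst"] in allowed_relays:
            continue
        per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()                      # the sliding window needs time order
        in_window = Counter()              # dst -> connections inside the window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that have fallen out of the window.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) > max_mail_servers:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


def constructed_log():
    """Constructed sample records (not real traffic): 192.168.1.10 uses the
    local relay and the web, 192.168.1.42 browses, and 192.168.1.23 fans out
    to 60 different mail servers within one minute, like a spam bot."""
    lines = [
        "2008-11-12T10:00:01 src=192.168.1.10 dst=192.168.1.2 dport=25 proto=tcp",
        "2008-11-12T10:00:02 src=192.168.1.10 dst=198.51.100.7 dport=80 proto=tcp",
        "2008-11-12T10:00:05 src=192.168.1.42 dst=198.51.100.8 dport=443 proto=tcp",
    ]
    for i in range(60):
        lines.append(
            f"2008-11-12T10:00:{10 + i % 50:02d} src=192.168.1.23 "
            f"dst=203.0.113.{i + 1} dport=25 proto=tcp"
        )
    return lines


if __name__ == "__main__":
    hits = find_spam_bots(constructed_log(), allowed_relays={"192.168.1.2"})
    for src, peak in hits.items():
        print(f"{src}: {peak} distinct mail servers on port 25 within 5 minutes")
```

On a real network the same logic runs over firewall or NetFlow records; the one knob that matters is the relay allow-list, because a host that only ever talks to the site’s own mail server should never trip the check, while a host that talks to dozens of strangers on port 25 almost certainly is not sending its owner’s mail.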
In order to get McColo disconnected, Krebs worked with information provided by many different security professionals and companies who had complained over the years to McColo, to no avail. Krebs writes that “multiple security researchers have recently published data naming McColo as the host for all of the top robot networks or botnets.”
McColo reportedly said it would look into the situation, but then simply moved the botnet control servers to a different part of its own network, changing the addresses that the control domains pointed to in order to (temporarily) hide them again.
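Moving a control server to another address inside the same provider’s network hides it only from someone watching a single IP address; anyone tracking the provider’s whole address range sees the name simply move from one of its netblocks to another. The following is an added example, written for this page and not code from the column, from Krebs or from any of the researchers mentioned, that replays a passive-DNS-style history of control-server names and reports each address change together with whether the new address is still inside the provider’s prefixes. The prefixes (RFC 5737 documentation ranges), the domain names and the observations are all assumptions constructed for the example and are not McColo’s real addresses or customers.

```python
"""Track a command-and-control domain as it moves around a hosting
provider's address space.

Bots find their control server by DNS name, so a host can "hide" one by
pointing the name at a new address. If that address is still inside the
same provider's netblocks, nothing has changed about who hosts it. This
example replays a constructed DNS history and reports every address change
with a flag saying whether the new address is still on the provider.

The provider prefixes (RFC 5737 documentation space), the domain names and
the observations are assumptions constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Assumed provider netblocks (documentation addresses, not a real provider's).
PROVIDER_PREFIXES = [
    ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")
]

# Constructed observations: (date, domain, resolved address).
OBSERVATIONS = [
    ("2008-10-01", "c2-a.example", "203.0.113.17"),
    ("2008-10-15", "c2-a.example", "203.0.113.17"),
    ("2008-11-03", "c2-a.example", "198.51.100.240"),  # moved, same provider
    ("2008-10-01", "c2-b.example", "203.0.113.88"),
    ("2008-11-14", "c2-b.example", "192.0.2.10"),      # moved off the provider
    ("2008-10-20", "c2-c.example", "203.0.113.130"),   # never moved
]


def in_prefixes(ip, prefixes=PROVIDER_PREFIXES):
    """True if ip falls inside any of the provider's announced prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def address_moves(observations, prefixes=PROVIDER_PREFIXES):
    """Return {domain: [(date, old_ip, new_ip, still_on_provider), ...]}
    for every domain whose resolved address changed, in date order.
    Domains that never moved are absent from the result."""
    history = defaultdict(list)
    for date, domain, ip in sorted(observations):   # ISO dates sort correctly
        history[domain].append((date, ip))
    moves = {}
    for domain, entries in history.items():
        prev = None
        for date, ip in entries:
            if prev is not None and ip != prev:
                moves.setdefault(domain, []).append(
                    (date, prev, ip, in_prefixes(ip, prefixes))
                )
            prev = ip
    return moves


def still_on_provider(observations, prefixes=PROVIDER_PREFIXES):
    """Domains whose most recent address is still inside the provider's
    prefixes, regardless of how many times they have moved."""
    latest = {}
    for date, domain, ip in sorted(observations):
        latest[domain] = ip          # last assignment wins: newest date
    return sorted(d for d, ip in latest.items() if in_prefixes(ip, prefixes))


if __name__ == "__main__":
    for domain, moves in address_moves(OBSERVATIONS).items():
        for date, old, new, same in moves:
            where = "still on provider" if same else "left provider"
            print(f"{date} {domain}: {old} -> {new} ({where})")
    print("currently on provider:", still_on_provider(OBSERVATIONS))
```

The practical point is the unit of tracking: a block list keyed on individual addresses goes stale the moment the name is re-pointed, while one keyed on the provider’s prefixes keeps working until the server actually leaves that provider, which is exactly the distinction that mattered when the upstream connection was cut.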
But one of McColo’s upstream Internet service providers, also in San Jose, was critical in cutting McColo off from the Internet as a whole. After Krebs pieced the story together, he showed the ISP evidence of extensive botnet activity and showed that the ISP was one of McColo’s upstream connections. The ISP was then able to cut off McColo within an hour.
This was a big development in the world of spam and a big deal for Krebs to be able to pull it off. (Krebs told me earlier this year that he started out working at the Washington Post in the mailroom. Now, because of his security-related research and articles, Security Fix is an important blog on the security circuit.)
As soon as McColo went offline, the story turned into what looks to be a vast gray area of law and enforcement. Krebs writes in his series of articles “that it’s not clear what, if anything, U.S. law enforcement is doing about McColo’s alleged involvement in the delivery of spam.”
He also writes that the FBI and the U.S. Secret Service couldn’t or wouldn’t comment on McColo, and that the U.S. Computer Emergency Readiness Team, or US-CERT – a partnership between the Department of Homeland Security and the private sector to combat cybersecurity threats – wouldn’t respond to requests for information.
Hosting companies are not generally liable for what is contained or delivered by their computer servers, except in cases such as child pornography and copyright violations. There are some cases of hosting companies in the U.S. pleading guilty to knowingly hosting such material in years past, but none relate to McColo.
Unfortunately, spam rates are creeping up again because one botnet came back to life for a few hours after the “herder” found another ISP to provide server space in Europe. The botnet was able to communicate with thousands of its PCs before being disconnected again. So the McColo and botnet story is far from over. Krebs continues to follow the story at Security Fix.