McColo

Last updated

McColo
Industry Web hosting service
Founded2004;20 years ago (2004) in San Jose, California, United States
FounderNikolai "Kolya" McColo [1]
DefunctNovember 11, 2008 (2008-11-11)
FateShutdown
Headquarters
San Jose, California
,
United States
Website mccolo.com
Effect of McColo takedown on spam volumes, from SpamCop. McColo-Spammonth.gif
Effect of McColo takedown on spam volumes, from SpamCop.

McColo was a US-based web hosting service provider [2] that was, for a long time, the source of the majority of spam-sending activities for the entire world. [3] In late 2008, the company was shut down by two upstream providers, Global Crossing and Hurricane Electric, because a significant amount of malware and botnets had been trafficking from the McColo servers. [2]

Contents

History

McColo was formed by a 19-year-old Russian hacker and student named Nikolai. Nikolai's nickname was "Kolya McColo"; hence the name of the provider. [4]

Malware traffic

At the time of termination of its upstream service on November 11, 2008, it was estimated that McColo customers were responsible for a substantial proportion of all email spam then flowing [5] and subsequent reports claim a two-thirds or greater reduction in global spam volume. [6] This reduction had been sustained for some period after the takedown. [7] McColo was one of the leading players in the so-called "bulletproof hosting" market — ISPs that will allow servers to remain online regardless of complaints.

According to Ars Technica and other sources, upstream ISPs Global Crossing and Hurricane Electric terminated service when contacted by Brian Krebs and The Washington Post ’s Security Fix blog, [8] [9] but multiple reports had been published by organisations including SecureWorks, FireEye and ThreatExpert, all naming McColo as the host for much of the world's botnet traffic. [10] [11] [12] [13] According to Joe Stewart, director of malware research for SecureWorks, the Mega-D, Srizbi, Pushdo, Rustock and Warezov botnets all hosted their master servers at McColo; numerous complaints had been made but McColo simply moved offending servers and sites to different subnets. Spamhaus.org reportedly finds roughly 1.5 million computers infected with either Srizbi or Rustock sending spam in an average week.

Following the shut down, details began to emerge of the ISP's other clients, which included distributors and vendors of child pornography and other criminal enterprises, including the Russian Business Network. [14]

McColo gained reconnection briefly on November 19, 2008 via a backup connection agreement common in the industry, but was rapidly shut down again. [15]

The McColo takedown especially affected Srizbi, one of the world's largest botnets, controlling 500,000 infected nodes as of November 2008. [16]

Symantec's monthly state of spam report for April 2009 stated that spamming was now back to what it was before McColo was taken offline. Due to botnets being created and old ones being brought back online, it estimated that about 85 percent of all email traffic is spam. [17] [18] By November 2009 the IP space used by McColo was still largely unused, as much of it was unattractive to buyers due to being widely blacklisted. [3]

See also

Related Research Articles

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

<span class="mw-page-title-main">The Spamhaus Project</span> Organization targetting email spammers

The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to take action against what they allege to be spammers. The correctness of this assessment by Spamhaus is regularly disputed. If the assessment is based on objective characteristics or on standards set by Spamhaus itself is disputed. The name spamhaus, a pseudo-German expression, was coined by Linford to refer to an internet service provider, or other firm, which spams or knowingly provides service to spammers. Spamhaus has been criticized to purposely hide all direct methods of contact from its webpages to avoid transparency, while asking transparency from others.

<span class="mw-page-title-main">Bulletproof hosting</span> Internet service for use by cyber-criminals

Bulletproof hosting (BPH) is technical infrastructure service provided by an Internet hosting service that is resilient to complaints of illicit activities, which serves criminal actors as a basic building block for streamlining various cyberattacks. BPH providers allow online gambling, illegal pornography, botnet command and control servers, spam, copyrighted materials, hate speech and misinformation, despite takedown court orders and law enforcement subpoenas, allowing such material in their acceptable use policies.

Brian Krebs is an American journalist and investigative reporter. He is best known for his coverage of profit-seeking cybercriminals. Krebs is the author of a daily blog, KrebsOnSecurity.com, covering computer security and cybercrime. From 1995 to 2009, Krebs was a reporter for The Washington Post and covered tech policy, privacy and computer security as well as authoring the Security Fix blog.

<span class="mw-page-title-main">Blue Frog</span>

Blue Frog was a freely-licensed anti-spam tool produced by Blue Security Inc. and operated as part of a community-based system which tried to persuade spammers to remove community members' addresses from their mailing lists by automating the complaint process for each user as spam is received. Blue Security maintained these addresses in a hashed form in a Do Not Intrude Registry, and spammers could use free tools to clean their lists. The tool was discontinued in 2006.

<span class="mw-page-title-main">Storm botnet</span> Computer botnet

The Storm botnet or Storm Worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

The Russian Business Network is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale. It is the originator of the PHP-based malware kit MPack and an alleged operator of the now defunct Storm botnet.

Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.

The Rustock botnet was a botnet that operated from around 2006 until March 2011.

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows.

Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.

The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly Bot", making it one of the largest known botnets.

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's third largest botnet, responsible for 18% of worldwide spam traffic.

<span class="mw-page-title-main">Jart Armin</span> Cybercrime and computer security investigator and analyst

Jart Armin is an investigator, analyst and writer on cybercrime and computer security, and researcher of cybercrime mechanisms and assessment.

The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.

DNSChanger is a DNS hijacking Trojan. The work of an Estonian company known as Rove Digital, the malware infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over four million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue.

Virut is a cybercrime malware botnet, operating at least since 2006, and one of the major botnets and malware distributors on the Internet. In January 2013, its operations were disrupted by the Polish organization Naukowa i Akademicka Sieć Komputerowa.

<span class="mw-page-title-main">Microsoft Digital Crimes Unit</span> Internet security organization

The Microsoft Digital Crimes Unit (DCU) is a Microsoft sponsored team of international legal and internet security experts employing the latest tools and technologies to stop or interfere with cybercrime and cyber threats. The Microsoft Digital Crimes Unit was assembled in 2008. In 2013, a Cybercrime center for the DCU was opened in Redmond, Washington. There are about 100 members of the DCU stationed just in Redmond, Washington at the original Cybercrime Center. Members of the DCU include lawyers, data scientists, investigators, forensic analysts, and engineers. The DCU has international offices located in major cities such as: Beijing, Berlin, Bogota, Delhi, Dublin, Hong Kong, Sydney, and Washington, D.C. The DCU's main focuses are child protection, copyright infringement and malware crimes. The DCU must work closely with law enforcement to ensure the perpetrators are punished to the full extent of the law. The DCU has taken down many major botnets such as the Citadel, Rustock, and Zeus. Around the world malware has cost users about $113 billion and the DCU's jobs is to shut them down in accordance with the law.

<span class="mw-page-title-main">Gameover ZeuS</span> Peer-to-peer botnet

GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.

References

  1. Krebs, Brian (2014). Spam Nation. Sourcebooks. p. 43. ISBN   9781402295621 . Retrieved June 19, 2017.
  2. 1 2 Krebs, Brian (November 12, 2008). "Host of Internet Spam Groups Is Cut Off". Washington Post. Retrieved January 27, 2009.
  3. 1 2 "Security Fix - A year later: A look back at McColo". Archived from the original on August 10, 2011. Retrieved August 20, 2019.
  4. Carr, Jeffrey. Inside Cyber Warfare: Mapping the Cyber Underworld. O'Reilly Media, Inc., 2009, ISBN   0596802153, pg. 127.
  5. McColo goes silent, The Register, November 12, 2008
  6. Spam Volumes Drop by Two-Thirds After Firm Goes Offline, Washington Post "Security Fix" blog, November 12, 2008
  7. Spam Back to 94% of All E-Mail, The New York Times "Bits" Blog, March 31, 2009
  8. A Closer Look at McColo, Washington Post Security Fix blog
  9. Spam sees big nosedive as rogue ISP McColo knocked offline, Ars Technica, November 12, 2008
  10. Stewart, Joe. "The Return of Warezov". SecureWorks. Retrieved February 25, 2016.
  11. FireEye threat analysis
  12. ThreatExpert threat analysis
  13. threat analysis
  14. Washington Post, November 12, 2008
  15. McColo reconnect highlights network security gap, Ars Technica, November 20, 2008
  16. Srizbi returns from the dead, The Register, November 26, 2008
  17. Spammers recovering from McColo shutdown
  18. State Of Spam for April 2009
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.