ISP McColo Shut Down After Connection Found To Spammers
ISP McColo was taken offline Tuesday by its upstream ISP after a research report by several security vendors alleged McColo helped cybercriminals promote spam, online fraud and child pornography.

McColo has been tracked for years by Internet security researchers, who have suspected the ISP of hosting spam and the Web sites of cybercriminals known as phishers -- cybercriminals who distribute malware by claiming to offer everything from herbal remedies to celebrity videos.

McColo's termination followed closely on the heels of an incendiary report released by researchers from numerous security organizations and companies, including McAfee, Trend Micro and Arbor Networks, detailing shady criminal practices of ISPs like McColo and their connection with spam and cybercrime.

ISPs can connect with each other to exchange Internet traffic in what is known as peering. McColo was booted offline Tuesday night when upstream ISP Hurricane Electric disconnected from McColo, leaving it without a huge portion of its Internet traffic.

"They're obviously doing bad things online and we don't want that on our network," said Benny Ng, director of infrastructure for Hurricane Electric.

Ng added that Hurricane Electric has no plans to reinstate McColo's Internet privileges, but said he might give them another chance if they could clean up their act and prove they were legitimate.

Security experts said that McColo was an integral link in a chain of connectivity that hosted a slew of cybercriminal activity, such as spam, botnets, pornography and malware distribution, while some even speculated that the ISP was responsible for as much as half the world's spam.

Meanwhile, the report mentions that McColo hosted command and control servers for some of the world's biggest botnets -- networks of infected computers under the control of a remote attacker or cybercrime group. In one example, the report states that the Sinowal Trojan tracked by security company RSA was found to have originated from a McColo IP address. RSA researchers ultimately found that the Sinowal malware was responsible for the theft of about 500,000 online bank account and credit and debit card numbers.

Consequently, security researchers noticed a significant drop in the level of spam immediately following the McColo shutdown Tuesday night.

In particular, researchers at IronPort/Cisco say they saw global spam levels drop at least 60 percent -- from 190 billion spam messages to 112 billion spam messages per day -- following Tuesday's shutdown.

"Usually this time of year we're talking about spam spikes. This time we're excited to find a temporary reprieve," said Nilesh Bhandari, product manager with IronPort/Cisco.

But just how temporary a reprieve remains in question. Bhandari said that spam levels will likely return to normal within a matter of days to weeks as other ISPs step in to fill the gap left by McColo's absence.

"McColo will find another provider," Bhandari said. "They'll most likely move their command and control center offshore and go someplace where it's less likely to be analyzed closely."

"Unfortunately, spam volumes are likely going to return to the high levels of the holiday season. This is big business," he added.

The McColo shutdown also comes just two months after network provider Intercage, which was found to host copious spam, malware and other fraudulent activity, was disconnected by its providers. As in the case of McColo, Intercage's takedown created a brief decline in the amount of spam around the globe. However, volumes returned to their normal levels as cybercriminals regrouped and found other providers.

"When [ISP] Atrivo was de-peered, the world saw a brief drop in the output of spam. If McColo were ever to suffer the same fate, worldwide spam output would probably be cut in half," the report states.

Meanwhile, security experts say that cybercrime's proliferation is primarily due to the fact that it requires practically no overhead, is extremely lucrative and is relatively risk-free.

"By whacking their host and making them move from time to time, all of a sudden they can't do any of the work and development that they normally do," said John Bambenek, SANS Internet Storm Center handler. "We need to be looking at some of these techniques and make them react to changes that we're doing. We need to find a part business solution and part technological solution that slows them down, increases their cost and reduces their profitability."

Bambenek also contended that while spam volumes might rebound in the short term, the serial ISP shutdowns indicate a trend of shrinking tolerance among IT security administrators not just for spammers, but for the infrastructure that enables them.

"What we're seeing is a lot of self-regulation. It's not the public per se. It's more or less the information security community and IT community in general," Bambenek said. "A lot of people are tired of those costs being foisted on the general public and they're pushing back. In that sense, it's an economic market response to a situation."