
A Closer Look at McColo

Yesterday, we published a story about Web hosting firm McColo being knocked offline after being accused by the computer security community of serving as a gateway to organizations engaged in spam activity.

[Image: FreeMind mind map of McColo's relationships to botnet, spam and pharmacy sites]

In trying to get a sense of the activity attributed to McColo, I put together a flow chart, or mind map, showing McColo's relationship to various sites associated with botnet activity, spam, pharmacy domains, etc. I created the flow chart with the excellent and gratis FreeMind software. I've included a screen shot for those who don't have or want this software installed (click on the image to enlarge it).

For those who do have FreeMind installed, check out this file, which allows you to click any arrow in the graphic and view some of the source data for those citations. Others can view the source material at the end of this post.

The upper right-hand section of the graphic highlights the numeric Internet addresses assigned to McColo that experts, such as Joe Stewart, the director of malware research for Atlanta-based SecureWorks, say were used by some of the most active and notorious spam-spewing botnets -- agglomerations of millions of hacked PCs that were collectively responsible for sending more than 75 percent of the world's spam on any given day (for that sourcing, see the colorful pie chart below, which is Internet security firm Marshal.com's current view of the share of spam attributed to the top botnets -- again, click on it to enlarge). In the upper left corner of the flow chart are dozens of fake pharmacy domains that were hosted by McColo.

[Image: Marshal.com pie chart of the share of spam attributed to the top botnets]

Bear in mind, this is by no means a comprehensive account of the sites and activity that experts say were funneled through this provider: I have redacted some of the data -- for example, the list of domains accused of hosting child pornography. Others, including additional domains allegedly offering fake anti-virus solutions, simply wouldn't fit on the map.

Additional Source Material:

Host Exploit: McColo Cyber Crime

Fireeye: Srizbi & Rustock

Fireeye: Rustock

SecureWorks: Mega-D

ThreatExpert: Pushdo/Cutwail

SecureWorks: Warezov

Matchent: Asprox

Security Fix: Virtual Heist Nets 500,000+ Bank, Credit Accounts

Dancho Danchev: Fake Security Software, Part 9

Dancho Danchev: A Diverse Portfolio of Fake Security Software - Part Eleven

Robtex: McColo Corp. Autonomous System Report

By Brian Krebs  |  November 13, 2008; 12:08 PM ET
Categories:  Cyber Justice , Fraud , From the Bunker  

Comments

Hello Brian,
Great Job (and nice mindmap)!!

But could you enlighten me about something: what exactly are the government authorities doing about these disastrous occurrences? Why wasn't McColo investigated thoroughly to try to arrest the actual perpetrators?

How and when do you think we might obtain more permanent solutions?

All the best.

Posted by: jeremiel | November 13, 2008 1:00 PM | Report abuse

Thank you for the interesting article. It would be great if as a next step you charted the time it takes for all these knocked down services to find new routes and servers.

Posted by: limejunction | November 13, 2008 2:00 PM | Report abuse

Imagine, one web hosting company responsible for 75 percent of the world's SPAM - located in the United States. Not to mention the other things it was responsible for, like hackers that were stealing bank accounts. It took a couple of private companies to have this nonsense shut down? What role does the government take in trying to prevent this kind of criminality? This is unbelievable.

Posted by: nyc98765 | November 13, 2008 2:24 PM | Report abuse

Great app - FreeMind. Works great under Ubuntu Linux 8.10.

Thanks for the info, and all the work tracking down the spammers.

Posted by: Post-It1 | November 13, 2008 5:47 PM | Report abuse

Any idea yet who is behind this company? Guess it's not very common for a US company to have its website designed in Romania, or? (see http://vane.ru)

Posted by: diddl14 | November 13, 2008 5:50 PM | Report abuse

Marshall Trace posted this new info about the botnet trying to get itself back online: http://tinyurl.com/5ou9rk

In light of their findings, couldn't someone just register these domain names before the spammers do to keep this sucker off line for good?

Supposedly there are in the neighborhood of a dozen control servers.

Posted by: joshcramer | November 13, 2008 11:14 PM | Report abuse

None of the domains listed on the Marshal site resolve; no use registering them, they would simply register new ones... it all makes very little sense when cybercrime registrars like http://www.estdomains.com/, who supposedly were closed down by ICANN, are still alive....

Posted by: roflem | November 14, 2008 3:35 AM | Report abuse

I'm not sure where anyone is getting "75% of the world's spam" - spam delivery rates certainly haven't been affected by the take down.

Posted by: gm123 | November 14, 2008 10:30 AM | Report abuse

Hopefully, the new IT Tech Czar, to be identified and appointed by our president-elect after he is in office, will be able to take a role in leading a more active government to monitor and take down these miscreants once and for all. Why have a viable IT infrastructure underpinned by the WWW if it's not safe and secure? That is, unless these scum are also active politically and contribute to PAC's, and other orgs that take soft-money.

Posted by: peterpallesen | November 14, 2008 11:02 AM | Report abuse

@GM123 -- The stats on spam decline are coming from the companies with probably the widest view on the spam problem.

As of 7:30 p.m. ET last night, IronPort said in a press release:

IronPort continues to track spam volumes post shutdown of McColo, and reports that volumes remain down about 60%. Per SenderBase, the global spam volume yesterday was 64.1 billion. This compares to 153 billion two days ago, prior to the McColo shut down.

At 3:30 pm ET Thursday, Symantec also issued a press release on their view of the spam decline:

During the past 48 hours, Symantec and other message security companies have observed a 65% decrease in spam messages. Symantec would like to provide you with additional details regarding this significant drop in spam traffic worldwide that is connected to the shutdown of a Silicon Valley-based Web hosting company named McColo Corp.

Posted by: Brian Krebs | November 14, 2008 11:28 AM | Report abuse

Also, if you see the graphic from Marshal referenced in the blog post above, and add up the percentages of spam from the botnets which had all or some of their control servers at McColo (the first four on the list), you'll see they are responsible for more than 75 percent of all spam, at least from Marshal's perspective.

Posted by: Brian Krebs | November 14, 2008 11:31 AM | Report abuse

As an IT professional, I am someone who has unfortunately fallen victim to the likes of these cyber criminals. My company fell victim to a hacker who tried to use one of my servers as a spambot. It cost me dearly: downtime, overtime hours, loss of clients, having to purchase a new server, software, etc.
What needs to happen is to hold responsible the ones who are ultimately responsible, the companies that these spammers are advertising for. They should be held accountable. You only need to catch a few and slap them with so much prison time and fines that others MAY think twice.

Posted by: ExtremelyFrustrated | November 14, 2008 9:43 PM | Report abuse

Brian

Don't know what control you have, if any, over PostGlobal blocking comments that might be critical of Islam in the Obama article today about whether Islam sees Obama as a 'Superman.'

Such blocking, while perhaps lawful, does great harm to the 1st Amendment.

Posted by: brucerealtor@gmail.com | November 15, 2008 3:19 AM | Report abuse

Whatever spam relief this provided is over for me now. Over 50 spam messages already this morning.

Posted by: fairisfair | November 17, 2008 2:47 PM | Report abuse

How sad that the government that is supposed to protect us from criminals, predators, con artists etc. will not aggressively pursue the enforcement of the various Federal laws and statutes against deceptive, false and misleading practices by internet businesses, against cyber crime involving identity theft and child pornography. It's a fact they have their heads in the sand when it comes to cyber crime, and it makes trying to curtail mafia activity seem kindergarten in scope. It involves the national security and the business security of this country. The loss in productivity, the cost in protection and the amount of economic losses is staggering.

Very few people know the depth and scope of this problem. Many people are unaware that their computers could be zombies infected with trojans, rootkits, malware and spyware which infect every other computer they come into contact with. Their information is compromised, their identity has been exposed, and so has that of everyone else who they share a program, an email, a photo with.

It will bring down the internet eventually if aggressive action is not taken now. I've been reporting these sites to the FTC and IRCC to no avail, tracing the routes and locations of their servers and reporting the true location. Just wonder where the FBI was in not bringing these sites down and prosecuting them for federal crimes. You wonder how many terrorists are operating sites that are not being monitored by government?

Posted by: Ecoclimber | November 19, 2008 2:12 AM | Report abuse

McColo is back, or at least not taken completely offline. I decided to look at some of the domains as listed in the chart above and was interested to see that www.valium-plus.com is still online and hosted by McColo Corp in New York City. Hrrm?? Where are our police at? Also, his client is in California with full whois info listed online:


Posted by: OpticBurst | November 19, 2008 3:48 AM | Report abuse

xanax-plus.com is up also

Posted by: OpticBurst | November 19, 2008 3:50 AM | Report abuse

Aren't these guys drug dealers? Hello FBI.. Do your job already..

Posted by: OpticBurst | November 19, 2008 3:51 AM | Report abuse

5-easysteps.com now hosted in Canada with Next Dimension Inc

Posted by: OpticBurst | November 19, 2008 3:54 AM | Report abuse

Why aren't these domains blocked entirely from registering with a new registrar and web host provider? If the domains were blocked by ICANN then they would be forced offline until they set up new sites.

This country is fake about security since you can spam your rear off and get shut down and move to a new host and start again..

Where is our National Security through all of this? This matter has everything to do with National Security. I can count the # of times I searched for something online and had some malicious auto-downloader infect my PC, causing me to pay for a new Windows XP license. I am spent!! Is anyone here just as spent on this matter??

I don't think anyone really gives a rat's rump what happens to McColo other than the media attention behind it. Sure, you got a great article here. But what good is some article if no one really cares about the outcome of this all? McColo is still up and running their services in New York and the United States Government couldn't care less... if they did care, then why is McColo still providing services to the above sites I mentioned? The whois info clearly shows it's McColo's data center and IPs... :(

Posted by: OpticBurst | November 19, 2008 4:02 AM | Report abuse

I, as a legitimate web hosting provider, have personally spent thousands upon thousands of $ trying to fight the wrath of McColo. Constantly updating my servers' software, even at one time forced offline by their botnets.

Now that everything is on the table about McColo and their permitting these services, I feel we need a class action lawsuit against these guys. Really! The owner of McColo lives in upstate New York. This gives us legit jurisdiction to file such suits against McColo Corporation.

Posted by: OpticBurst | November 19, 2008 4:09 AM | Report abuse

Here is the phone number of the owner of McColo Corp: 1 (914) 455-5598

Please tell this guy how you feel about him spamming the world!

Posted by: OpticBurst | November 19, 2008 4:13 AM | Report abuse

© 2010 The Washington Post Company