The Fallout from the 3FN Takedown

The Federal Trade Commission's unprecedented recent takedown against troubled Web hosting provider 3FN.net has had an immediate -- if little noticed -- impact on the level of spam sent worldwide, and the number of infected PCs doing the spamming, according to multiple sources.

Experts say the drop in spam probably is not visible to most Internet users or even operators of large networks, as the decrease is within the upper ranges of daily fluctuations in spam volumes. Still, the preliminary results indicate that a large number of spam-spewing zombie PCs were being coordinated out of servers hosted at 3FN.

According to botnet expert Joe Stewart, director of malware research at Atlanta-based SecureWorks, 3FN was home to a large number of command-and-control servers for the Cutwail spam botnet, one of the world's largest. As of last week, Stewart said he was tracking upwards of 400,000 spam zombies infected with Cutwail and sending spam. When I caught up with Stewart again on Monday, he said the number of Cutwail-infected PCs actively spamming was fluctuating between 120,000 and 150,000.

"Since so many of the Cutwail controllers [that were at 3FN] were taken down, we can assume that either the bots that were talking to the controllers there no longer have a controller and they're orphaned, or two, they have fallback control servers that are just getting overloaded at the moment," Stewart said.

As for whether the 3FN takedown had an impact on overall spam levels, it depends on whom you ask. Symantec's Dermot Harnett writes that a repeat of the spam volume decline observed following the closure of McColo in November 2008 is not expected in this case. Dmitri Alperovitch, vice president of threat research at McAfee, said the company is tracking record levels of spam at the moment.

Anti-spam experts at Spamhaus.org say the 3FN shutdown "caused an immediate precipitous collapse" in Cutwail spam. "However, as it was only one spambot of many, its collapse is not particularly apparent in total spamtrap flow."

Below you can see two graphics showing the decline in spam sent by Cutwail. Following that is a third graph that depicts Spamhaus's view of the total spam volume for the last week, which shows how the kneecapping of Cutwail is hardly noticeable amid the overall spam volume fluctuations.

cutwaildrop.JPG

cbltotal.JPG

Jose Nazario, a senior security researcher at Arbor Networks, published data today suggesting that spam actually went up dramatically on June 4, the day the FTC announced its action against 3FN. The following graphic shows the top 50 countries sending Arbor's spam traps messages, sorted by unique sending Internet address and subject.

arbor3fn.JPG

Meanwhile, a large number of Webmasters who had sites hosted at 3FN before its shutdown have been protesting the company's closure. This webmaster forum, Google translated from Russian into English, offers 40-plus pages of this discussion for anyone who cares to read it.

Also, in an order filed by U.S. District Judge Ronald Whyte, for the Northern District of California, the court notes that since issuing the temporary restraining order that shut down 3FN's hosting servers in San Jose, Calif., last week, "the court has received communications from third parties who were using the defendant's hosting services for the third parties' Web sites. These communications raise a significant concern that there may be a number of innocent third parties who are suffering harm as a result of the temporary restraining order."

Since our story ran, I've heard from a couple of readers who had sites hosted at 3FN. One of those is Suren Ter-Saakav, a Russian native who now lives in a suburb of Philadelphia. Ter-Saakav said his site www.denaq.com -- which sells batteries -- was among those that were knocked offline when the FTC shuttered 3FN.

"That site has been shut down and I have lost my client history and the history of orders," Ter-Saakav said, adding that he's concerned the FTC's action paints all Russian Webmasters in the same light. "Nobody mentioned that there were good Russian Webmasters there too."

The court has ordered (PDF) the FTC to file a proposal by close of business today that lays out a process for "expeditiously addressing concerns raised by third parties and minimizing any undue harm to innocent third parties." I will update this post with that proposal once it is filed.

Update, June 10, 11:34 a.m. ET: The FTC's proposed order is here. It calls on the court to appoint someone who can evaluate the claims of third parties whose data is stored on 3FN's servers, and "coordinate the release of copies of such data to third parties whose data does not appear to relate to the conduct prohibited by the court order that forced 3FN's Internet providers to pull the plug on the company.

By Brian Krebs  |  June 9, 2009; 3:08 PM ET
Categories:  Cyber Justice , Fraud , From the Bunker , U.S. Government  | Tags: 3fn, ftc takedown cutwail, pricewert  

Comments

Spamhosters usually use 3rd parties as human shields. It's unfortunate for them, but there's a reason the hosting was cheap.

Posted by: Stoatwarbler | June 10, 2009 6:15 PM

Stoatwarbler, I was a client of the hosting. I know prices. I have invoices. And what about you? Could you identify the source of "the hosting was cheap"?

Posted by: tersuren | June 11, 2009 1:18 AM

I have one site hosted on 3fn, and I can't say that their prices are low!
For example I can find same disc space, bandwidth, mysql database, bla bla bla etc with price $1 per month but 3fn cost me $5, and I really never have problems with them.
I know that many people (about 1k) like me who have "white" sites, now have big problems with their sites.
They spent a lot of money to the site promotion and now whole their work time and money = zero

I think in this case you did more bad than good.
Really, I am very disappointed.

Posted by: Serghei | June 11, 2009 12:56 PM

Brian, it seems you missed some aspects of the takedown. To be exact -
1. virtus.ua – Ukrainian institute of aesthetic medicine (now moved to another server BUT – more than 1 year work with content lost)
2. odessabuy.com – Odessa biggest internet shop (now moved to another server but all users profiles and orders lost)
3. intefra.od.ua - Odessa online company catalog
4. e-musictherapy.com - on line music shop of Dr. Sergei Shaboutin
5. energoholod.com.ua - Refrigerating machinery company
6. vetoasis.com.ua – online shop (all database lost)
7. filmarket.net - online dvd shop
8. automotomart.com – car site
9. 7729400.com – car site
10. 9263373.ru – car site
11. autoexport.ru – export car site
12. cointech.ru – car site
13. unerauto.ru – car site
14. ridesafely.ru – car site
15. ridesafelyspb.ru – car site
16. sto-avto.ru - about car export
17. aikiway.od.ua - Aikido club in Odessa
18. apriori.od.ua - Legal services
19. camry-vip.com.ua - auto rent
20. cosyapartments.net - realty rent in Odessa
21. energostar.com.ua - electric equipment company
22. eoc.kiev.ua - rack trading company (now moved to another server but without last database)
23. gromtochka.com.ua - rock band site
24. intefra.msk.ru - Moscow online company catalog
25. k-dog.org - dog training company
26. kiev-realty.net - Kiev online realty database
27. kursi-odessa.com - Odessa institute of professional technologies
28. lacartelacarte.com – Advertising agency “lacarte”
29. locman.com.ua - Legal services “Locman”
30. mastershik.com.ua - furniture shop
31. max-realty.org - online realty database
32. mirkrovli.com.ua – roof trading company
33. moneychanger.com.ua – online currency exchange system
34. omdinc.org – trading company
35. panaceya100.com - trading company
36. parallely.com – financial services company – stock broker
37. phantom.com.ua - Voltage stabilizer Trade mark
38. ppasvet.com.ua – Pishepromavtomatika Voltage stabilizer company
39. profitcon.com – stock broker (moved to another server but 90% of content lost)
40. rnblife.com.ua – rnb portal and online shop
41. rtgroup.com.ua - Wholesale trading company
42. seocron.com – seo tools site
43. sklad-obyvi.com.ua – Wholesale footwear shop
44. sklad-odessa.com - rack trading company
45. solaris-vip.od.ua – personal page
46. spto.com.ua – equipment trading company
47. steinal.com - rack trading company
48. strmet.com.ua - The forged products
49. sunny-paradise.com.ua - personal page
50. tibetphoto.com.ua - Personal tibet photo collection
.....
and so on. So far I've got 2945 such fallouts. Don't be shy. Say something for them.

Posted by: michandr | June 13, 2009 4:30 AM

Stoatwarbler: well said

tersuren: they've had $5 virtuals and they've spent a lot of $$ on advertising. No doubt they had a lot of small kosher clients, yes, like human shield.

Posted by: serge2 | June 13, 2009 1:02 PM

© 2010 The Washington Post Company