Network News

X My Profile
View More Activity

A year later: A look back at McColo

A year ago today, the Internet community witnessed a remarkable event: The unplugging of McColo, a Web hosting facility in Northern California that for a long time controlled a majority of the spam-sending operations on the planet. McColo's two main Internet providers abruptly yanked the cord after Security Fix presented them with scads of evidence collected by security researchers tying massive amounts of spam and other illicit activity to McColo's network.

The outcome, of course, is now well known: The volume of spam sent worldwide tanked overnight, and remained at diminished levels for many weeks. All sorts of other badness diminished as well (more on that later). But since then, the sizable chunk of virtual real estate previously occupied by McColo has remained eerily quiet.


A review of more than 3,000 Internet addresses previously assigned to the hosting firm reveals an Internet ghost town, as if the entire neighborhood had been contaminated by some kind of toxic sludge that frightened off any potential future occupants.

And maybe it has. The Internet community typically shuns networks known to harbor spammers and organizations that host malicious software and other nastiness, usually by including their numeric Internet addresses on "blocklists." Many organizations configure their e-mail servers to reject messages from addresses included on one or more of these blocklists. A heavily blocklisted network quickly becomes unattractive to legitimate businesses, since any e-mail sent out of that network will most likely be refused by the intended recipients.

"The problem is once an address block gets so polluted and absorbed into all these blocklists, it's difficult to get off all of them because there is no central blocking authority," said Paul Ferguson, an advanced threat researcher at Trend Micro. "That space won't be toxic for all time to come, but certainly it is going to be tainted for whoever ends up with it."

Don Bertier, chief security officer at Savvis Inc., a networking and managed hosting provider, said it's not uncommon for a once-blighted block of Internet addresses to remain unoccupied long after the abuse that caused the listing has gone.

"What you'll find is some blacklists out there are derivatives of other lists, and it's hard to get those cleaned up," Bertier said, recalling a case last year in which a customer was given a swath of Internet addresses, only to find it was impossible to send e-mail from that space. "Typically in those cases, we'll work with the customers to get them new space and mark that allocation as something that really shouldn't be used for e-mail."

Then again, perhaps there are other, less scandalous reasons why McColo's main chunks of Internet space remain unoccupied. In any case, a scan of the space shows that none of the addresses are currently listed on any of more than 100 blocklists.

The dismantling of McColo wasn't without precedent. A year before McColo's collapse, the notorious St. Petersburg based Russian Business Network was scattered to the four winds when its upstream Internet providers backed away, following investigative reports in The Washington Post, Security Fix and other publications about a massive concentration of badness there.


In September 2008, a half dozen Internet providers one by one pulled out of another Northern California hosting firm named Atrivo (a.k.a. "Intercage"), after Security Fix and others publicized research into the company's colorful history as a malware-friendly hosting provider. Atrivo's exit from the Internet also caused a major -- albeit brief --- drop in spam rates. That event also kneecapped the Storm worm botnet, which was once responsible for sending 20 percent of the world's spam. Storm was never heard from again.

In June, legal efforts by the Federal Trade Commission resulted in the closure of 3FN/Pricewert, a hosting provider that the agency said hosted everything from botnet control servers to child pornography and rogue antivirus products. Spam rates, particularly from the Cutwail botnet -- which had a sizable number of its control servers at 3FN -- fell measurably as a result, but for nowhere near as long as with McColo.


Depending on who you ask, McColo's demise reduced the volume of spam by between 40 and 75 percent for several weeks (see the graphic at right for one view of that impact). By some accounts, spam levels did not return to their pre-McColo levels until five months after the hosting firm's demise.

Critics of targeting problematic ISPs and hosting providers say the tactic only forces the spam purveyors and botnet masters to make their operations more resilient, devious and distributed. As e-mail security vendor MessageLabs noted in its third-quarter 2009 report on spam trends, "botnet technology has evolved significantly since the end of 2008, and the most recent closures now have a seemingly limited impact on the botnet activity, with downtime and outages lasting for only a few hours, rather than weeks or months as before."

Indeed, McLess than 10 day's after McColo's shutdown, experts first spotted Conficker, one of the most aggressive and complex botnets ever devised, by most accounts. Conficker almost seemed built specifically to avoid putting all of its eggs into one basket, as many botmasters had in placing their control servers at McColo. Instead, it was designed to download itself from any one of 250 pseudo-random Web site names spread over five top-level domains. That strategy seems to have worked: Conficker has since infected some 7 million PCs, according to a recent count provided by, a nonprofit group that tracks botnet activity.

In the end, a more surgical approach to combating the different infrastructure points supporting massive spam botnets may prove to be the model for targeting spam operations going forward. Last week, Milpitas, Calif., based security firm FireEye took aim at the Mega-d/Ozdok botnet, once responsible for sending close to 30 percent of spam.

That effort involved working with domain registrars to take down all registered Web sites used to control the botnet, and working with ISPs to get those sites closed down. FireEye also cut Mega-d off from its fail-safe mechanism, by systematically registered dozens of domains that the botnet was configured to search out for new instructions should the existing control networks get shut down. At the end of that process, which FireEye says took about 24 hours, some quarter million PCs infected with Mega-d were no longer answering to the botmasters, but reporting to servers controlled by FireEye.


The result? So far, spam from the Mega-d botnet has ceased, according to M86 Security Labs, a company that tracks botnet activity (graphic at above left courtesy M86).

Circling back to McColo briefly, the impact from McColo's demise was felt far beyond anti-spam circles: According to Microsoft, it also brought a large drop in the success of phishing Web sites.

In addition, at least one fraud expert who works with a number of big name retailers said online retail fraud rates fell from around $250,000 per day to zero for a short time following McColo's takedown.

By Brian Krebs  |  November 11, 2009; 10:50 AM ET
Categories:  Cyber Justice , From the Bunker  | Tags: conficker, mccolo  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft plugs 15 holes in Windows, Office
Next: Brazilian Govt: Soot, not hackers, caused '07 blackouts


I suspect we may see some bots that are developed which will continue to function in an autopilot mode even when disconnected from the CnC servers. They might for example launch DOS attacks if they find the internet is reachable but that they cannot reach a CnC server.

Still the Mega-d takedown is a step forward, but the guys who write malware will find ways to harden their stuff even more I fear..

Posted by: jackrussell252521 | November 11, 2009 12:44 PM | Report abuse

and all the convictions and fines that we've had of these botmasters and spammers. isn't the internet and regulation by the users great! go get 'em industry!

Posted by: bnglfn | November 11, 2009 4:52 PM | Report abuse

1) @bnglfn: What is your point? Your post is incomprehensible to me.

2) Is it possible that malware masters war-
game their own programs, and are thus able to anticipate the 'shape' of the next counterattack against them by the forces of law, order, commerce, and internet integrity? And that anticipation helps them 'engineer' their next outflanking of the 'good guys?' Or, do they simply continue improving their 'product,' knowing that any single iteration will eventually become obsolete? If THIS is reads incoherently, I apologize to the more computer savvy readers ahead of time.

3)Trivia game stuff: after months of seeing it in print, it occurs to me--is 'conficker' named after the German 'f word?'

Posted by: featheredge99 | November 12, 2009 4:23 AM | Report abuse

I suppose it is likely that the malware makers do in fact try and anticipate the next move of the good guys, but it is sort of like a chess game and you can never be 100% sure.

I would venture a guess that after the takedown of Mega-D that the remaining botmasters are trying to come up with ways to prevent their own bots from being taken over.

Posted by: jackrussell252521 | November 12, 2009 4:43 PM | Report abuse

Brilliant. Who else would have thought of this? Of course I have my solution. But that solution implies cleaning up crime online in general.

Posted by: Rixstep | November 13, 2009 6:31 AM | Report abuse

Fascinating stuff. I had no idea that it was possbible to make meaningful inroads against botnets and worms. Also feels weird to know that the virtual world has ghettos just as does the real one.

Posted by: drdiem | November 13, 2009 11:06 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company