RE: [gnso-ff-pdp-may08] Major Source of Internet Spam Yanked Offline
- To: fastflux@xxxxxxxx
- Subject: RE: [gnso-ff-pdp-may08] Major Source of Internet Spam Yanked Offline
- From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 12 Nov 2008 18:07:24 -0800
#Apparently 75% of worldwide spam has been shut down:
#
#http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html
#
#http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html?sid=ST2008111200662&s_pos=
We'll see how long that lasts. In fact, let me be optimistic for a
change and say that I hope we've just "permanently" lost 3/4ths of
the world's spam (but I won't argue with you if you tell me that
I'm being unduly optimistic, because I probably am, oh well).
I will also say that given the amount of badness allegedly associated with
that provider, I'd be highly surprised if there wasn't some sort of law
enforcement investigation focussed on that site (although that's just
speculative on my part). Of course, if there was any sort of investigation
underway, taking that site down probably negatively impacted that work.
#Note they did it without any policy recommendations in regards to Fast
#Flux, etc., by taking out one of the choke points, namely the hosting
#for the mother ship of the botnets.
At least one security researcher asserts that "in all the McColo based
Botnets, all the communication uses hard coded IPs." That design choice
may be part of the reason why, when McColo went down, we're seeing a
more sustained (rather than strictly momentary) effect. [see
blog.fireeye.com/research/2008/10/more-on-mccolo-and-rogues.html ]
But is Fast Flux completely out of the picture even for this item? No.
That same item also notes "What AntiVirus2009/XPAntiVirus is currently
using fast flux for is the download of the malicious binaries. For
instance [article continues]"
#It might be useful to get some input from those researchers or the
#ISPs, i.e. what data would have made their jobs easier to have
#detected the mother ship more quickly.
While this particular provider may just have hit the mainstream
media, its alleged role hasn't been news within the technical
security community.
For example:
-- http://www.secureworks.com/research/threats/warezov/
"In the past, Warezov has often had its C&C servers hosted by
Atrivo/Intercage. However with the recent shutdown of that service,
Warezov has switched to another hosting service well-known to malware
incident responders: McColo Corporation. Like Atrivo/Intercage, this
provider has something of a reputation for frequently hosting botnet
control servers. It's not the only one, but it is one of the most
popular in the Russian spam underground. Currently McColo hosts C&C
servers for some of the biggest botnets - Rustock, Srizbi,
Pushdo/Cutwail, Ozdok/Mega-D and Gheg all have part or all of their
master control servers hosted by McColo. When Atrivo was de-peered, the
world saw a brief drop in the output of spam. If McColo were ever to
suffer the same fate, worldwide spam output would probably be cut in
half (until each botnet operator found new hosting, which wouldn't be
long)."
Regards,
Joe
P.S. Oh yes, I should also mention that Thorsten Holz did a talk on
Fast-Flux Service Networks the last week of October; if you're
interested, slides are available. See:
http://honeyblog.org/junkyard/paper/08_ff_it-underground.pdf
Nice talk, including some cool graphs, and do I see a mention or
several of "our own" Jose Nazario? I think I do! :-)