Malware Outlook: Stormy

Last fall saw the takedown of Atrivo/Intercage and McColo Hosting Solutions, two known hosts of botnets. Botnets are the most pervasive method being used today for sending spam campaigns. According to the whitepaper FireEye: Taking the Botnet Threat Seriously, “A botnet is comprised of a collection of machines that have been infiltrated by functionality that can be automated and controlled remotely by an attacker.

The attack traces its roots to automated Internet Relay Chat (IRC) agents known as bots (short for robots), easily available and easily deployed, and originally intended to extend and automate the management of IRC networks. The remote control capabilities of bots enable them to be leveraged in a coordinated manner to unleash attacks against networks, as well as targeted, stealthy attacks on specific servers via agents managed remotely from a command-and-control (C&C) center operated by one or more attackers (hence botnet).” Because a typical spam campaign includes millions of email messages, botnets are employed instead of conventional email servers. According to FireEye, 11 percent of the world’s computers are enmeshed in at least one botnet.

When McColo Hosting Solutions was disconnected in November, spam levels dropped significantly. Spamcop.net, a spam watchdog group, noted a decline from about 40 spam emails per second to around 10 per second. Trend Micro speculated that McColo was accountable for anywhere from 50 to 75 percent of all spam activity “on the planet”. As predicted by industry experts, however, it has been a short-lived victory; spam has returned to pre-takedown levels. “STORM is definitely still out there,” says Jamz Yaneza, threat research manager at Trend Micro, Inc. “It has been broken down in chunks. The disbandment wasn’t in my opinion the result of pressure on it but mainly because it is an old botnet. Now we are seeing the rise of a new type of botnet.” Yaneza comments that the techniques used in STORM (for example Fast-Flux and Double-Flux) have not gone away. “They have been borrowed by different kinds of botnets and the backend networks have been sold in the underground piece by piece,” he explains. “There is a whole criminal underground here. The bad guys even have incorporated tech support in terms of their botnets, and their phish kits. That surprised me and it’s also really scary. They have a whole software lifecycle.”

While McColo was located in San Jose, Calif., and offered “IT services for any customer, starting from individuals to large companies and corporations” and boasted of using “only certified equipment providers, such as Cisco, IBM, Intel, and Supermicro,” the company did not have a good reputation. “Webmasters have been complaining of abuse from McColo sites for years,” says Phillip Lin, director of marketing for FireEye, Inc. “McColo-hosted sites were caught harvesting email addresses from Web sites (to use in spam campaigns). McColo has been linked to Digital Infinity out of Russia.” Unfortunately, persistence and innovation are hallmarks of these messaging ne’er-do-wells. “Reports are that McColo recently changed business names again to ‘World of Hi-Tech Investments LLC’ out of Delaware,” reports Lin.

According to a Messaging Anti-Abuse Working Group (MAAWG) report issued last month, “The percentage of email identified as abusive has oscillated over the last year between 89 percent and 92 percent.” If spam volumes have rebounded, can the McColo takedown be considered a success? “I assume that some in U.S. law enforcement were a bit unhappy with the fact that the Washington Post broke the story, because they had wanted to take a slower watch-and-learn approach,” says Greg Shapiro, VP and chief technology officer for Sendmail, Inc. “Now others know that this is a possibility, and as a result will now spread out, and try to hide more. Former McColo clients are already taking steps to prevent themselves from being detected and centralized in a single IP like that again. So it was good, but in the long term it may hurt us. We just have to wait and see.”

Lin believes that removing McColo from the Internet should be seen in perspective as the first of many milestones to come that will be necessary to protect the Internet and its users. “Cutting McColo off has shown the world that it is possible (and productive) to fight back against Internet ‘bad actors’, those egregious entities that exist on the Internet only to facilitate cyber crime,” says Lin. “Also, FireEye’s subsequent takedown of the massive Srizbi botnet proved that disabling botnets is possible given the right technology and coordination among the Internet’s governing and operating bodies.”