[funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd)
Gadi Evron
ge at linuxbox.org
Wed Nov 12 20:04:10 UTC 2008
On Wed, 12 Nov 2008, Kee Hinckley wrote:
> After reading this, and the (Washington Post I believe--I'm away from my
> laptop right now) article on this, two things are bothering me.
>
> The article expressed a good deal of frustration with the (lack of) speed
> with which law enforcement has been tackling these issues. What wasn't clear
> was whether any attempt had been made to involve them prior to the shutdown.
> At the very least, it seems that this makes any prosecution more difficult.
> While it appears that folks did a great job of following the network
> connections--to nail the individuals involved you need to follow the money.
> Even worse, what if the FBI *was* investigating them already, and now their
> target has been shut down? Unless there was behind-the-scenes cooperation
> that hasn't been reported, someone (on either the technical or law
> enforcement side) was not behaving responsibly. This should have been a
> coordinated shutdown--simultaneously involving closing network connections
> and arresting individuals.
>
> Secondly, aren't we still playing whack-a-mole here? The network controlled
> over a million compromised PCs. Those machines are still compromised. Since
> the individuals who controlled them are evidently still at large, I think
> it's safe to assume that the keys to those machines are still out there. If
> that's the case, then those machines will be up and spamming again inside of
> a week. The only thing that might delay that would be if the primary payment
> processors really were taken offline as well. I don't want to open the
> "counter-virus" can of worms. But how hard would it have been to identify the
> control sequences for those PCs and change them to random sequences? Shutting
> down a central control center is good news, but taking 1.5 million PCs
> permanently (at least until next infection) out of a botnet would be really
> impressive.
>
> Maybe more information will prove me wrong, but right now this seems more
> like a lost opportunity than a great success. I was quite surprised to hear
> that so many operations were centralized in one place. I doubt that
> opportunity is going to come again.
All your points sound valid to me, but I have already been proved wrong:
while I believed this to be a great precedent and a strategic move... it
wouldn't happen again. It did... twice since Atrivo: EstDomains (kinda)
and now McColo.
> Kee Hinckley
> CEO/CTO Somewhere, Inc.