[funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd)

Kee Hinckley nazgul at somewhere.com
Wed Nov 12 17:30:45 UTC 2008


After reading this, and the (Washington Post I believe--I'm away from  
my laptop right now) article on this, two things are bothering me.

The article expressed a good deal of frustration with the (lack of)  
speed with which law enforcement has been tackling these issues. What  
wasn't clear was whether any attempt had been made to involve them  
prior to the shutdown. At the very least, it seems that this makes any  
prosecution more difficult. While it appears that folks did a great  
job of following the network connections, to nail the individuals  
involved you need to follow the money. Even worse, what if the FBI  
*was* investigating them already, and now their target has been shut  
down? Unless there was behind-the-scenes cooperation that hasn't been  
reported, someone (on either the technical or law enforcement side)  
was not behaving responsibly. This should have been a coordinated  
shutdown--simultaneously involving closing network connections and  
arresting individuals.

Secondly, aren't we still playing whack-a-mole here? The network  
controlled over a million compromised PCs. Those machines are still  
compromised. Since the individuals who controlled them are evidently  
still at large, I think it's safe to assume that the keys to those  
machines are still out there. If that's the case, then those machines  
will be up and spamming again inside of a week. The only thing that  
might delay that would be if the primary payment processors really  
were taken offline as well. I don't want to open the "counter-virus"  
can of worms. But how hard would it have been to identify the control  
sequences for those PCs and change them to random sequences? Shutting  
down a central control center is good news, but taking 1.5 million PCs  
permanently (at least until next infection) out of a botnet would be  
really impressive.

Maybe more information will prove me wrong, but right now this seems  
more like a lost opportunity than a great success. I was quite  
surprised to hear that so many operations were centralized in one  
place. I doubt that opportunity is going to come again.

Kee Hinckley
CEO/CTO Somewhere, Inc.