[funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd)

Gadi Evron ge at linuxbox.org
Wed Nov 12 20:04:10 UTC 2008

On Wed, 12 Nov 2008, Kee Hinckley wrote:
> After reading this, and the (Washington Post I believe--I'm away from my 
> laptop right now) article on this, two things are bothering me.
> 
> The article expressed a good deal of frustration with the (lack of) speed 
> with which law enforcement has been tackling these issues. What wasn't clear 
> was whether any attempt had been made to involve them prior to the shutdown. 
> At the very least, it seems that this makes any prosecution more difficult. 
> While it appears that folks did a great job of following the network 
> connections--to nail the individuals involved you need to follow the money. 
> Even worse, what if the FBI *was* investigating them already, and now their 
> target has been shut down? Unless there was behind-the-scenes cooperation 
> that hasn't been reported, someone (on either the technical or law 
> enforcement side) was not behaving responsibly. This should have been a 
> coordinated shutdown--simultaneously involving closing network connections 
> and arresting individuals.
> 
> Secondly, aren't we still playing whack-a-mole here? The network controlled 
> over a million compromised PCs. Those machines are still compromised. Since 
> the individuals who controlled them are evidently still at large, I think 
> it's safe to assume that the keys to those machines are still out there. If 
> that's the case, then those machines will be up and spamming again inside of 
> a week. The only thing that might delay that would be if the primary payment 
> processors really were taken offline as well. I don't want to open the 
> "counter-virus" can of worms. But how hard would it have been to identify the 
> control sequences for those PCs and change them to random sequences? Shutting 
> down a central control center is good news, but taking 1.5 million PCs 
> permanently (at least until next infection) out of a botnet would be really 
> impressive.
> 
> Maybe more information will prove me wrong, but right now this seems more 
> like a lost opportunity than a great success. I was quite surprised to hear 
> that so many operations were centralized in one place. I doubt that 
> opportunity is going to come again.

All your points sound valid to me, but I have already been proved wrong: 
while I believed this to be a great precedent and a strategic move... it 
wouldn't happen again. It did... twice since Atrivo: Estdomains (kinda) 
and now McColo.

> Kee Hinckley
> CEO/CTO Somewhere, Inc.
