Re: [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd)

• From: Gadi Evron
• Date: Wed Nov 12 15:04:20 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

After reading this, and the (Washington Post I believe--I'm away from my laptop right now) article on this, two things are bothering me.

The article expressed a good deal of frustration with the (lack of) speed with which law enforcement has been tackling these issues. What wasn't clear was whether any attempt had been made to involve them prior to the shutdown. At the very least, it seems that this makes any prosecution more difficult. While it appears that folks did a great job of following the network connections--to nail the individuals involved you need to follow the money. Even worse, what if the FBI *was* investigating them already, and now their target has been shut down? Unless there was behind-the-scenes cooperation that hasn't been reported, someone (on either the technical or law enforcement side) was not behaving responsibly. This should have been a coordinated shutdown--simultaneously involving closing network connections and arresting individuals.

Secondly, aren't we still playing whack-a-mole here? The network controlled over a million compromised PCs. Those machines are still compromised. Since the individuals who controlled them are evidently still at large, I think it's safe to assume that the keys to those machines are still out there. If that's the case, then those machines will be up and spamming again inside of a week. The only thing that might delay that would be if the primary payment processors really were taken offline as well. I don't want to open the "counter-virus" can of worms. But how hard would it have been to identify the control sequences for those PCs and change them to random sequences? Shutting down a central control center is good news, but taking 1.5 million PCs permanently (at least until next infection) out of a botnet would be really impressive.

Maybe more information will prove me wrong, but right now this seems more like a lost opportunity than a great success. I was quite surprised to hear that so many operations were centralized in one place. I doubt that opportunity is going to come again.

Kee Hinckley
CEO/CTO Somewhere, Inc.

• References:
  • [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd) Gadi Evron
  • Re: [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd) Kee Hinckley

• Prev by Date: Re: [funsec] McColo: Major Source of Online Scams and Spams KnockedOffline (fwd)
• Next by Date: Re: [funsec] McColo: Major Source of Online Scams and Spams KnockedOffline (fwd)
• Date Index
• Thread Index
• Author Index
• Historical