News
Spam Wars: Where Are The Feds?
The FTC's HerbalKing operation grabbed a lot of headlines; the McColo takedown cut spam
By Robert McMillan, IDG News Service (San Francisco Bureau)
To keep things secret, the criminals hadn't registered these domains, but they had coded several hundred of them into their botnet software. But the researchers learned these domain names by looking at the botnet code to find out what the hacked computers would do when McColo went down. Shortly before the McColo network was knocked offline by Global Crossing and Hurricane Electric, researchers registered the hundreds of backup domains themselves.
When the botnets couldn't go to McColo's IP (Internet Protocol) space for instructions, they started looking for their backup domains, but these were controlled by security researchers. Now, disconnected from their control servers, and unable to connect to a backup, two of the Internet's worst botnets, Srizbi and Rustock, have been decapitated.
"There have got to be hundreds of thousands of bots out there that aren't phoning home right now" said Joe Stewart, a botnet expert with SecureWorks who has tracked the McColo situation.
These bots might well be disabled for good, provided McColo's computers do not get brought back online. But that's exactly what happened a week ago, when a reseller of Swedish ISP TeliaSonera reconnected McColo temporarily.
The mistake was quickly noted, and TeliaSonera quickly disconnected McColo. But security vendor FireEye reckons that the bad guys were able to regain control of thousands of botnet computers during this brief window of opportunity. When McColo went back on the Internet, its IP address space worked again and cybercriminals were able to send instructions to their botnet computers. They would not have been able to do this had the FBI been able to shut down McColo's San Jose, California, data center, as it did with Creative Internet.
Creative Internet was exceptionally brazen about its activities and that type of raid is unlikely to happen again, said Spamhaus' Cox. "You can't prove those sort of cases to a sufficient level to get it to a grand jury," he said. ISPs are almost always given a pass when this type of activity is discovered on their network because they can plausibly deny that they knew anything about it.
The FTC would like to change that, however. In April, the FTC asked Congress for changes to the FTC Act that would allow it to pursue those who aided and abetted in fraud, which would allow it to go targets such as bad actor ISPs who have helped fraudulent businesses.
Congress has already granted the FTC a similar authority to go after brokers who knowingly provide lists to telemarkerters, said Steven Wernikoff, a staff attorney with the FTC. "It's hard to see why people who facilitate fraud via the Internet should get a pass," he said.
HerbalKing
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Log Management in a Cyber World
- Implementing Best Practices for Web 2.0 Security
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
