Malware, mayhem, and the McColo takedown

The takedown of the McColo hosting service led to a gratifying, if temporary, decrease in spam this week -- but it could also portend a rise in malware infections.

As with the September takedown of Atrivo (nee Intercage), users around the net are currently enjoying the kind of respite from spam that comes when a major "evil ISP," as MessageLabs senior anti-spam technologist Matt Sergeant puts it, bites the dust.

McColo, which went offline after its upstream Internet providers decided to pull the plug, is believed to have been responsible for "command-and-control" functionality for botnets sending 65% of all spam. That number comes from Doug Bowers, senior director of anti-abuse engineering at Symantec, who acknowledges that spam traffic has been low since the takedown.

The hosting service is also believed to be the last of the giant "evil ISPs" located in the US, and though Sergeant says there's nothing necessarily keeping another American ISP from stepping into the breach, the likelihood is that the takedown will push spammers to international hosts.

"The aim," he told BetaNews, "in terms of global spam, is to increase costs for spammers. Despite making a lot of money, spammers have a low profit margin." Bowers adds that the US' robust infrastructure is most attractive for the kind of "services" McColo offered, but that inevitably such services will move elsewhere, perhaps to Eastern Europe.

Financial concerns might accomplish what law enforcement has not. The upstream providers have long been aware that something needed to be done, and they've been working with law enforcement, but Sergeant notes that law enforcement is "massively understaffed" where spam is concerned.

"Spam costs businesses millions if not billions each year; the economic cost of spam is about equal to that of illegal drugs. But there's little political impetus" to fix the junk-mail problem, he said.

The Internet's allegedly governing bodies haven't been any better at framing the problem and figuring out how to address it. ICANN has been, Sergeant says ruefully, "glacially slow" at clamping down on bad registrars, and though some security folk are rejoicing that ICANN will finally deliver on its death sentence for the notorious registrar EstDomains, that's mainly of interest as one more abuse vector to address, rather than as a strong measure to shut off the spam tap. (The end of EstDomains also hinges on a technicality concerning its ICANN contract, not on the fact that the Estonian firm offered an anonymous domain-name registration service much abused by spammers and their ilk.)

As for upstream providers, the decision to shut down a problem client's access usually means weighing the income the client pays against the embarrassment of associating with them. Beyond that, there's no particular upside in terms of traffic; spam is many bad things, but for the likes of the upstream providers, it's not a huge bandwidth hog.

A more ominous development, as Sergeant notes, is the potential for malware infections to evolve as a result of the takedown -- a thought that seems counterintuitive, perhaps, especially since the Atrivo takedown was credited with driving the final stake into the heart of the Storm Worm's botnet.

As McColo's various nefarious clients regroup over the next few days, the Net will likely see a botnet-by-botnet return of the most notorious offenders. (Sergeant says there's evidence that the Srizbi botnet may already have restarted; Bowers' team hasn't seen it yet, but "the next day or two" will be most interesting.) It's possible that as they re-establish themselves, they'll do so bearing fresher, more pernicious code.

Or at least, Bowers says, code of a different horror: "The takedown is likely to accelerate the trend toward peer-to-peer botnets, rather than the more centralized command-and-control structure [McColo's users employed]." In other words, enjoy the relative quiet in the wake of the giant takedown. We may not see its like again -- not because the spam's going away, but because the bad-guy dinosaurs might start making like mammals.
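To see why a shift to peer-to-peer command-and-control blunts the "pull the plug upstream" tactic that took McColo offline, here is a toy simulation added to this article (not code from BetaNews, MessageLabs or Symantec, and not based on any real botnet data). It models the centralized structure as a star of bots around one C&C host and the peer-to-peer structure as an overlay in which each bot keeps links to a handful of random peers, then measures how many bots a herder could still reach after a takedown. The bot counts, peer counts, seeds and host names are all made-up parameters chosen for the illustration.

```python
"""Toy model: a single-host C&C takedown versus a peer-to-peer overlay.
Hypothetical illustration added to the article; the numbers are not McColo data."""
import random
from collections import deque


def build_centralized(num_bots, cnc="cnc-host"):
    """Star topology: every bot talks only to one C&C host (the model McColo hosted)."""
    graph = {cnc: set()}
    for i in range(num_bots):
        bot = f"bot-{i}"
        graph[bot] = {cnc}
        graph[cnc].add(bot)
    return graph


def build_p2p(num_bots, peers_per_bot, seed=2008):
    """Peer-to-peer overlay: each bot keeps undirected links to a few random peers."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    bots = [f"bot-{i}" for i in range(num_bots)]
    graph = {bot: set() for bot in bots}
    for bot in bots:
        # sample one extra so a bot that draws itself still gets peers_per_bot links
        for peer in rng.sample(bots, peers_per_bot + 1):
            if peer != bot:
                graph[bot].add(peer)
                graph[peer].add(bot)
    return graph


def takedown(graph, victims):
    """Remove the hosts in `victims` and every link that pointed at them."""
    victims = set(victims)
    return {node: nbrs - victims for node, nbrs in graph.items() if node not in victims}


def largest_component(graph):
    """Size of the largest connected component, by BFS over the undirected graph."""
    seen, best = set(), 0
    for start in graph:
        if start in seen:
            continue
        queue, size = deque([start]), 0
        seen.add(start)
        while queue:
            node = queue.popleft()
            size += 1
            for nbr in graph[node]:
                if nbr not in seen:
                    seen.add(nbr)
                    queue.append(nbr)
        best = max(best, size)
    return best


def controllable_fraction(graph, victims, num_bots):
    """Fraction of the original bots a herder can still reach after `victims` go dark.
    Assumption: a command injected anywhere floods the whole component it lands in,
    so the largest surviving component is the herder's best case."""
    survivors = takedown(graph, victims)
    return largest_component(survivors) / num_bots


NUM_BOTS = 1000  # hypothetical botnet size


def centralized_after_takedown():
    """Upstream pulls the plug on the one C&C host: every bot is orphaned."""
    graph = build_centralized(NUM_BOTS)
    return controllable_fraction(graph, ["cnc-host"], NUM_BOTS)


def p2p_after_takedown(bots_lost=50):
    """Defenders knock out 5% of the peers; the rest still find each other."""
    graph = build_p2p(NUM_BOTS, peers_per_bot=8)
    victims = random.Random(1).sample(sorted(graph), bots_lost)
    return controllable_fraction(graph, victims, NUM_BOTS)


if __name__ == "__main__":
    print(f"centralized: {centralized_after_takedown():.3f} of bots still reachable")
    print(f"p2p:         {p2p_after_takedown():.3f} of bots still reachable")
```

In the centralized case the takedown of one host leaves each bot alone in a component of size one, so the herder can reach essentially nothing until new C&C is stood up (which is the quiet the article describes); in the peer-to-peer case, losing a comparable number of hosts removes only the victims themselves, and nearly every survivor stays in the giant component. That asymmetry is the whole incentive Bowers is pointing at.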
