back to article Dead network provider arms Rustock botnet from the hereafter

McColo, a network provider that was yanked offline following reports it enabled more than half the world's spam, briefly returned from the dead over the weekend so it could hand-off command and control channels to a new source, security researchers said. The rogue network provider regained connectivity for about 12 hours on …


This topic is closed for new posts.
  1. Vulch
    Gates Horns


    Spam rejections jumped up on the work server at 23:00ish last (monday) night. Used to be two a second on average, dropped to 0.4 last week when McColo got cut off, crept back up to just under one over the week and jumped to 5 a second last night and up until lunchtime today when it dropped back to 3 again.

    Strangely the actual level of spam that gets through to real users has hardly changed over the week, it's stuff to the random non-existent usernames at our domains that dropped and came back.

  2. DrG


    CWIE Holding are the owners and operators of and the hosting company CaveCreek Hosting ( )

    Would like to know how they are related to this deal...

  3. Anonymous Coward
    Anonymous Coward


    We can't get the botnets to self-destruct. THAT would be a worthwhile goal. (*SIGH*) Maybe we can get them to only receive instructions from!

    Ah, wishful thinking!

  4. Ernest
    Paris Hilton


    DrG, if you read the article you will know. Paris because you made the same school boy/girl error she did

  5. Anonymous Coward

    15MB of data per second !!! FFS

    Are they with virgin or bt? Enquiring minds would like to know.

  6. Chris C


    That certainly does sound suspicious. Unfortunately, there probably wasn't enough research or investigation to file criminal charges against McColo's controllers. When they were cut off last Tuesday, one of my clients noticed just under a 50% drop in spam -- from an average of 81,500 per day down to 43,200 per day. I'm sure their aging mail server breathed a sigh of relief at the time.

    A number of years ago, after a particularly nasty worm began spreading like wildfire, a white/grey hat created a worm that went into people's systems and downloaded the patches to plug the hole that allowed the first worm in (I forget the name of the "good" worm, perhaps one of you could remind me). While I'm certainly not in favor of unauthorized access, maybe this isn't such a bad idea. If people still can't be bothered to patch old flaws, perhaps something like that is needed. Then again, when Microsoft waits 7 years to patch a hole...

    Of course, what would help even more is if these idiot high-speed ISPs didn't insist on users plugging their systems right into the network with no firewall. There should *ALWAYS* be a hardware box between your system and the modem. With dial-up modems, that wasn't possible (and quite frankly, not necessary). With cable/DSL modems, having a hardware firewall as a go-between is trivial. The question is, who will create a low-cost hardware firewall for your average consumer? Yes, cable/DSL routers do this for us, but there are still many people who plug right into the modem (using either a network cable or a USB cable). Until hardware firewalls become commonplace, we'll never get rid of botnets. No, I'm not suggesting that a hardware firewall will eliminate the problem, but it will certainly help prevent it. Eliminating unsolicited connection requests is definitely a good first step.

  7. Moss Icely Spaceport
    Thumb Down

    All your bots are belong to us

    Uploading at 15MB per second, hell I'd be happy get a 5MB download speed!

  8. Anonymous Coward
    Anonymous Coward


    I've been using ccbill for many years now, never had any problems.

  9. John Savard

    After Estonia, and Georgia

    Perhaps it would make sense to simply disconnect Russia from the Internet.

  10. JohnG

    Chris C - Firewalls not the big issue

    The snag is that having a firewall is not enough. Typically, most domestic firewalls allow users to connect outwards using any protocol. This allows a trojan both to send smtp mail and to collect instructions from the botnet masters by making regular connections to a server (e.g. an IRC server).

    Infection is also not affected by the presence of a firewall - typical vectors include malicious incoming emails and websites that host the trojans. In both cases, the user's system has initiated an outgoing connection.

    It might be useful if ISPs didn't allow users to connect with unpatched systems (other than to the sites that provide the patches) - but do the ISPs care more about SPAM or their earnings?

  11. Anonymous Coward
    Anonymous Coward

    Huh, that explains...

    It definitely explains why there was a massive spike (when compared to Wednesday - Friday) in spam on Saturday, which then suddenly dropped again.

  12. Piers

    If we know the IP the bots are connecting to... would be dead handy if someone like spamhaus had a list that ISPs could then block access to. Then the bots couldn't phone home. If only it could be that easy!

  13. Anonymous Coward
    Anonymous Coward

    At least we have an IP range to banish to the outer darkness

    Well at least we have another IP range to banish, well it wasn't up long enough to re-route all the bots.

    Bring on the whitehat worm :)

  14. Donovan Hill

    I remeber years ago...

    Chris C:

    I remember years ago when Shaw Cable claimed that people using hardware firewalls were stealing internet simply because they were using one IP for multiple pieces of hardware. If you wanted local filesharing or printer sharing their solution was to purchase more IP Addresses......

    I installed a hardware firewall.

  15. Mage Silver badge


    Quote: "There should *ALWAYS* be a hardware box between your system and the modem. With dial-up modems, that wasn't possible (and quite frankly, not necessary)."

    Yes there should.

    And it was very possible and needed on Dialup & ISDN. I ran Firewalls on many sites from 1995 to 2002 for dialup connections (analogue & ISDN). These usually provided a Proxy to share and autodial the connection. It also made rogue premium rate auto-diallers toothless as the actual PCs all used ethernet. on

  16. Anonymous Coward
    Anonymous Coward


    DrG asked how they are related -

    Giglinx resells IP Transit for CWIE.

    The IPs stay SWIPed to CWIE so that spam and abuse can be tracked and brought to their attention. (which was not done, in this case)

    CCBill has nothing to do with this situation.

This topic is closed for new posts.

Other stories you might like