[funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Via Security Fix.

[snip]

A U.S. based Web hosting firm that security experts say was responsible for
facilitating more than 75 percent of the junk e-mail blasted out each day
globally has been knocked offline following reports from Security Fix on
evidence gathered about criminal activity emanating from the network.

For the past four months, Security Fix has been gathering data from the
security industry about McColo Corp., a San Jose, Calif., based Web hosting
service whose client list experts say includes some of the most
disreputable cyber-criminal gangs in business today.

On Monday, Security Fix contacted the Internet providers that manage more
than 90 percent of the company's connection to the larger Internet, sending
them information about badness at McColo as documented by the security
industry.

[snip]

More:
http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html

Also, more details will become available real soon now...

- - ferg

Since 11/5, my spam load has dropped from about 400,000 attempts per day to less than 40,000! And most of this I had noted was coming from what looked like compromised web hosts (e.g. the same host/domain name representing 10 or 20 addresses in any given range). I am shocked at the sudden and dramatic downtick but also equally delighted! Way to go!
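The pattern the poster describes (one reverse-DNS name fronting a run of addresses in a single range) is easy to surface from an MTA's own reject log. The script below is an added example, not code from the thread or from any of its participants: it parses constructed Postfix-style rejection lines, groups rejected connections by /24 netblock, and flags any block in which one hostname covers several distinct source addresses. The log lines, hostnames and addresses are all made up for the example.

```python
"""Aggregate rejected-SMTP log lines by source /24 and by the sending host's
reverse-DNS name, to surface one hostname that resolves to many addresses
inside a single range (the pattern described in the post above)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in a Postfix-like reject format (not real traffic).
SAMPLE_LOG = """\
Nov  6 10:01:02 mx1 postfix/smtpd[1001]: NOQUEUE: reject: RCPT from hosting-node.example-host.test[203.0.113.10]: 554 5.7.1 Service unavailable
Nov  6 10:01:05 mx1 postfix/smtpd[1002]: NOQUEUE: reject: RCPT from hosting-node.example-host.test[203.0.113.11]: 554 5.7.1 Service unavailable
Nov  6 10:01:09 mx1 postfix/smtpd[1003]: NOQUEUE: reject: RCPT from hosting-node.example-host.test[203.0.113.12]: 554 5.7.1 Service unavailable
Nov  6 10:02:00 mx1 postfix/smtpd[1004]: NOQUEUE: reject: RCPT from hosting-node.example-host.test[203.0.113.13]: 554 5.7.1 Service unavailable
Nov  6 10:02:30 mx1 postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable
Nov  6 10:03:00 mx1 postfix/smtpd[1006]: NOQUEUE: reject: RCPT from dsl-7-8.isp.example[192.0.2.78]: 554 5.7.1 Service unavailable
"""

# Postfix writes the client as "hostname[ip]" after "RCPT from".
LINE_RE = re.compile(r"reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9.]+)\]")


def parse_rejects(log_text):
    """Yield (hostname, ip) pairs from lines that record an SMTP rejection."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("host"), m.group("ip")


def summarize(log_text, prefix_len=24):
    """Return {netblock: {"attempts": n, "addresses": set, "by_host": {host: set(ips)}}}."""
    blocks = defaultdict(lambda: {"attempts": 0, "addresses": set(), "by_host": defaultdict(set)})
    for host, ip in parse_rejects(log_text):
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        entry = blocks[net]
        entry["attempts"] += 1
        entry["addresses"].add(ip)
        entry["by_host"][host].add(ip)
    return blocks


def suspicious_blocks(log_text, min_addresses=3):
    """Netblocks where a single (non-"unknown") reverse-DNS name covers at
    least `min_addresses` distinct source IPs. Returns {netblock: (host, count)}."""
    flagged = {}
    for net, entry in summarize(log_text).items():
        for host, ips in entry["by_host"].items():
            if host != "unknown" and len(ips) >= min_addresses:
                flagged[net] = (host, len(ips))
    return flagged


def share_of_top_block(log_text):
    """Fraction of all rejections attributable to the single busiest netblock."""
    blocks = summarize(log_text)
    total = sum(e["attempts"] for e in blocks.values())
    if not total:
        return 0.0
    top = max(e["attempts"] for e in blocks.values())
    return top / total


if __name__ == "__main__":
    for net, (host, n) in suspicious_blocks(SAMPLE_LOG).items():
        print(f"{net}: {host} seen on {n} distinct addresses")
    print(f"top block share: {share_of_top_block(SAMPLE_LOG):.0%}")
```

Run it against a real `mail.log` by replacing `SAMPLE_LOG` with the file contents; the `/24` grouping is an assumption, and a lookup of the announcing ASN for each block would give the provider-level view the thread is discussing.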

Gadi Evron wrote:

After reading this, and the (Washington Post I believe--I'm away from my laptop right now) article on this, two things are bothering me.

The article expressed a good deal of frustration with the (lack of) speed with which law enforcement has been tackling these issues. What wasn't clear was whether any attempt had been made to involve them prior to the shutdown. At the very least, it seems that this makes any prosecution more difficult. While it appears that folks did a great job of following the network connections--to nail the individuals involved you need to follow the money. Even worse, what if the FBI *was* investigating them already, and now their target has been shut down? Unless there was behind-the-scenes cooperation that hasn't been reported, someone (on either the technical or law enforcement side) was not behaving responsibly. This should have been a coordinated shutdown--simultaneously involving closing network connections and arresting individuals.

Secondly, aren't we still playing whack-a-mole here? The network controlled over a million compromised PCs. Those machines are still compromised. Since the individuals who controlled them are evidently still at large, I think it's safe to assume that the keys to those machines are still out there. If that's the case, then those machines will be up and spamming again inside of a week. The only thing that might delay that would be if the primary payment processors really were taken offline as well. I don't want to open the "counter-virus" can of worms. But how hard would it have been to identify the control sequences for those PCs and change them to random sequences? Shutting down a central control center is good news, but taking 1.5 million PCs permanently (at least until next infection) out of a botnet would be really impressive.

Maybe more information will prove me wrong, but right now this seems more like a lost opportunity than a great success. I was quite surprised to hear that so many operations were centralized in one place. I doubt that opportunity is going to come again.

Kee Hinckley
CEO/CTO Somewhere, Inc.

The more we allow Gadi Evron to post the more this list turns into a
rehash of digg and reddit news aggregation web sites.

Don't assume what you don't know. :)

- - ferg

p.s. McColo's upstream providers are completely within their rights to
terminate connectivity if they feel that they have violated their
contractual terms of service.

We noticed a very sudden 50% reduction yesterday. Now to see how long it lasts...

I do know that the CA AG office ignores any complaints received from the Internet Crime Complaint Center (IC3), which bars many complaints state/local LE would have received from the public about McColo. Law enforcement (in the US, anyway), by nature, is 99% reactive and 1% proactive; no complaints to LE results in no response from LE. It's hard to tell if any local/state/federal agencies knew-about/were-investigating McColo (it was the same with Intercage), but the bigger question is: does it really matter? How many cops does it take to throw a community lynching?

-- Nick

Nicholas R. Newman
Computer Crimes Specialist
National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554

1-877-628-7674 x2244
nnewman@nw3c.org

None.
The question that remains is: Why is the community having to resort to lynching?

Following the metaphor and using the US "Old West" as an example,
lynchings were largely due to one of the following:

   * a lack of organized law enforcement
   * a lack of effective law enforcement
   * an outraged mob following the lead of a few with their own agenda
in the heat of some moment

I don't think the latter point applies (though some have argued it
very much does). The former two points though very much do IMO, and I
think this was the point Kee was making. To put it another way:

How can we as network operators help law enforcement become more
organized and effective such that lynchings are no longer needed?

I'm not convinced there's an adequate answer to that question given
the current structure of "the internet", and the nature of how things
work.
( I suppose there's room in there for an argument that community
lynchings are the most effective way to deal with the problems that
arise, though I don't think such is the case. )

After reading this, and the (Washington Post I believe--I'm away from my laptop right now) article on this, two things are bothering me.

The article expressed a good deal of frustration with the (lack of) speed with which law enforcement has been tackling these issues. What wasn't clear was whether any attempt had been made to involve them prior to the shutdown. At the very least, it seems that this makes any prosecution more difficult. While it appears that folks did a great job of following the network connections--to nail the individuals involved you need to follow the money. Even worse, what if the FBI *was* investigating them already, and now their target has been shut down? Unless there was behind-the-scenes cooperation that hasn't been reported, someone (on either the technical or law enforcement side) was not behaving responsibly. This should have been a coordinated shutdown--simultaneously involving closing network connections and arresting individuals.

Secondly, aren't we still playing whack-a-mole here? The network controlled over a million compromised PCs. Those machines are still compromised. Since the individuals who controlled them are evidently still at large, I think it's safe to assume that the keys to those machines are still out there. If that's the case, then those machines will be up and spamming again inside of a week. The only thing that might delay that would be if the primary payment processors really were taken offline as well. I don't want to open the "counter-virus" can of worms. But how hard would it have been to identify the control sequences for those PCs and change them to random sequences? Shutting down a central control center is good news, but taking 1.5 million PCs permanently (at least until next infection) out of a botnet would be really impressive.

Maybe more information will prove me wrong, but right now this seems more like a lost opportunity than a great success. I was quite surprised to hear that so many operations were centralized in one place. I doubt that opportunity is going to come again.

All your points sound valid to me, but I am already proved wrong that while I believed this to be a great precedent and a strategic move... it wouldn't happen again. It did... twice, since Atrivo, EstDomains (kinda) and now McColo.

Jason Ross wrote:

n3td3v wrote:

The more we allow Gadi Evron to post the more this list turns into a
rehash of digg and reddit news aggregation web sites.

Well, I'll just drop off the list so you can talk uninterrupted about Important Operational Matters like "who's got a freebie DSL connection for me in Inner Sweatsock, Mumbolia?"

I wonder how many of these "pseudo-anarchists" are bewailing the lack of
regulation in the financial markets, given the events of the past couple of
months? A certain amount of regulation and oversight is needed, both in the
financial world and on the Internet. I am all for seeing how little we can
get by with, but clearly, some is needed.

There's a common misconception of what LE does online (and when I say LE, I'm talking mostly state/local agencies): if you watch CSI or any other show that has anything to do with computer crimes, there is always a team of uber-geeks at every single agency (no matter how big it is) who spend 50% of their time online looking for phishing sites, CP sites, fraud sites and on and on. The real world isn't like that at all. For example, one state police agency we're familiar with has a team of *two guys* that do almost all of the computer forensics work for the *entire state*. Considering the caseload they have (if I remember correctly, a computer has a turn-around time of 6 months, a cell phone about a week; this is because every avenue a defense attorney is going to take has to be covered), there quite simply is not time to do anything proactive online (such as analyze spam to find out most of it is coming from a couple particularly nasty web hosting companies on the other side of the country). In most small agencies, the "computer forensics guy" is just the guy that knows more about computers than anyone else (read as, he figured out which port on the back of the computer was the USB port to hook up a new printer). A handful of agencies nationwide are fortunate enough to have a CSI-esque computer forensics unit, but most do not.

Let's compare these two scenarios:

1. The world-wide community of people who essentially run the Internet have had enough with a nasty webhosting company in California. They've determined that the majority of spam world-wide originates from this company offering bullet-proof hosting. So they call the upstream providers and get them cut off. NastySitesUnlimited tries to switch providers, but are disconnected again. And again. And again. A few days later, company files for bankruptcy because no one will give them an uplink to the 'net. Problem solved. End of story.

2. Some LE agency serves a search warrant for "any digital evidence" and collects hundreds of terabytes worth of data. 5 years later, after everything is processed (and during this time, things at Nasty Hosting Company have continued as normal, thanks to regular backups), charges are finally brought against some entity in the business, he gets thrown in jail for a few years and fined heavily, business gets renamed (VP takes over) and it's almost like nothing ever happened.

Which happened faster and was more effective?

On to the question about how network operators can help LE: *Collect the data that proves a company such as Intercage/McColo is harboring cybercriminals* and get with your local FBI/Secret Service field office (or your state's Attorney General's office) (or both) and submit a complaint at IC3's website (www.ic3.gov) because we have an excellent team of analysts that track information like that. Package up the evidence you have and send it out.

If we lived in a perfect world, there would be a third scenario:

3. The world-wide community of people who essentially run the Internet have had enough with a nasty webhosting company in California. So they gather an abundance of super-damning evidence and submit it to LE. LE starts an investigation with the outstanding leads provided in the package, and starts making arrests. The CEO and a few others at NastySitesUnlimited get sentenced and thrown in jail. Business at NastySitesUnlimited continues as usual until they are cut off from the Internet a few days later because no one will give them upstream service. It took a little bit longer, but the culprits are in jail and the business has been lynched.

Kee had an excellent question when he asked if anyone tried notifying LE, and the answer to that is probably not. It's hard to tell what would've happened if LE was involved (who knows, maybe SS or FBI were working on it). LE does care, it's just a matter of resources available. If you get the evidence together and in a manner that explains itself, it will get handled effectively (though probably not as fast as "Intercaging" a company).

-- Nick

Nicholas R. Newman
Computer Crimes Specialist
National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554

1-877-628-7674 x2244
nnewman@nw3c.org

Jason Ross wrote:

How many cops does it take to throw a community lynching?

None.
The question that remains is: Why is the community having to resort to lynching?

I think we're using the wrong metaphors here. A community lynching would be storming his datacenter and setting his servers on fire. That didn't happen.

A better metaphor would be a rowdy patron in an upscale bar attempting to deal drugs and being tossed out by the bouncer. Although dealing drugs is illegal, the people in the bar are more concerned about getting rid of the jerk than throwing his butt in jail (although that would be nice as well).

If law enforcement is busy with gang warfare in another part of town, their priority in responding to a rowdy in a bar is going to be low, especially if there's a bouncer who is capable of dealing with the problem.

On to the question about how network operators can help LE: *Collect the data that proves a company such as Intercage/McColo is harboring cybercriminals* and get with your local FBI/Secret Service field office (or your state's Attorney General's office) (or both) and submit a complaint at IC3's website (www.ic3.gov) because we have an excellent team of analysts that track information like that. Package up the evidence you have and send it out.
  
Excellent point. Something like the fine folks at http://hostexploit.com/ are doing.

I also believe SANS has some excellent courses on forensics, and things like chain of custody etc. Not sure how much that applies to these sort of scenarios but it can't hurt to package/handle the evidence in as compliant a manner as possible.
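Both Nick's advice to package up the evidence before sending it to LE and the chain-of-custody point above come down to one practical requirement: the recipient must be able to show the files were not altered after collection. The script below is an added example, not code from the thread or from NW3C, SANS or any participant. It builds a manifest of SHA-256 digests for an evidence package and keeps a hash-chained custody log; the file names, contents and collector identity are constructed for the example, and files are passed as in-memory bytes so it runs offline.

```python
"""Integrity manifest plus hash-chained custody log for an evidence package.
Files are passed as {name: bytes} so the example runs without touching disk."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence files (not real captures).
EVIDENCE = {
    "maillog-2008-11-06.txt": b"Nov  6 10:01:02 mx1 postfix/smtpd[1001]: NOQUEUE: reject: RCPT from hosting-node.example-host.test[203.0.113.10]\n",
    "dns-lookups.txt": b"hosting-node.example-host.test A 203.0.113.10\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files, collector, collected_at=None):
    """Record name, size and SHA-256 of every file, plus a digest over the
    sorted entries that serves as the package identifier."""
    when = collected_at or datetime.now(timezone.utc).isoformat()
    entries = [{"name": n, "size": len(b), "sha256": sha256_hex(b)}
               for n, b in sorted(files.items())]
    package_id = sha256_hex(json.dumps(entries, sort_keys=True).encode())
    return {"collector": collector, "collected_at": when,
            "files": entries, "package_id": package_id}


def verify_manifest(files, manifest):
    """Return a sorted list of problems: modified, missing or unlisted files."""
    problems = []
    listed = {e["name"]: e for e in manifest["files"]}
    for name, entry in listed.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif sha256_hex(files[name]) != entry["sha256"]:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in listed:
            problems.append(f"unlisted: {name}")
    return sorted(problems)


def append_custody(log, actor, action, package_id, at=None):
    """Append a custody entry whose hash also covers the previous entry's
    hash, so editing or dropping an earlier entry breaks the chain."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"actor": actor, "action": action, "package_id": package_id,
             "at": at or datetime.now(timezone.utc).isoformat(), "prev_hash": prev}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return log


def verify_custody(log):
    """True if every entry's hash matches its content and links to the prior entry."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, collector="abuse@example.net")
    log = append_custody([], "abuse@example.net", "collected", manifest["package_id"])
    append_custody(log, "abuse@example.net", "submitted via ic3.gov", manifest["package_id"])
    print(json.dumps(manifest, indent=2))
    print("manifest ok:", verify_manifest(EVIDENCE, manifest) == [])
    print("custody ok:", verify_custody(log))
```

Ship the manifest and custody log alongside the files; the recipient recomputes the digests with `verify_manifest` and checks the chain with `verify_custody`. This demonstrates integrity only, not authenticity: signing the manifest (for instance with the same PGP key used on the list) is what ties it to the collector.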

Let's compare these two scenarios:

1. The world-wide community of people who essentially run the Internet have
had enough with a nasty webhosting company in California. They've
determined that the majority of spam world-wide originates from this
company offering bullet-proof hosting. So they call the upstream providers
and get them cut off.

2. Some LE agency serves a search warrant for "any digital evidence" and
collects hundreds of terabytes worth of data. 5 years later....

These aren't mutually exclusive.

nw3c.org

Grr - those stupid DreamWeaver menus that only work in 66% of browsers.

Something to keep in mind. I don't believe it was McColo that was the end provider of "badware" per se (and I could be proven wrong), they simply played the enabling role by hosting it and looked the other way. Now don't get me wrong, they ought to be kicked offline for externalizing their costs on the rest of us, but what criminal charges could be filed here? I'm not a lawyer but the person actually committing the crime and a person who willingly provides tools to someone committing a crime are in completely different boats.

We could criminalize hosting malicious tools, but then what of nessus, nmap, wireshark and the host of security tools that are effectively "dual use"? Child porn being an obvious exception of course, but the point remains. Negligence is bad and perhaps there are criminal remedies that can be brought to bear (I'm not a lawyer, I don't play one on the intarwebs) but I would imagine they would be minor in comparison.

That said, of course this information should be turned over to law enforcement. It often is.

j

Charles Wyble wrote:

Personally, I haven't been to any SANS courses, but I have a few coworkers who have and have been nothing but impressed with their material. They have an incident response class that deals with packaging up material for LE (what's important and what's not-so-much, forensic "soundness", and chain-of-custody).

Nicholas R. Newman
Computer Crimes Specialist
National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554

1-877-628-7674 x2244
nnewman@nw3c.org

Law enforcement is almost a complete non-factor in dealing with
online abuse.

Action is erratic, slow and incompetent at best; it tends to only happen
when one of four things is true: (a) someone's running for office
(b) positive PR is needed (c) a government has been publicly embarrassed and
needs a scapegoat or (d) someone with sufficient political connections,
money, and/or power wants it. And even when it happens, it's ineffective:
for example, token prosecutions of spammers have done nothing to make
the spam problem any better. Multiple spyware vendors have settled
their cases for pitifully small sums and then gone right back to work.

But even if that weren't true, even if law enforcement worldwide had
adequate staff, resources, training, clue, etc. to attempt something
useful -- the necessary legal framework really doesn't exist. Abusers
can dissolve their shadow companies, form new ones, relocate (possibly
across international borders), modify their tactics, etc.

Peer-to-peer action continues to be the best available option -- one
that needs to be exercised far more often.

---Rsk

John Bambenek wrote:

Something to keep in mind. I don't believe it was McColo that was the
end provider of "badware" per se (and I could be proven wrong), they
simply played the enabling role by hosting it and looked the other way.
Now don't get me wrong, they ought to be kicked offline for
externalizing their costs on the rest of us, but what criminal charges
could be filed here?

Aiding and abetting and conspiracy come to mind at the very least.
Knowingly facilitating child porn should have quite a few possibilities too.

But they're really hard things to prosecute on the Internet, in the face
of the plausible deniability shields they work so carefully to erect.

That said, of course this information should be turned over to law
enforcement. It often is.

Don't assume it hasn't already. Previously. Repeatedly. And I don't
think the dust has quite settled yet.