Media Spotlight Scatters a Botnet Host

A Web host accused of playing a key role in the world’s spam and botnets has been largely yanked from the Internet.

Although ISPs routinely cut off access to sites and Web hosts accused of illegal or disruptive activity, what’s unique about this story is that a mainstream media outlet had a hand in bringing down McColo, the U.S.-based Web host in question.

While digging into the company, Brian Krebs at The Washington Post‘s Security Fix blog prompted two of McColo’s largest ISPs to effectively sever it from the Internet.

In his blog, Krebs wrote:

The badness attributed to McColo was not limited to spam. It included child pornography sites; sites that accepted payment for spam and child porn; rogue anti-virus Web sites; and a huge malicious software operation that apparently stole banking and credit card data from more than a half million people worldwide.

The company was also the subject of a report issued today by security researchers HostExploit. Following a two-year study, the report confirmed many of Krebs’ charges, including that McColo supported pharmaceutical and other kinds of spam, served as command centers for botnets, hosted illegal content and served malware and infected sites.

According to Krebs, McColo’s servers “help manage the distribution of the majority of the world’s junk e-mail.”

Even if that’s the case, the net effect of severing the major connections used by HostExploit — which still maintains a few tenuous links to the Net through other ISPs, HostExploit noted — may be hard to see.

Krebs’ claim hinges on findings like that by HostExploit, Kaspersky Labs and others, who have accused
McColo of not just malfeasance, but of playing a major part in the world’s spam epidemic. In its report, HostExploit’s analysts wrote that “it is clear that McColo has a key role in managing [the] world’s major botnets, and malware warehousing, which has been estimated as partially controlling 50 – 75 percent of the world’s spam.”

As a result, McColo’s alleged bad behavior represents only a portion of a portion of the causes of spam. And with the actual perpetrators — the parties responsible for controlling the botnet command servers that McColo hosted — still at large, and their botnets still intact (if uncoordinated at present,) it’s unclear how great an impact the news might have in even the short term.

The Web host’s site, McColo.com, was down as of press time. E-mails to the address listed in McColo’s WHOIS database entry were not returned.