McColo

McColo was a San Jose, California-based web hosting service provider. In late 2008, the company was shut down by its two upstream providers, Global Crossing and Hurricane Electric, because a significant amount of malware and botnet command traffic had been flowing through McColo's servers.

History

McColo was formed by a 19-year-old Russian hacker and student named Nikolai. Nikolai's nickname was "Kolya McColo", hence the name of the provider.

Malware traffic

When its upstream service was terminated on November 11, 2008, McColo's customers were estimated to be responsible for a substantial proportion of all email spam then flowing, and subsequent reports claimed a reduction of two-thirds or more in global spam volume. This reduction was sustained for some period after the takedown. McColo was one of the leading players in the so-called "bulletproof hosting" market: ISPs that allow servers to remain online regardless of complaints.

According to Ars Technica and other sources, the upstream ISPs Global Crossing and Hurricane Electric terminated service when contacted by Brian Krebs and The Washington Post's Security Fix blog, but multiple reports had already been published by organisations including SecureWorks, FireEye and ThreatExpert, all naming McColo as the host for much of the world's botnet traffic. According to Joe Stewart, director of malware research for SecureWorks, the Mega-D, Srizbi, Pushdo, Rustock and Warezov botnets all hosted their master servers at McColo; numerous complaints had been made, but McColo simply moved the offending servers and sites to different subnets. Spamhaus.org reportedly finds roughly 1.5 million computers infected with either Srizbi or Rustock sending spam in an average week.

Following the shutdown, details began to emerge of the ISP's other clients, which included distributors and vendors of child pornography and other criminal enterprises, among them the notorious Russian Business Network.

McColo gained reconnection briefly on November 19, 2008 via a backup connection agreement common in the industry, but was rapidly shut down again.

The McColo takedown especially affected Srizbi, the world's largest botnet, with around 500,000 infected nodes as of November 2008. The botnet is reported to be capable of sending around 60 billion spam messages a day, which is more than half of the global total of 100 billion.

Symantec's monthly State of Spam report for April 2009 stated that spam volumes had returned to the level seen before McColo was taken offline. With new botnets being created and old ones being brought back online, it estimated that about 85 percent of all email traffic was spam.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.