McColo

McColo was a US-based web hosting service provider that was, for a long time, the source of the majority of spam-sending activities for the entire world. In late 2008, the company was shut down by two upstream providers, Global Crossing and Hurricane Electric, because a significant amount of malware and botnets had been trafficking from the McColo servers.


History

McColo was formed by a 19-year-old Russian hacker and student named Nikolai. Nikolai's nickname was "Kolya McColo"; hence the name of the provider.


Malware traffic

At the time of termination of its upstream service on November 11, 2008, it was estimated that McColo customers were responsible for a substantial proportion of all email spam then flowing and subsequent reports claim a two-thirds or greater reduction in global spam volume. This reduction had been sustained for some period after the takedown. McColo was one of the leading players in the so-called "bulletproof hosting" market — ISPs that will allow servers to remain online regardless of complaints.

According to Ars Technica and other sources, upstream ISPs Global Crossing and Hurricane Electric terminated service when contacted by Brian Krebs and The Washington Post's Security Fix blog, but multiple reports had been published by organizations including SecureWorks, FireEye and ThreatExpert, all naming McColo as the host for much of the world's botnet traffic. According to Joe Stewart, director of malware research for SecureWorks, the Mega-D, Srizbi, Pushdo, Rustock and Warezov botnets all hosted their master servers at McColo; numerous complaints had been made but McColo simply moved offending servers and sites to different subnets. Spamhaus.org reportedly finds roughly 1.5 million computers infected with either Srizbi or Rustock sending spam in an average week.

Following the shutdown, details began to emerge of the ISP's other clients, which included distributors and vendors of child pornography and other criminal enterprises, including the Russian Business Network. McColo gained reconnection briefly on November 19, 2008 via a backup connection agreement common in the industry, but was rapidly shut down again. The McColo takedown especially affected Srizbi, one of the world's largest botnets, controlling 500,000 infected nodes as of November 2008.

Symantec's monthly state of spam report for April 2009 stated that spamming was now back to what it was before McColo was taken offline. Due to botnets being created and old ones being brought back online, it estimated that about 85 percent of all email traffic is spam. By November 2009 the IP space used by McColo was still largely unused, as much of it was unattractive to buyers due to being widely blacklisted.


See also

* Botnet
* Oleg Nikolaenko, whose arrest also reduced worldwide spam
* Rustock botnet, one of the largest spambots ever built
* Zombie (computer science)


External links


* Washington Post "Security Fix" blog

