Inside Cyber Warfare - Jeffrey Carr [78]

between driving traffic to sites that contain DNS changer Trojans and maintaining rogue DNS servers. It also appears to maintain the foreign malicious IP addresses to which its victims are redirected when they attempt to access a site such as Google.

And, finally, in order to avoid what happened to Atrivo/Intercage when its plug got pulled, this company has a network of hundreds of proxy servers distributed across 15 networks in multiple nations.

Lesson learned.
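The DNS changer operation described above leaves two traces a defender can check for: hosts whose configured resolvers have been switched to servers the organization does not run, and answers from those resolvers that point well-known names at attacker-controlled addresses. The following Python check is an added example, not code from Carr's book or from any of the companies named in it; the approved resolver ranges, the per-host resolver configurations and the "reference" DNS answers are all constructed sample data (RFC 5737 documentation addresses), chosen to show one clean host, one host with a single rogue resolver added, and one host fully redirected.

```python
"""Spot DNS-changer activity from the victim side (added example, constructed data).

Two checks:
  1. find_rogue_resolvers: which hosts have a nameserver outside the approved ranges.
  2. find_redirected_answers: which names resolve, via the suspect resolver, to
     addresses that share nothing with the answer from a trusted resolver.
"""
import ipaddress

# Assumption: the organization runs its own recursors in these ranges. Anything
# else configured on an endpoint is suspect.
APPROVED_RESOLVERS = [
    ipaddress.ip_network("10.0.53.0/24"),
    ipaddress.ip_network("192.0.2.53/32"),
]

# Constructed inventory: hostname -> contents of that host's resolv.conf
# (or the equivalent export from a Windows network adapter).
SAMPLE_INVENTORY = {
    "ws-01": "nameserver 10.0.53.10\nnameserver 10.0.53.11\n",
    "ws-02": "# managed by dhcp\nnameserver 10.0.53.10\nnameserver 203.0.113.7\n",
    "ws-03": "nameserver 198.51.100.9\nsearch example.internal\n",
}

# Constructed answers: what ws-03's rogue resolver returned versus what a
# trusted resolver returns for the same names.
SAMPLE_OBSERVED = {
    "www.example.com": {"203.0.113.44"},
    "mail.example.com": {"192.0.2.20"},
}
SAMPLE_REFERENCE = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "mail.example.com": {"192.0.2.20"},
}


def parse_nameservers(text):
    """Return the IP addresses named on 'nameserver' lines, ignoring comments,
    other directives and unparseable addresses."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry; not a resolver we can check
    return servers


def is_approved(addr, approved=APPROVED_RESOLVERS):
    """True if addr falls inside one of the approved resolver ranges."""
    return any(addr in net for net in approved)


def find_rogue_resolvers(inventory, approved=APPROVED_RESOLVERS):
    """Map each host to the list of unapproved resolvers it is configured with.
    Hosts with only approved resolvers are omitted."""
    findings = {}
    for host, config in inventory.items():
        rogue = [str(a) for a in parse_nameservers(config) if not is_approved(a, approved)]
        if rogue:
            findings[host] = rogue
    return findings


def find_redirected_answers(observed, reference):
    """Names whose observed answer shares no address with the trusted answer.
    A partial overlap is treated as benign (CDNs legitimately rotate records)."""
    return sorted(
        name for name, ips in observed.items()
        if name in reference and not (set(ips) & set(reference[name]))
    )


if __name__ == "__main__":
    for host, rogue in find_rogue_resolvers(SAMPLE_INVENTORY).items():
        print(f"{host}: unapproved resolver(s) {', '.join(rogue)}")
    for name in find_redirected_answers(SAMPLE_OBSERVED, SAMPLE_REFERENCE):
        print(f"{name}: answer differs entirely from trusted resolver (possible redirection)")
```

The first check is the cheap one and is worth running from an endpoint-management inventory on a schedule; the second needs the suspect resolver queried deliberately (for example from the affected host) and is how the "foreign IP that www.google.com resolves to" in the text would actually be caught.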

McColo: Bulletproof Hosting for the World’s Largest Botnets


The McColo story is even more instructive for cyber-conflict policymakers than Atrivo/Intercage. It perfectly illustrates the key role that US-based businesses play in providing protected platforms for Russian organized crime enterprises that, in turn, are utilized as attack platforms by nonstate actors in nationalistic and religious actions.

McColo was formed by a 19-year-old Russian hacker and college student named Nikolai, aka Kolya McColo. Upon his death in a car accident in Moscow in September 2007, the company was taken over by his friend “Jux,” a “carder” (carders make their money in the underground market for stolen credit card data). The amount of money being made by McColo makes it likely that it attracted the attention of Russian mobsters, which puts an entirely new spin on the possible cause of Kolya McColo’s car accident.

The graphic in Figure 8-4, created by Brian Krebs, illustrates the extremely broad scope of McColo’s collection of botnets and bad hosts in terms of spam and cyber crime. The following is Krebs’s explanation of what the graphic depicts:

The upper right-hand section of the graphic highlights the numeric Internet addresses assigned to McColo that experts, such as Joe Stewart, the director of malware research for Atlanta-based SecureWorks, say were used by some of the most active and notorious spam-spewing botnets—agglomerations of millions of hacked PCs that were collectively responsible for sending more than 75 percent of the world’s spam on any given day (for that sourcing, see the colorful pie chart below, which is internet security firm Marshal.com’s current view of the share of spam attributed to the top botnets). In the upper left corner of the flow chart are dozens of fake pharmacy domains that were hosted by McColo.

Figure 8-5 shows an expanded view of the upper-right corner of this graphic, which lists the botnet command and control (C&C) servers hosted on networks provided by McColo. Those C&C servers controlled the world’s largest botnets, which collectively ran millions of infected hosts (individual computers infected by malware) and generated an estimated 75% of the world’s spam, according to TRACElabs, a division of the UK security firm Marshal.

Figure 8-4. McColo hosting of cyber bad actors

Figure 8-5. Botnet C&C servers hosted on McColo

When McColo was de-peered (i.e., dropped by its Internet backbone providers, Global Crossing, Hurricane Electric, and Telia), worldwide spam rates dropped by 67% overnight.

According to the FBI, US losses to Internet crime in 2008 amounted to $246.6 million. Since spam is the principal source of income for cyber criminals, McColo going offline represented a significant loss of revenue to criminal organizations, but it didn’t last long.

The authors of the botnets simply found other bandwidth resellers to take McColo’s place. In fact, the entire issue of unvetted bandwidth reselling represents a serious national security risk that must be addressed if nations want to begin to stem the tide of distributed denial of service (DDoS) attacks generated by botnets against their websites. This is particularly true for the US government.

Russian Organized Crime and the Kremlin


David Satter is a recognized authority on Russian organized crime, and I highly recommend his book Darkness at Dawn (Yale University Press).

Satter recently wrote an article on the suspected ties between Russian organized crime and the Russian police as seen in the rising unsolved murder rate of journalists in the Russian Federation
