McColo Takedown: Changes in International Spam Distribution and Asprox Botnet Activity
Posted by Ralf Iffert, John Kuhn, and Holly Stewart on November 25, 2008 at 8:47 AM EST.
Since the takedown of McColo, the California-based web hoster (see http://blog.washingtonpost.com/securityfix), we've noticed some significant changes in our spam and Asprox-related botnet activity.
From a spam perspective, everyone has noted the overall drop. After the Nov. 11th takedown, spam volume in our spam traps was down to around 25% of previous levels. More interesting, perhaps, is the marked change we noticed in the origins of spam (the country location of the spam bot, generally).
The United States has, for years, maintained a top spot in the spam origin list. Six days before the takedown, it was in the number one spot:

Six days after the takedown, spam production coming out of the US was reduced to a mere 14% of its original capacity. So, it wasn't a terrible surprise when the US finally lost its top spot on the list on this sixth day after the takedown:

We took a closer look at the impact on spam around the globe, and the McColo takedown had a significant effect on countries that you might not expect. For example, spam production coming out of Spain, India, Italy, Israel, and Turkey was reduced to less than 17% of its original capacity in each case. Other countries were also affected, albeit to a lesser extent, as shown in the graph below:

Other types of botnets also appear to be affected by the takedown. Our MSS operations team constantly monitors SQL Injection attack activity and has special algorithms that track Asprox-related activity, which has been, at least in part, supported by McColo. On Nov. 13, Asprox sources dropped to 16% of their previous level. By the end of that week, overall SQL Injection sources were down about 80% from previous weeks. However, by Nov. 18, Asprox activity had picked up to 45% of previous levels, and by Nov. 23 it was back to over 100% capacity. Interestingly enough, the overall number of SQL Injection attacks was essentially unaffected during this time and simply continued to climb.
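The paragraph above keeps two metrics apart: the number of distinct attacking sources, which fell sharply, and the number of attack events, which kept climbing. As an added illustration (not the authors' code or IBM ISS MSS tooling), the following Python computes both from a constructed log sample, expresses them relative to a pre-takedown baseline day, and also computes the per-country origin share used in the spam section earlier in the post. All record fields, IP addresses and counts are constructed; the Asprox attribution mentioned in the post depends on proprietary heuristics that are not modelled here.

```python
"""Added example, not from the original post: distinct sources versus
event volume per day, relative to a baseline day, plus origin share by
country. Every record below is constructed sample data."""
from collections import defaultdict

# Constructed records: (day, source_ip, country, kind), kind in {"spam", "sqli"}.
SAMPLE_LOG = [
    # Baseline day: four distinct SQLi sources producing five events.
    ("2008-11-05", "203.0.113.10", "US", "sqli"),
    ("2008-11-05", "203.0.113.10", "US", "sqli"),
    ("2008-11-05", "203.0.113.11", "US", "sqli"),
    ("2008-11-05", "198.51.100.7", "ES", "sqli"),
    ("2008-11-05", "198.51.100.8", "TR", "sqli"),
    # Baseline day: six spam messages, US-heavy origin mix.
    ("2008-11-05", "192.0.2.1", "US", "spam"),
    ("2008-11-05", "192.0.2.2", "US", "spam"),
    ("2008-11-05", "192.0.2.3", "US", "spam"),
    ("2008-11-05", "192.0.2.4", "US", "spam"),
    ("2008-11-05", "198.51.100.20", "ES", "spam"),
    ("2008-11-05", "198.51.100.30", "DE", "spam"),
    # Post-takedown day: one surviving SQLi source, but it fires more often.
    ("2008-11-13", "203.0.113.10", "US", "sqli"),
    ("2008-11-13", "203.0.113.10", "US", "sqli"),
    ("2008-11-13", "203.0.113.10", "US", "sqli"),
    ("2008-11-13", "203.0.113.10", "US", "sqli"),
    ("2008-11-13", "203.0.113.10", "US", "sqli"),
    ("2008-11-13", "203.0.113.10", "US", "sqli"),
    # Post-takedown day: spam volume down and origin mix shifted away from the US.
    ("2008-11-13", "192.0.2.1", "US", "spam"),
    ("2008-11-13", "198.51.100.30", "DE", "spam"),
    ("2008-11-13", "198.51.100.40", "BR", "spam"),
]


def activity_by_day(records, kind):
    """Return {day: (distinct_sources, events)} for records of one kind."""
    sources = defaultdict(set)
    events = defaultdict(int)
    for day, src, _country, k in records:
        if k != kind:
            continue
        sources[day].add(src)
        events[day] += 1
    return {d: (len(sources[d]), events[d]) for d in events}


def relative_to_baseline(per_day, baseline_day):
    """Express each day's (sources, events) as whole-percent of the baseline day."""
    base_src, base_ev = per_day[baseline_day]
    return {
        d: (round(100 * s / base_src), round(100 * e / base_ev))
        for d, (s, e) in per_day.items()
    }


def origin_share(records, kind, day):
    """Percent of one day's records of `kind` attributed to each country."""
    counts = defaultdict(int)
    for d, _src, country, k in records:
        if d == day and k == kind:
            counts[country] += 1
    total = sum(counts.values())
    return {c: round(100 * n / total) for c, n in counts.items()}


def divergence_alert(per_day, baseline_day, day, source_drop=50, event_floor=90):
    """Flag the pattern the post describes: sources fall to at most
    `source_drop` percent of baseline while events stay at or above
    `event_floor` percent. Thresholds are constructed, not from the post."""
    src_pct, ev_pct = relative_to_baseline(per_day, baseline_day)[day]
    return src_pct <= source_drop and ev_pct >= event_floor


if __name__ == "__main__":
    sqli = activity_by_day(SAMPLE_LOG, "sqli")
    print("SQLi per day:", sqli)
    print("relative to 2008-11-05:", relative_to_baseline(sqli, "2008-11-05"))
    print("divergence on 2008-11-13:", divergence_alert(sqli, "2008-11-05", "2008-11-13"))
    print("spam origin 2008-11-05:", origin_share(SAMPLE_LOG, "spam", "2008-11-05"))
    print("spam origin 2008-11-13:", origin_share(SAMPLE_LOG, "spam", "2008-11-13"))
```

Tracking the two series separately is the point: a dashboard that only counts events would have shown the SQL Injection volume still rising and missed the collapse in distinct sources that the post reports.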

From a SQL Injection standpoint, at least, any McColo-related activity appears to have recovered quite quickly. It remains to be seen how nimbly they can switch to alternative channels for spam, and we have to wonder whether we will see more shutdowns of ISPs that don't keep a close eye on their spam traffic.