A Closer Look at McColo

Yesterday, we published a story about Web hosting firm McColo being knocked offline after being accused by the computer security community of serving as a gateway to organizations engaged in spam activity.

In trying to get a sense of the activity attributed to McColo, I put together a flow chart, or mind map, showing McColo's relationship to various sites associated with botnet activity, spam, pharmacy domains, etc. I created the flow chart with the excellent and gratis FreeMind software. I've included a screen shot for those who don't have or want this software installed (click on the image to enlarge it).

For those who do have FreeMind installed, check out this file, which allows you to click any arrow in the graphic and view some of the source data for those citations. Others can view the source material at the end of this post.

The upper right-hand section of the graphic highlights the numeric Internet addresses assigned to McColo that experts, such as Joe Stewart, the director of malware research for Atlanta-based SecureWorks, say were used by some of the most active and notorious spam-spewing botnets -- agglomerations of millions of hacked PCs that were collectively responsible for sending more than 75 percent of the world's spam on any given day (for that sourcing, see the colorful pie chart below, which is Internet security firm Marshal.com's current view of the share of spam attributed to the top botnets -- again, click on it to enlarge). In the upper left corner of the flow chart are dozens of fake pharmacy domains that were hosted by McColo.

Bear in mind, this is by no means a comprehensive account of the sites and activity that experts say were funneled through this provider: I have redacted some of the data -- for example, the list of domains accused of hosting child pornography. Others, including additional domains allegedly offering fake anti-virus solutions, simply wouldn't fit on the map.

Additional Source Material:

Host Exploit: McColo Cyber Crime

Fireeye: Srizbi & Rustock

Fireeye: Rustock

SecureWorks: Mega-D

ThreatExpert: Pushdo/Cutwail

SecureWorks: Warezov

Matchent: Asprox

Security Fix: Virtual Heist Nets 500,000+ Bank, Credit Accounts

Dancho Danchev: Fake Security Software, Part 9

Dancho Danchev: A Diverse Portfolio of Fake Security Software - Part Eleven

Robtex: McColo Corp. Autonomous System Report

