Kelihos botnet taken down by Microsoft

According to an article on the official Microsoft Blog, the Kelihos botnet, also known as Waledac 2.0, was taken down on September 27th, 2011 by Microsoft in an operation codenamed “Operation b79”.

Read the full story.

Botnet Rustock is no longer

As you may have read on several news sites, the Rustock botnet, one of the world’s most active spam-generating networks, is no more (R.I.P. ;-)) since last week, March 16th, 2011.

The Microsoft Digital Crimes Unit (DCU), together with other agencies and organisations such as the U.S. Marshals, started an operation under the name “Operation b107” to seize the C&C servers, which manage the infected zombie computers in the botnet, at multiple locations in the US, leaving the botnet decapitated.

The Rustock botnet was one of the major players on the internet when it came to spam and infected zombie computers. With an estimated count of approximately 1 million infected computers, it had the capacity to send out up to 30 billion spam messages per day, ranging from fake Microsoft lottery scams to offers for prescription drugs.

It was not Microsoft’s first attempt to take down a botnet. Earlier, in February 2010, Microsoft managed to get hold of more than 250 domains that were used by the Waledac botnet.


Read more about Rustock and the takedown:

Microsoft: Taking Down Botnets: Microsoft and the Rustock Botnet

Wall Street Journal: Spam Network Shut Down

FireEye: An overview of Rustock

Krebs On Security: Rustock Botnet Fed by U.S. Firms

Bredolab botnet taken down

According to the news site Softpedia, a 27-year-old man suspected of running the Bredolab botnet was arrested yesterday at Yerevan airport in Armenia.

Authorities believe he is the person responsible for creating and managing the Bredolab botnet, which was capable of sending out 3.5 billion spam messages per day. 143 Bredolab CnC servers (the servers that give instructions to the zombies in the botnet), hosted by a LeaseWeb reseller, have been taken down.

The people at FireEye are monitoring the botnet’s activity and can confirm that the CnC servers are offline, except for one CnC server located in Russia.


Whether this takedown will have an effect on spam levels will become clear over the following days.

Rustock is back online, spam levels rise again

UPDATE, Nov 27th: One of the new CnC servers, ‘’, was resolving to at LayeredTech. FireEye sent an abuse notification to LayeredTech when the CnC servers went online, and they have pulled the server.


Yesterday, Nov 24, 2008, I noticed a sudden rise in spam. When checking some samples I found that the ‘Canadian Pharmacy’ spam is back and that some new image-based spam campaigns have been launched.

But the ‘Canadian Pharmacy’ spam is what we should focus on. These campaigns are being sent by Rustock, so the conclusion is that these guys are back online and in business.

With subjects like Obama’s new plan, Food crisis in California or Bush’s last words they try to get their email opened to show the ‘Canadian Pharmacy’ advertisement. URLs like hxxp:// or hxxp:// redirect you to hxxp://, where the Canadian Pharmacy web site is hosted.

While looking for more information on whether Rustock is back, I found that FireEye has posted more details on their blog.

As expected, the bot admins learned from the McColo shutdown. They now simply change the DNS records of their command and control hostnames so that the bots can still reach a C&C server, wherever it is hosted.
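The defender-side counterpart of that trick is to keep polling the known C&C hostnames and alert when one that had gone dark resolves again, or when its address moves out of the depeered hoster’s netblock into a new one, which is how the FireEye observations above (a C&C name suddenly resolving at LayeredTech, a C&C moved from McColo to Russia) are made. The script below is an added example and is not MX Lab’s or FireEye’s code; the hostnames, addresses and the “depeered” netblock are constructed for illustration and the resolver answers are canned so it runs offline, while `live_resolver` shows the real system-resolver call you would plug in.

```python
"""Watch suspected C&C hostnames for revival or a move to a new hoster.

Added example, not MX Lab's or FireEye's code. All names, addresses and
netblocks here are constructed (hypothetical) for illustration.
"""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable

# Constructed watchlist of suspected C&C hostnames (hypothetical names).
WATCHLIST = ["cnc-a.example.invalid", "cnc-b.example.invalid", "cnc-c.example.invalid"]

# Constructed netblock standing in for the depeered hoster (hypothetical space).
DEPEERED_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Alert:
    host: str
    kind: str                          # "revived", "moved" or "died"
    old: set[str] = field(default_factory=set)
    new: set[str] = field(default_factory=set)
    outside_depeered_block: bool = False  # now answering from outside DEPEERED_NETBLOCKS


def live_resolver(host: str) -> set[str]:
    """Resolve with the system resolver; an unresolvable name yields an empty set."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return set()


def snapshot(hosts: list[str],
             resolve: Callable[[str], set[str]] = live_resolver) -> dict[str, set[str]]:
    """Record what every watched hostname currently resolves to."""
    return {h: resolve(h) for h in hosts}


def in_depeered_block(addr: str) -> bool:
    """True when the address belongs to the hoster that was cut off."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DEPEERED_NETBLOCKS)


def diff_snapshots(previous: dict[str, set[str]],
                   current: dict[str, set[str]]) -> list[Alert]:
    """Compare two polls and flag names that came back, moved, or disappeared."""
    alerts: list[Alert] = []
    for host in sorted(set(previous) | set(current)):
        old, new = previous.get(host, set()), current.get(host, set())
        if old == new:
            continue
        kind = "revived" if not old else "died" if not new else "moved"
        # A revived or moved name answering from a fresh netblock means the
        # operators have relocated the C&C rather than waiting for the old host.
        relocated = bool(new) and not any(in_depeered_block(a) for a in new)
        alerts.append(Alert(host, kind, old, new, relocated))
    return alerts


# Constructed answers standing in for two polls a day apart (hypothetical).
BEFORE = {
    "cnc-a.example.invalid": {"198.51.100.10"},  # still pointing at the depeered hoster
    "cnc-b.example.invalid": set(),               # NXDOMAIN at the time
    "cnc-c.example.invalid": {"198.51.100.20"},
}
AFTER = {
    "cnc-a.example.invalid": {"203.0.113.7"},     # repointed to a new hoster
    "cnc-b.example.invalid": {"203.0.113.8"},     # came back to life
    "cnc-c.example.invalid": {"198.51.100.20"},   # unchanged, no alert
}


def demo() -> list[Alert]:
    """Run the comparison over the canned polls instead of live DNS."""
    prev = snapshot(WATCHLIST, lambda h: BEFORE.get(h, set()))
    cur = snapshot(WATCHLIST, lambda h: AFTER.get(h, set()))
    return diff_snapshots(prev, cur)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.host}: {a.kind} {sorted(a.old)} -> {sorted(a.new)}"
              f"{' (new hoster)' if a.outside_depeered_block else ''}")
```

Replace the lambdas in `demo()` with `live_resolver` and persist the snapshot between runs to turn this into a cron job; the `outside_depeered_block` flag is what tells you an abuse report needs to go to a new provider rather than the one that was already cut off.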

The new Rustock spam campaign is already having an impact on spam levels. The image below is the graph for one of my domains; you can see the spam level drop when McColo was taken down. The red line is the global spam level.

We have a peak during the weekend, due to the absence of business emails, and a global spam level between 75% and 85% during the week. Yesterday we had a spam level of 89.4% and at the time of writing this article we are back at 93%. You can see the graph going up again after the re-activation of the Rustock C&C servers.

McColo up and down again, C&C servers to Russia

McColo, the ISP that was taken down because of its malicious activities, was back online for a brief period thanks to the Swedish ISP TeliaSonera AB, which has a router in San Jose. The peering was revoked after complaints to the abuse email address from security researchers at Sophos and security researcher Atif Mushtaq.

During this time the Rustock admins had enough time to update the Command And Control server from an IP at McColo to a new host in Russia.

With the takedown of McColo the drop in spam volumes worldwide is still continuing, but as we can see the botnet admins are getting things up and running again. It is my belief that sooner or later, perhaps sooner, the spam levels will rise again, and traditionally the end of the year is very attractive for spammers.

The botnet admins will learn a lesson from this and make their systems more redundant with fallback servers; we could even see systems where the centralised Command And Control server is replaced by a structure based more on P2P. Taking down the command centre will then become much more difficult.

Spam drops after McColo Corp taken offline

SMTP connections carrying spam have dropped by 50% at MX Lab since yesterday. At first we thought we faced a technical problem and all systems were checked to be sure, but there were simply fewer SMTP connections that contained spam. Today we still notice a very low spam volume.

Several news sites report that the San Jose, California based hosting firm McColo Corp. has been taken offline after its primary Internet providers severed its connection.

McColo’s clients included cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets. McColo hosted the command-and-control servers of the Rustock, Srizbi, Pushdo/Cutwail, Ozdok/Mega-D and Gheg botnets, as well as other systems that ran malware distribution points and criminal payment services. According to several sources, McColo could be responsible for approximately 75% of all spam traffic.

Security Fix has gathered data about McColo’s activities over the past four months and has handed critical information to the ISPs that provide McColo’s internet connectivity.

Hurricane Electric, one of McColo’s major Internet providers, shut down the connection to the hosting provider within the hour.

In September another U.S.-based hosting service, Intercage, also active under the name Atrivo and suspected of harbouring spammers, was shut down. Within three days the dip had disappeared as others stepped in, so it is expected that spam levels will return to their usual levels within the next few days.