Kelihos botnet taken down by Microsoft

According to a post on the official Microsoft Blog, the Kelihos botnet, also known as Waledac 2.0, was taken down on 27 September 2011 by Microsoft in an operation codenamed “Operation b79”.


ISP McColo down, what is the impact so far?

After the internet connections of the US ISP McColo were cut on 11 November 2008, spam levels dropped worldwide by between 50% and 75% according to some sources. Five botnets (Rustock, Srizbi, Pushdo/Cutwail, Ozdok/Mega-D and Gheg) were directly affected because their command and control servers were cut off from the infected machines. What is the impact of this takedown after a week?

At MX Lab we noticed a significant drop in the number of SMTP connections that carried spam. Our global spam level, normally around 90% on business days and more than 95% at weekends, dropped to approximately 75% shortly after the takedown of McColo.

During the first weekend the level went up again, because of the absence of legitimate business email, to more than 94% at the weekend and to around 80% to 83% on week days.

The graph above shows the global spam level versus the spam level for one of my domains. As you may notice, the spam level for that domain is always on the high side because it receives a lot of spam compared to business email.

More importantly, MX Lab noticed a global drop in SMTP connections from spam sources, just like every other email security provider. The SMTP connection graph normally shows a curve that rises and falls, with an occasional high burst depending on the spam campaign that is running.

When McColo was taken down we measured a 50% drop in SMTP connections. As you may notice, since 17 November the graph has been climbing slightly again, and today shows the third increase in a row.

As reported earlier, the Rustock botnet admins managed to move their command and control servers to Russia and push an update to their bots. Some sources claim that the uptime was too short to fully update the botnet in time.

FireEye Security detected that 450,000 compromised computers on different IP addresses have been trying to connect to the Srizbi command and control servers that were hosted by McColo until it disappeared. FireEye recommends that admins check their firewall logs for HTTP traffic towards those IP addresses. The company also posted instructions on how to remove the Srizbi rootkit.
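The firewall log check FireEye recommends can be scripted. The following is an added example, not FireEye's or MX Lab's tooling; the command and control addresses and the log lines are constructed placeholders (TEST-NET ranges, iptables-style format) because the real addresses are not preserved on this page. It also accepts CIDR ranges, so a whole hosting block can be watched rather than single hosts.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Placeholder C&C addresses/ranges (TEST-NET); substitute the addresses from the advisory.
CNC_RANGES = [ip_network(n) for n in ("192.0.2.10", "198.51.100.0/24")]

# Constructed iptables-style firewall log excerpt (outbound traffic from the LAN).
SAMPLE_LOG = """\
Nov 18 09:12:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=192.0.2.10 PROTO=TCP SPT=49211 DPT=80
Nov 18 09:12:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=93.184.216.34 PROTO=TCP SPT=49212 DPT=443
Nov 18 09:13:40 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=198.51.100.25 PROTO=TCP SPT=51000 DPT=80
Nov 18 09:15:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=192.0.2.10 PROTO=TCP SPT=49300 DPT=80
Nov 18 09:16:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.9.1 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)"
)


def is_cnc_address(dst, cnc_ranges=CNC_RANGES):
    """True when the destination falls inside any watched C&C host or range."""
    try:
        addr = ip_address(dst)
    except ValueError:  # malformed DST field, ignore the line
        return False
    return any(addr in net for net in cnc_ranges)


def find_cnc_contacts(log_text, cnc_ranges=CNC_RANGES, http_ports=(80, 8080)):
    """Map each internal host to the (C&C address, port) pairs it contacted over TCP/HTTP,
    with a hit count, so infected machines can be identified and cleaned."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        dport = int(m["dport"])
        if m["proto"] != "TCP" or dport not in http_ports:
            continue  # only HTTP-style check-ins are of interest here
        if not is_cnc_address(m["dst"], cnc_ranges):
            continue
        hits[m["src"]][(m["dst"], dport)] += 1
    return {src: dict(targets) for src, targets in hits.items()}


if __name__ == "__main__":
    for host, targets in sorted(find_cnc_contacts(SAMPLE_LOG).items()):
        print(host, targets)
```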

On the HostExploit website you can download PDF documentation on the McColo takedown and its brief connection.