November 25, 2008, 9:42 PM — On Oct. 14, the U.S. Federal Trade Commission, with help from the U.S. Federal Bureau of Investigation and New Zealand police, announced that it had shut down a vast international spam network known as HerbalKing.
It was a triumphant moment for the FTC, which said that the group had been linked to as much as a third of the junk e-mail on the Internet. In an interview with The New York Times, FTC Commissioner Jon Leibowitz was modest in his appraisal of the situation. "They were sending extraordinary amounts of spam," he said. "We are hoping at some level that this will help make a small dent in the amount of spam coming into consumers' in-boxes."
The FTC's HerbalKing operation grabbed a lot of headlines, but it didn't do much to reduce the amount of spam on the Internet, researchers say. Within a week, spam was as big of a problem as ever.
Instead, it took another operation, two weeks later, against the ISP (Internet service provider) McColo in San Jose, California, to really reduce the amount of spam. But although McColo appears to have been a playground for Internet criminals, no federal agency, not the FTC, not the FBI, not the Secret Service or the Department of Justice, was involved in shutting it down.
With McColo, Internet researchers and Washington Post reporter Brian Krebs essentially shamed ISPs Global Crossing and Hurricane Electric into dropping service for McColo, whose network had been associated with a range of illegal activity from hacked botnet computers to spam and even child pornography.
Unlike HerbalKing, the results after McColo's takedown were dramatic. About half of the spam on the Internet disappeared.
Cisco Systems' IronPort division says that though there have been some brief spikes in activity, spam is still down significantly from where it was prior to the McColo takedown. McColo could not be reached for comment on this story.
But two weeks after McColo was dropped by its network providers, the company's data center remains untouched. That frustrates some security researchers who say that the servers used to control these operations could provide a treasure trove of evidence about cybercriminals.
"It doesn't surprise me, although it does disappoint me," said Richard Cox, CIO with the antispam group Spamhaus. Cox, who works with law enforcement on spam cases, says that while federal investigators may understand how an operation like McColo works, getting their bosses to agree to take action can be difficult. "The people in the trenches are being directed by people who think they're politicians," he said.
McColo was on the federal government's radar, as are dozens of other service providers worldwide that are known providers of so-called bulletproof hosting services, which are never taken down, despite complaints, according to a source in a federal law enforcement agency who spoke on condition of anonymity because he was not authorized to speak to the press.
While researchers may feel they have a case against McColo, it's another thing entirely to convince a U.S. Department of Justice attorney to ask for a warrant to seize hundreds of servers, and even harder to get a federal judge to authorize this. "There's a reason why we didn't just go and grab all the servers," he said. "If you want a warrant for hundreds of servers... that's very difficult."
The DOJ and the FBI declined to comment on McColo.
Another problem: The criminals associated with McColo are thought to live in Russia and eastern Europe, where computer crimes are rarely prosecuted. So a successful prosecution would require extradition and that could be very hard to pull off, observers say. "You take down McColo and what you've actually got is one hell of a load for the lawyers at the Department of Justice and very little return, because you've actually got to go outside of the U.S. to pick up the actual culprits," Cox said.
While there's no doubt that the activities associated with McColo are illegal under U.S. law, the idea that you could prosecute an ISP for abetting illegal activity is largely unproven, so any prosecutor that took on this case would be taking a big risk that the case would be tossed out of court.
There is at least one precedent however. On Feb. 14, 2004, the FBI shut down operations at a small Ohio ISP called Creative Internet Techniques in an event the FBI dubbed the Cyber Saint Valentine's Day Massacre. At the time, it was the largest FBI takedown in the organization's history. Nearly 300 servers were seized after Creative Internet, also known as FooNet, was linked to distributed denial of service attacks.
The reason why some security experts have called for a similar takedown at McColo has, in part, to do with the sneaky way that McColo's customers were disrupted. Researchers say that McColo computers weren't actually sending out spam, just running the command and control servers that marshalled an estimated half-million infected botnet computers. These infected machines would take their instructions from servers on McColo's network, but should those computers ever be knocked offline, they were given several other backup Internet domains to check for commands.
To keep things secret, the criminals hadn't registered these domains, but they had coded several hundred of them into their botnet software. But the researchers learned these domain names by looking at the botnet code to find out what the hacked computers would do when McColo went down. Shortly before the McColo network was knocked offline by Global Crossing and Hurricane Electric, researchers registered the hundreds of backup domains themselves.
When the botnets couldn't go to McColo's IP (Internet Protocol) space for instructions, they started looking for their backup domains, but these were controlled by security researchers. Now, disconnected from their control servers, and unable to connect to a backup, two of the Internet's worst botnets, Srizbi and Rustock, have been decapitated.
"There have got to be hundreds of thousands of bots out there that aren't phoning home right now" said Joe Stewart, a botnet expert with SecureWorks who has tracked the McColo situation.
These bots might well be disabled for good, provided McColo's computers do not get brought back online. But that's exactly what happened a week ago, when a reseller of Swedish ISP TeliaSonera reconnected McColo temporarily.
The mistake was quickly noted, and TeliaSonera quickly disconnected McColo. But security vendor FireEye reckons that the bad guys were able to regain control of thousands of botnet computers during this brief window of opportunity. When McColo went back on the Internet, its IP address space worked again and cybercriminals were able to send instructions to their botnet computers. They would not have been able to do this had the FBI been able to shut down McColo's San Jose, California, data center, as it did with Creative Internet.
Creative Internet was exceptionally brazen about its activities and that type of raid is unlikely to happen again, said Spamhaus' Cox. "You can't prove those sort of cases to a sufficient level to get it to a grand jury," he said. ISPs are almost always given a pass when this type of activity is discovered on their network because they can plausibly deny that they knew anything about it.
The FTC would like to change that, however. In April, the FTC asked Congress for changes to the FTC Act that would allow it to pursue those who aided and abetted in fraud, which would allow it to go targets such as bad actor ISPs who have helped fraudulent businesses.
Congress has already granted the FTC a similar authority to go after brokers who knowingly provide lists to telemarkerters, said Steven Wernikoff, a staff attorney with the FTC. "It's hard to see why people who facilitate fraud via the Internet should get a pass," he said.
The structure of cybercrime operations has morphed in recent years and will need to be prosecuted more like long-running Mafia investigations than one-off actions against individual spammers, observers say.
"Ultimately, the problem is that we're still in the process of building a mature cybercrime enforcement process," said Jon Praed, a founding partner of Internet Law Group, who has litigated against spammers on behalf of major companies such as Verizon Online and AOL. "Criminal prosecutions require a lot of resources and prosecutors are unlikely to go after someone unless they know they're going to get a conviction."
Praed would like to see the companies that are affected by spam work together to go after the criminals. He would like to see companies share information about bad actors and bring more civil actions against spammers and their enablers. If companies could keep cybercriminals from using legitimate businesses, they could change the fundamental economics of the spam industry, and make it too expensive for many players.
"All those bad guys need enabling services," he said. "They're not flying on the criminal airlines. They're buying their computers from reputable sources. They're using off-the-shelf business software, and they use credit cards and cell phones just like you and me. That means corporate America collectively holds a tremendous amount of information about the bad guys in its own hands....but it isn't using that information to stop this illegal activity."
He added, "Good companies are starting to realize they can reduce costs and attract customers by being more proactive against cybercrime."