Security researchers have had a number of victories to celebrate recently. First Atrivo and now McColo have been disconnected from the Internet. This was done not by law enforcement or other governmental action, but rather by the concerted efforts of the Internet community. The Internet is made up of privately owned networks that are voluntarily connected. The companies that were connected to Atrivo and McColo have severed those connections, removing the companies from the Internet.

Removing those two companies from the Internet has also removed large amounts of botnet and spam infrastructure. Several sources have reported seeing spam drop as much as 60-70% following McColo’s loss of connectivity. There was a similar, but smaller drop when Atrivo was taken offline. Of course, one of the reasons that the McColo disconnect reduced spam more than Atrivo, is that some of the spammers simply moved from Atrivo to McColo.

Back in October, my colleague Joe Stewart documented the Warezov botnet moving to McColo and also predicted (quite correctly as it turned out) that disconnecting McColo would reduce spam by one-half world wide. A number of other botnets, including Rustock, Srizbi, Pushdo and Ozdok had infrastructure hosted at McColo.

It’s clear that this infrastructure remains in place. Over the weekend McColo was able to temporarily find a new upstream provider. Thankfully, they were quickly shut down again. However, this did allow botnet C&C platforms in McColo to connect to their bots, updating software and rerouting the bots to new C&C servers located elsewhere. This has been seen to be happening with Srizbi, where researchers were able to register domains used as a fallback C&C mechanism.

Other botnets will also be relocating their C&C servers. While most, if not all, will just pop up in another datacenter, the growing trend of upstream providers disconnecting nefarious hosting companies is encouraging. So far these companies have been US based. We’re now seeing early evidence that bot-herders are moving their C&C servers overseas. The next question is: will the Internet community be able to put pressure on those companies and their upstream providers to prevent the bot-herders from finding a new safe haven?