McColo was back online for about 12 hours last weekend, a week after it was disconnected. The spam-sending botnet that was controlled from servers hosted at McColo received new instructions during that window, and a large amount of data is reported to have been transferred to servers in Russia.
This appears to have been a backup plan that had been prepared earlier: the connectivity was supplied by TeliaSonera via a third-party reseller and had reportedly been available for use for at least several months. It was very likely brought online during the weekend in the hope that abuse desks would be slow to react and a quick disconnection could be avoided, but fortunately Telia responded very quickly once it was contacted about the issue.
Hostexploit has a very good summary, including an explanation about the way Telia became involved:
Security departments of many carriers, including Telia, make thorough checks as to the reputation of regular and long-term clients. However, bandwidth resales are often temporary, and it is assumed the reseller has checked on the reputation. Therefore, the bad guys take advantage of the bandwidth reselling, in this case Giglinx in LA. To add, these temporary contracts can also be quite old, and have never been used or been used infrequently.
This un-vetted bandwidth reselling would appear to be an "Achilles heel" for many of the larger carriers, allowing cyber criminal groups to get under the radar.
Because the connection was cut so quickly, it is likely that only a small fraction of the botnet was updated to point at the new command and control servers. So far, spam levels remain very low.
Thanks to projects like Hostexploit and the increasing media interest, it is becoming harder to host malware and botnet command and control servers. Besides temporarily reducing the amount of spam that is sent, this also forces cybercriminals to change hosts more often. Hopefully, everyone who has unknowingly provided resources for this will become more aware of the need to secure their systems and to actively block or prevent malicious traffic from leaving their network. That will eventually make the internet a better place.