Penis pill botnet awakens after McColo shutdown

One of the three botnets cut off by the shutdown of rogue ISP McColo is back in business. The Mega-D botnet is back on its feet and throwing off huge volumes of spam, net security firm Marshal8e6 reports. The botnet - best known for spamvertising adverts for penis pills - has been linked back to a network of compromised zombie …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Paris Hilton

    Penis Bot?

    Pump out the gunk?

    Fnarrr fnarrr

    Paris, oh please, I *really* don't need to explain that, do I?

  2. Paul Murphy

    hmm - let the chase begin anew.

    Hopefully ISPs will start to realise that taking on these people as clients doesn't pay in the long run.

    I can dream, can't I?

    ttfn

  3. Mark Grady

    Thank God!

    I thought my ISP had cut my email off ...

  4. Anomalous Cowherd Silver badge

    Am I missing something?

    As everyone seems to know the IP of the new C&C host, what's stopping ISPs from blackholing it?

  5. xjy
    Paris Hilton

    Terra firmer

    No firmer terror than these firms, I'd'a thought. Wish someone would tell the Homeland Security (snigger) folks that spam is funded by you-know-who so they'd take the bastards/freedom fighters out with tasers, gas and cluster (geddit?) bombs. Of course our collective dick would shrink, but the price of freedom is eternal detumescence.

    (Paris cos she likes firma things, likes to be taken out, but scratches her *** a bit over the detumescence thingy)

  6. Gordon Grant
    Flame

    spam :|

    Yeah, I did notice a fall, then a rise again. What's much more freaking annoying is that they are using my own ISP-based e-mail address, either directly or adding 1 or 2 characters to it, and sending it to me. I mean, I could send e-mail out on joebloggs@xxxxxxxxxxxxxxxx.xxxxxxxxxxxx.co.uk and it would be from me, but it's being sent from catchthismail@xxxxxxxxxxxxxxxx.xxxxxxxxxxxx.co.uk etc. to me. It's truly funny but annoying / depressing all the same. Thankfully I can report it, and I could always look back and see where many of the "originating" was done as well as where the "links" are hosted.

    I seem to remember seeing "cnc-noc" a lot.

    Flame icon, well, I have a just cause...

  7. Richard Kay
    Boffin

    3-level network

    I can confirm much of this article from my own weekly automated reports about SSH attacks and spam rejects. The number of spam rejects dropped suddenly to a quarter when the McColo net was taken down. But the number of IP addresses getting locked out for SSH brute-force password guesses trying to break into my Linux-hosted server quadrupled immediately afterwards. (If your logs show you have this problem, denyhosts is well worth installing.) It seems the botnets still under criminal control were being used to try to get more Linux servers under their control as level 2 C+C servers. Level 1 in their C+C network seems to be a few machines under long-term criminal control, presumably in a country where they can bribe the authorities to stay out of their way. Level 3 seems to be compromised Windows PCs, and level 2 are compromised Linux servers. This arrangement presumably allows for more plausible deniability as to the location, use and purpose of the level 1 servers.

    If you get spam from their network, it will be from a level 3 machine, likely to be located anywhere, as they are less likely to want to get their level 2 systems blacklisted.

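As an added illustration of the SSH lock-out logic the comment above describes (example code written for this page, not the commenter's reports or DenyHosts itself), the script below counts failed-password attempts per source IP over constructed sshd log lines and lists the addresses that cross an assumed threshold of three, in the `sshd: <ip>` form DenyHosts writes to /etc/hosts.deny.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd lines in auth.log shape; addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Nov 20 03:14:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Nov 20 03:14:03 host sshd[2101]: Failed password for root from 198.51.100.7 port 40123 ssh2
Nov 20 03:14:05 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Nov 20 03:14:09 host sshd[2105]: Failed password for invalid user oracle from 198.51.100.7 port 40131 ssh2
Nov 20 03:14:12 host sshd[2107]: Failed password for root from 198.51.100.7 port 40140 ssh2
Nov 20 03:15:40 host sshd[2110]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Nov 20 03:15:52 host sshd[2110]: Accepted password for alice from 203.0.113.9 port 51000 ssh2
Nov 20 03:20:00 host sshd[2120]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2
Nov 20 03:20:01 host sshd[2121]: Failed password for invalid user test from 192.0.2.44 port 33002 ssh2
Nov 20 03:20:02 host sshd[2122]: Failed password for invalid user test from 192.0.2.44 port 33003 ssh2
"""

# Matches both "Failed password for root from ..." and "Failed password for invalid user X from ...".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


def count_failures(log_text):
    """Map each source IP to a Counter of the usernames it failed to log in as."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # "Accepted password" lines never match and are not counted
            user, ip = m.groups()
            failures[ip][user] += 1
    return failures


def lockout_candidates(log_text, threshold=3):
    """(ip, total failures) pairs at or above the threshold (assumed default 3), worst first."""
    totals = [(ip, sum(c.values())) for ip, c in count_failures(log_text).items()]
    return sorted([t for t in totals if t[1] >= threshold], key=lambda t: (-t[1], t[0]))


def hosts_deny_lines(log_text, threshold=3):
    """TCP-wrappers style entries, the format DenyHosts appends to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip, _ in lockout_candidates(log_text, threshold)]


def weekly_report(log_text, threshold=3):
    """One summary line per offending IP, in the spirit of an automated weekly report."""
    failures = count_failures(log_text)
    return "\n".join(
        f"{ip}: {total} failed logins (users tried: {', '.join(sorted(failures[ip]))})"
        for ip, total in lockout_candidates(log_text, threshold)
    )


if __name__ == "__main__":
    print(weekly_report(SAMPLE_AUTH_LOG))
    print("\n".join(hosts_deny_lines(SAMPLE_AUTH_LOG)))
```

The threshold is deliberately low for the sample; on a real server it should be tuned against the false-positive risk of locking out a legitimate user who mistypes a password a few times.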

Biting the hand that feeds IT © 1998–2019