Recapping briefly… last weekend, we discovered the SetSlice 0-day in use both on some of the St Petersburg Iframers websites and on what I call the CoolWebSearch websites. By Monday, I was pleasantly surprised to find they’d been shut down. I figured that they’d made someone really grumpy.
It turns out that the grumpy ones were Spamhaus! Actually, I doubt they were really grumpy, because I doubt they take this stuff personally… but I digress… Spamhaus saw my warning about the CoolWebSearch sites using the SetSlice zero-day, and took the potentially original step of complaining to the ISP, variously known as EstHost or InHoster, and shockingly, EstHost/InHoster actually shut down those websites and a bunch of related websites immediately.
So why is this shocking? Isn’t that what ISPs are supposed to do? Well, yes, but CoolWebSearch has been serving up Windows Metafile exploits with impunity since January! 48 hours of SetSlice, and whap!… half their network is gone.
One of four things has happened. Either …
(1) The ISP has suddenly become more responsible. Kudos to them if they have, and perhaps this is a harbinger of better days ahead, or,
(2) The ISP decided it didn’t like the heat of being associated with a zero-day. In other words, it’s fine to serve up mouldy old exploits, but not zero-days, or,
(3) The ISP is simply scared of Spamhaus, or,
(4) All of the above.
Spamhaus has been under siege lately, and I think it would behoove us all to understand and remember that they have nipped a potentially huge problem right in the bud.
Folks, do what you can to support Spamhaus.