whir blogs

The Spam Ecosystem - More Firsthand Experience

This week, I spoke to Scott Cutler of anti-spam and email security company AppRiver, a fact mentioned in my previous blog entry and alluded to by the repeated references to him in a feature posted this afternoon.

It was a very long and interesting interview, and it included a much broader discussion of the world of spam than could fit into a feature or the tail end of a blog posting on SSL certificates. I thought this might be a good place to expose a couple of interesting points from that interview that deserved to be seen but didn't make their way into either of the aforementioned items.

In particular, we discussed botnet technology and its effectiveness in foiling the efforts of both those who would block spam (such as AppRiver), and those who would identify the spammers themselves.

The effort to build botnets these days is so intense that virus writers build controls into their programs that scan a newly infected machine for the presence of competing viruses, and wipe them away before installing new malicious code.

The more interesting aspect of the botnets, however, is that they distribute the commands and controls in such a way as to make it impossible to trace the source of those commands.

(Admittedly, the nuts and bolts of this begin to get beyond me.)

According to Cutler:

"The risk for the botnet creators is that if I were to capture one of these PCs that was infected and look at the code, I would be able to decipher where those instructions were coming from, and I could go upstream from there and shut down the whole network.

But they have a cellular structure to them. So the actual bot on the PC, it can look upstream to a number of places that can give it the instructions as to the next spam it's going to send out. Let's say it's grabbing that from a Web site in some Web hosting company in China. And it's been reliably doing that for a few days. If the Web hosting company in China discovers that one of the servers in its network has been compromised by one of these botnet management [groups], and the hosting company discovers this and shuts the server down, the botnet is smart enough to go find another source in order to continue doing its work. And it constantly updates the places it can go look, but it doesn't have the whole variety.

So apparently, the way the structure is built is that you could grab any one, or any 10, of these PCs that are part of the wider botnet, but you could never find all of the PCs and you could never find all of the command and controls upstream from them. So trying to shut down one of these botnets is amazingly hard. They're extremely fault tolerant."

Interestingly, the gravity of the spammers' control over the botnet situation and the possibility of unraveling or reversing that scheme was revealed by what was supposed to be a breakthrough in fighting spam.

(Granted, this is sort of speculative, hearsay-type talk, but think of it as a folk tale if it helps you. It's illustrative of a more significant point.)

"I heard, and I don't remember where I heard it, there was a group of folks that was trying to unpack the botnet. And they were pretty excited about it. They thought they were going to figure it out. And when they peeled the onion back one more layer, they figured out that they weren't even close, and they're never going to be able to figure out how the botnet works.

And the group that had said that - this is a little while ago now - said the fact of the matter is, after our whole research project, we think the spammers are probably three to five years ahead of the anti-spammers.

And my personal view is that that's probably true."


  © Copyright Web Host Industry Review, Inc.