(WEB HOST INDUSTRY REVIEW) — The takedown of the notorious web host McColo has offered only a short reprieve from spam, according to the latest botnet report from “Security as a Service” provider SecureWorks (www.secureworks.com), which has found that bots are once again at large.
According to the company’s report “Spam Botnets to Watch in 2009,” published last week, McColo’s collapse severely impacted two of the largest botnets, Rustock and Srizbi; however, botnets not relying on McColo “were suddenly sending much more spam.”
In mid-October, SecureWorks predicted that if McColo were shut down, worldwide spam would be cut in half. Just weeks later, the Washington Post’s Brian Krebs led an effort to force upstream ISPs to pull the plug on the suspected spam host, causing a drop in spam of up to 75 percent depending on the source.
The report’s author, SecureWorks malware research director Joe Stewart, notes that this short-lived relief from botnets demonstrated the tenuous link between botnet owners and spammers. Stewart explained that those actually sending the spam are simply relying on the services of criminals who rent the botnet to them.
“Most of the top botnets have easy-to-use HTML-based interfaces, so moving from one spam system to another is incredibly easy, and we believe there was a migration of spammers from the spam botnets that were down to systems that were still up,” Stewart reported.
While many expected these botnets to return to full operation, Rustock, whose bots were hard-coded to connect to McColo servers by IP address, had great difficulty returning to normal operation; Srizbi generally had the same problem, but it was also targeted by infosec companies, which have been actively interfering with the domain names used by the bots.
Another major blow to malware that Stewart mentioned was the quieting of the Storm botnet, which finally died on September 18, 2008 after two years of dominance. Botnet operators gave up on Storm after academics and professional botnet researchers discovered ways to disrupt the botnet, and Microsoft’s Malicious Software Removal Tool cut the number of infections by the hundreds of thousands.
Taking the place of many of these departed botnets are a number of botnets that are approaching their predecessors’ ability to disrupt and scam.
Cutwail, one of the few major botnets little affected by McColo’s takedown, increased its spam output shortly afterward, sending a wide variety of spam, including pharmaceuticals, replica watches, online casinos, phishing mule come-ons and malware. It has approximately 175,000 bots according to SecureWorks, approaching the 185,000 active-bot record set by Bobax (or Kraken), which was forced offline in December after becoming highly publicized in April 2008 and becoming the target of infosec companies.
Even though spam levels are down from this same time last year, the report notes, spammers and bot herders will continue to plague the Internet until those responsible face prosecution for their crimes. For the time being, however, many more institutions are picking up the fight and are actively attempting to counter the botnet threat, in one way or another.