Spam levels climb as criminals replace crippled botnets
Four weeks after McColo takedown, spam back to 63% of earlier volume
Computerworld - Four weeks after spam levels plummeted when a rogue hosting company was yanked off the Internet, junk mail volumes are again up, a researcher said today.
According to IronPort Systems Inc., spam volumes have partially recovered since the Nov. 11 takedown of McColo Corp., the California hosting firm that was pulled off the Web by its upstream service providers after security researchers presented them with overwhelming evidence that it was harboring a wide range of criminal activity. Among McColo's clients: cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets in the world.
Yesterday, approximately 94.6 billion spam messages were sent worldwide, said IronPort, which estimated today's volume at 96.8 billion. Those numbers were 62% and 63%, respectively, of the 153 billion spam messages sent four weeks ago, the day McColo went offline.
Immediately after the takedown, spam levels dropped to 64.1 billion, just 42% of the pre-McColo volume.
Spam's resurgence comes courtesy of several botnets -- some well-known, some not -- that were largely unaffected by McColo's disappearance, said Joe Stewart, director of malware research at SecureWorks Inc.
First of all, reports that the "Srizbi" and "Rustock" botnets have been resurrected are "mostly untrue," said Joe Stewart. "These botnets are not monolithic, especially Srizbi, which is in the hands of a lot of people. Each has a couple of variants [of the bot Trojan], and maybe a few thousand bots. Some have regained control of their botnets, some have not."
In fact, Srizbi and Rustock -- which were the world's largest and third-largest botnets, respectively, before Nov. 11 -- have effectively faded into the background. "It's looking like these botnet spam providers have had their customers jump ship," said Stewart.
Other botnets have stepped up to take their place.
"Mega-D has come back to its original strength," Stewart said, referring to another botnet that had been controlled by McColo-hosted servers. "Cutwail is running strong, and so is Kraken. Botnets that weren't badly affected [by McColo going offline] seem to have picked up customers."
Other researchers have recently reported Mega-D's restoration. London-based Marshal8e6, for example, said yesterday that Mega-D's controllers have set up new command servers, re-established links with their compromised PCs and have resumed spamming.
The criminals who ran Srizbi and Rustock have had far less success, said SecureWorks' Stewart. "Everyone fully expected Srizbi to come back," he noted, although that's not happened. Srizbi's controllers were stymied for a while by FireEye Inc., which for a time was registering the domain names the bots would use to reconnect with new command servers. FireEye, however, was unable to finance the tactic indefinitely, and stopped.
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Malware and Vulnerabilities White Papers | Webcasts