Spam levels climb as criminals replace crippled botnets

Computerworld - Four weeks after spam levels plummeted when a rogue hosting company was yanked off the Internet, junk mail volumes are again up, a researcher said today.

According to IronPort Systems Inc., spam volumes have partially recovered since the Nov. 11 takedown of McColo Corp., the California hosting firm that was pulled off the Web by its upstream service providers after security researchers presented them with overwhelming evidence that it was harboring a wide range of criminal activity. Among McColo's clients: cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets in the world.

Yesterday, approximately 94.6 billion spam messages were sent worldwide, said IronPort, which estimated today's volume at 96.8 billion. Those numbers were 62% and 63%, respectively, of the 153 billion spam messages sent four weeks ago, the day McColo went offline.

Immediately after the takedown, spam levels dropped to 64.1 billion, just 42% of the pre-McColo volume.

Spam's resurgence comes courtesy of several botnets -- some well-known, some not -- that were largely unaffected by McColo's disappearance, said Joe Stewart, director of malware research at SecureWorks Inc.

First of all, reports that the "Srizbi" and "Rustock" botnets have been resurrected are "mostly untrue," said Joe Stewart. "These botnets are not monolithic, especially Srizbi, which is in the hands of a lot of people. Each has a couple of variants [of the bot Trojan], and maybe a few thousand bots. Some have regained control of their botnets, some have not."

In fact, Srizbi and Rustock -- which were the world's largest and third-largest botnets, respectively, before Nov. 11 -- have effectively faded into the background. "It's looking like these botnet spam providers have had their customers jump ship," said Stewart.

Other botnets have stepped up to take their place.

"Mega-D has come back to its original strength," Stewart said, referring to another botnet that had been controlled by McColo-hosted servers. "Cutwail is running strong, and so is Kraken. Botnets that weren't badly affected [by McColo going offline] seem to have picked up customers."

Other researchers have recently reported Mega-D's restoration. London-based Marshal8e6, for example, said yesterday that Mega-D's controllers have set up new command servers, re-established links with their compromised PCs and have resumed spamming.

The criminals who ran Srizbi and Rustock have had far less success, said SecureWorks' Stewart. "Everyone fully expected Srizbi to come back," he noted, although that's not happened. Srizbi's controllers were stymied for a while by FireEye Inc., which for a time was registering the domain names the bots would use to reconnect with new command servers. FireEye, however, was unable to finance the tactic indefinitely, and stopped.