Spam levels climb as criminals replace crippled botnets
Four weeks after McColo takedown, spam back to 63% of earlier volume
Computerworld - Four weeks after spam levels plummeted when a rogue hosting company was yanked off the Internet, junk mail volumes are again up, a researcher said today.
According to IronPort Systems Inc., spam volumes have partially recovered since the Nov. 11 takedown of McColo Corp., the California hosting firm that was pulled off the Web by its upstream service providers after security researchers presented them with overwhelming evidence that it was harboring a wide range of criminal activity. Among McColo's clients: cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets in the world.
Yesterday, approximately 94.6 billion spam messages were sent worldwide, said IronPort, which estimated today's volume at 96.8 billion. Those numbers were 62% and 63%, respectively, of the 153 billion spam messages sent four weeks ago, the day McColo went offline.
Immediately after the takedown, spam levels dropped to 64.1 billion, just 42% of the pre-McColo volume.
Spam's resurgence comes courtesy of several botnets -- some well-known, some not -- that were largely unaffected by McColo's disappearance, said Joe Stewart, director of malware research at SecureWorks Inc.
First of all, reports that the "Srizbi" and "Rustock" botnets have been resurrected are "mostly untrue," said Joe Stewart. "These botnets are not monolithic, especially Srizbi, which is in the hands of a lot of people. Each has a couple of variants [of the bot Trojan], and maybe a few thousand bots. Some have regained control of their botnets, some have not."
In fact, Srizbi and Rustock -- which were the world's largest and third-largest botnets, respectively, before Nov. 11 -- have effectively faded into the background. "It's looking like these botnet spam providers have had their customers jump ship," said Stewart.
Other botnets have stepped up to take their place.
"Mega-D has come back to its original strength," Stewart said, referring to another botnet that had been controlled by McColo-hosted servers. "Cutwail is running strong, and so is Kraken. Botnets that weren't badly affected [by McColo going offline] seem to have picked up customers."
Other researchers have recently reported Mega-D's restoration. London-based Marshal8e6, for example, said yesterday that Mega-D's controllers have set up new command servers, re-established links with their compromised PCs and have resumed spamming.
The criminals who ran Srizbi and Rustock have had far less success, said SecureWorks' Stewart. "Everyone fully expected Srizbi to come back," he noted, although that's not happened. Srizbi's controllers were stymied for a while by FireEye Inc., which for a time was registering the domain names the bots would use to reconnect with new command servers. FireEye, however, was unable to finance the tactic indefinitely, and stopped.
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts