Two big, bad botnets gone, but replacements step up, says researcher
Srizbi, Storm dead, but Donbot and Xarvester add to spam resurgence
Computerworld - Although the shutdown of a California Web hosting company eradicated several prominent botnets last year, others have stepped up to fill the gaps, a security researcher said today.
Gone from the landscape are "Srizbi" and "Storm," said Joe Stewart, director of research at Atlanta-based SecureWorks Inc. He ranked the botnets as No. 1 and No. 5, respectively, in an April 2008 botnet census.
Srizbi and, to a lesser degree, "Rustock" were crippled two months ago when McColo Corp., a company that has long been hosting botnet command-and-control servers, was cut off from the Internet by its upstream providers after researchers accused it of harboring cybercrime activity. Stewart was one of the researchers who had beaten the McColo drum.
When McColo's connection to the Internet was severed, spam volumes immediately plunged as spammers were unable to use Srizbi or Rustock bots to send their junk mail.
But the relief was short-lived. "There was a time when the bot numbers were diminishing, and we made up some ground," acknowledged Stewart. Now, however, other botnets have come into prominence. Some of them were well-known before the McColo take-down, but had been relatively small, while others have come out of obscurity.
The result? "Spam isn't quite up to the pre-McColo level, but it's easily within the 80%-to-90% range," said Stewart, citing numbers consistent with other estimates. For example, Symantec Corp. estimated this month's spam level at 80% of that before the McColo shutdown.
Botnets have rebounded for several reasons, most notably because they're profitable, said Stewart, who recently repeated his census of April to come up with a new ranking of botnets.
"Cutwail," the biggest beneficiary of the demise of Srizbi, took the top spot in Stewart's revised chart. It boasts an estimated 175,000 compromised PCs, up from 125,000 in April. "Cutwail's spam output actually increased shortly after [McColo], so it probably picked up some customers from other botnets," said Stewart.
As he did last year, Stewart estimated the botnet sizes by first "fingerprinting" each botnet with their implementations of SMTP (Simple Mail Transfer Protocol). Then he took a one-day spam traffic sample from each bot to extrapolate a total number of infected PCs in each botnet.
Although Rustock was also hit by the McColo shutdown, it was able to recover when Srizbi could not. Currently in the No. 2 spot, Rustock controls approximately 130,000 computers, down from the 150,000 it "owned" last April.
Joining Cutwail and Rustock are a pair of new additions to Stewart's list. Until recently, both "Donbot" and "Xarvester" had been minor players in the spam-sending ecosystem. "We have noticed that some botnets picked up traffic significantly," said Stewart, who called out the two as botnets to monitor during 2009.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts