Two big, bad botnets gone, but replacements step up, says researcher

Computerworld - Although the shutdown of a California Web hosting company eradicated several prominent botnets last year, others have stepped up to fill the gaps, a security researcher said today.

Gone from the landscape are "Srizbi" and "Storm," said Joe Stewart, director of research at Atlanta-based SecureWorks Inc. He ranked the botnets as No. 1 and No. 5, respectively, in an April 2008 botnet census.

Srizbi and, to a lesser degree, "Rustock" were crippled two months ago when McColo Corp., a company that has long been hosting botnet command-and-control servers, was cut off from the Internet by its upstream providers after researchers accused it of harboring cybercrime activity. Stewart was one of the researchers who had beaten the McColo drum.

When McColo's connection to the Internet was severed, spam volumes immediately plunged as spammers were unable to use Srizbi or Rustock bots to send their junk mail.

But the relief was short-lived. "There was a time when the bot numbers were diminishing, and we made up some ground," acknowledged Stewart. Now, however, other botnets have come into prominence. Some of them were well-known before the McColo take-down, but had been relatively small, while others have come out of obscurity.

The result? "Spam isn't quite up to the pre-McColo level, but it's easily within the 80%-to-90% range," said Stewart, citing numbers consistent with other estimates. For example, Symantec Corp. estimated this month's spam level at 80% of that before the McColo shutdown.

Botnets have rebounded for several reasons, most notably because they're profitable, said Stewart, who recently repeated his census of April to come up with a new ranking of botnets.

"Cutwail," the biggest beneficiary of the demise of Srizbi, took the top spot in Stewart's revised chart. It boasts an estimated 175,000 compromised PCs, up from 125,000 in April. "Cutwail's spam output actually increased shortly after [McColo], so it probably picked up some customers from other botnets," said Stewart.

As he did last year, Stewart estimated the botnet sizes by first "fingerprinting" each botnet with their implementations of SMTP (Simple Mail Transfer Protocol). Then he took a one-day spam traffic sample from each bot to extrapolate a total number of infected PCs in each botnet.

Although Rustock was also hit by the McColo shutdown, it was able to recover when Srizbi could not. Currently in the No. 2 spot, Rustock controls approximately 130,000 computers, down from the 150,000 it "owned" last April.

Joining Cutwail and Rustock are a pair of new additions to Stewart's list. Until recently, both "Donbot" and "Xarvester" had been minor players in the spam-sending ecosystem. "We have noticed that some botnets picked up traffic significantly," said Stewart, who called out the two as botnets to monitor during 2009.