Two big, bad botnets gone, but replacements step up, says researcher
Srizbi, Storm dead, but Donbot and Xarvester add to spam resurgence
Computerworld - Although the shutdown of a California Web hosting company eradicated several prominent botnets last year, others have stepped up to fill the gaps, a security researcher said today.
Gone from the landscape are "Srizbi" and "Storm," said Joe Stewart, director of research at Atlanta-based SecureWorks Inc. He ranked the botnets as No. 1 and No. 5, respectively, in an April 2008 botnet census.
Srizbi and, to a lesser degree, "Rustock" were crippled two months ago when McColo Corp., a company that has long been hosting botnet command-and-control servers, was cut off from the Internet by its upstream providers after researchers accused it of harboring cybercrime activity. Stewart was one of the researchers who had beaten the McColo drum.
When McColo's connection to the Internet was severed, spam volumes immediately plunged as spammers were unable to use Srizbi or Rustock bots to send their junk mail.
But the relief was short-lived. "There was a time when the bot numbers were diminishing, and we made up some ground," acknowledged Stewart. Now, however, other botnets have come into prominence. Some of them were well-known before the McColo take-down, but had been relatively small, while others have come out of obscurity.
The result? "Spam isn't quite up to the pre-McColo level, but it's easily within the 80%-to-90% range," said Stewart, citing numbers consistent with other estimates. For example, Symantec Corp. estimated this month's spam level at 80% of that before the McColo shutdown.
Botnets have rebounded for several reasons, most notably because they're profitable, said Stewart, who recently repeated his census of April to come up with a new ranking of botnets.
"Cutwail," the biggest beneficiary of the demise of Srizbi, took the top spot in Stewart's revised chart. It boasts an estimated 175,000 compromised PCs, up from 125,000 in April. "Cutwail's spam output actually increased shortly after [McColo], so it probably picked up some customers from other botnets," said Stewart.
As he did last year, Stewart estimated the botnet sizes by first "fingerprinting" each botnet with their implementations of SMTP (Simple Mail Transfer Protocol). Then he took a one-day spam traffic sample from each bot to extrapolate a total number of infected PCs in each botnet.
Although Rustock was also hit by the McColo shutdown, it was able to recover when Srizbi could not. Currently in the No. 2 spot, Rustock controls approximately 130,000 computers, down from the 150,000 it "owned" last April.
Joining Cutwail and Rustock are a pair of new additions to Stewart's list. Until recently, both "Donbot" and "Xarvester" had been minor players in the spam-sending ecosystem. "We have noticed that some botnets picked up traffic significantly," said Stewart, who called out the two as botnets to monitor during 2009.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts