Two big, bad botnets gone, but replacements step up, says researcher
Srizbi, Storm dead, but Donbot and Xarvester add to spam resurgence
Computerworld - Although the shutdown of a California Web hosting company eradicated several prominent botnets last year, others have stepped up to fill the gaps, a security researcher said today.
Gone from the landscape are "Srizbi" and "Storm," said Joe Stewart, director of research at Atlanta-based SecureWorks Inc. He ranked the botnets as No. 1 and No. 5, respectively, in an April 2008 botnet census.
Srizbi and, to a lesser degree, "Rustock" were crippled two months ago when McColo Corp., a company that has long been hosting botnet command-and-control servers, was cut off from the Internet by its upstream providers after researchers accused it of harboring cybercrime activity. Stewart was one of the researchers who had beaten the McColo drum.
When McColo's connection to the Internet was severed, spam volumes immediately plunged as spammers were unable to use Srizbi or Rustock bots to send their junk mail.
But the relief was short-lived. "There was a time when the bot numbers were diminishing, and we made up some ground," acknowledged Stewart. Now, however, other botnets have come into prominence. Some of them were well-known before the McColo take-down, but had been relatively small, while others have come out of obscurity.
The result? "Spam isn't quite up to the pre-McColo level, but it's easily within the 80%-to-90% range," said Stewart, citing numbers consistent with other estimates. For example, Symantec Corp. estimated this month's spam level at 80% of that before the McColo shutdown.
Botnets have rebounded for several reasons, most notably because they're profitable, said Stewart, who recently repeated his census of April to come up with a new ranking of botnets.
"Cutwail," the biggest beneficiary of the demise of Srizbi, took the top spot in Stewart's revised chart. It boasts an estimated 175,000 compromised PCs, up from 125,000 in April. "Cutwail's spam output actually increased shortly after [McColo], so it probably picked up some customers from other botnets," said Stewart.
As he did last year, Stewart estimated the botnet sizes by first "fingerprinting" each botnet with their implementations of SMTP (Simple Mail Transfer Protocol). Then he took a one-day spam traffic sample from each bot to extrapolate a total number of infected PCs in each botnet.
Although Rustock was also hit by the McColo shutdown, it was able to recover when Srizbi could not. Currently in the No. 2 spot, Rustock controls approximately 130,000 computers, down from the 150,000 it "owned" last April.
Joining Cutwail and Rustock are a pair of new additions to Stewart's list. Until recently, both "Donbot" and "Xarvester" had been minor players in the spam-sending ecosystem. "We have noticed that some botnets picked up traffic significantly," said Stewart, who called out the two as botnets to monitor during 2009.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!