Spam levels climb as criminals replace crippled botnets

Four weeks after spam levels plummeted when a rogue hosting company was yanked off the Internet, junk mail volumes are again up, a researcher said Tuesday.

According to IronPort Systems Inc., spam volumes have partially recovered since the Nov. 11 takedown of McColo Corp., the California hosting firm that was pulled off the Web by its upstream service providers after security researchers presented them with overwhelming evidence that it was harboring a wide range of criminal activity. Among McColo's clients: cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets in the world.

Monday, approximately 94.6 billion spam messages were sent worldwide, said IronPort, which estimated Tuesday's volume at 96.8 billion. Those numbers were 62% and 63%, respectively, of the 153 billion sent four weeks ago, the day McColo went offline.

Immediately after the takedown, spam levels dropped to 64.1 billion, just 42% of the pre-McColo volume.

Spam's resurgence comes courtesy of several botnets -- some well-known, some not -- that were largely unaffected by McColo's disappearance, said Joe Stewart, director of malware research at SecureWorks Inc.

First of all, reports that the "Srizbi" and "Rustock" botnets have been resurrected are "mostly untrue," said Joe Stewart. "These botnets are not monolithic, especially Srizbi, which is in the hands of a lot of people. Each has a couple of variants [of the bot Trojan], and maybe a few thousand bots. Some have regained control of their botnets, some have not."

In fact, Srizbi and Rustock -- which were the world's largest and third-largest botnets, respectively, before Nov. 11 -- have effectively faded into the background. "It's looking like these botnet spam providers have had their customers jump ship," said Stewart.

Other botnets have stepped up to take their place.

"'Mega-D' has come back to its original strength," Stewart said, referring to another botnet that had been controlled by McColo-hosted servers. "'Cutwail' is running strong, and so is 'Kraken.' Botnets that weren't badly affected [by McColo going offline] seem to have picked up customers."

Other researchers have recently reported Mega-D's restoration. London-based Marshal8e6, for example, said yesterday that Mega-D's controllers have set up new command servers, re-established links with their compromised PCs and have resumed spamming.

The criminals who ran Srizbi and Rustock have had far less success, said SecureWorks' Stewart. "Everyone fully expected Srizbi to come back," he noted, although that's not happened. Srizbi's controllers were stymied for a while by FireEye Inc., which for a time was registering the domain names the bots would use to reconnect with new command servers. FireEye, however, was unable to finance the tactic indefinitely, and stopped.

"We're seeing Srizbi bots that are asking for [routing] domain names that aren't registered to anyone," said Stewart. He was unable to explain why the hackers had walked away from their botnets, but speculated that it was a business decision.

"The longer they left it, the more the botnet diminished," he said, noting that botnets continually lose machines as PCs are cleaned of the malware or taken out of service and replaced by new systems. "They have to make a decision, is it worth it to regain control or just build a new botnet?"

In the meantime, once-smaller players have grown in size as spammers turned to new providers. "'Xarvester' is one," said Stewart, "that has seemed to pick up a lot of traffic. It's somewhere between Mega-D and Cutwail in size, so it's moved into the top three with at least 130,000 bots."

Xarvester and another botnet, which Stewart has dubbed "Gahg," are spamming some of the same types of messages that once came from bots controlled by Srizbi's and Rustock's herders, he added.

"There aren't any new botnets, not so far," Stewart continued. But he warned that the criminals responsible for Srizbi and Rustock could very well be working on new malware and spreading it on vulnerable PCs. "That could be one reason why they haven't restored the [downed] bots, they could be in development right now."


Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon