So Much Spam From One Place?
Washingtonpost.com today published a follow-up story to the pieces we ran last week on the unplugging of a California Web hosting company and the subsequent worldwide drop in spam levels. Today's piece tries to answer the question we heard from so many readers: "How Can So Much Spam Come From One Place?"
Some of the less newsy but just as interesting stuff was cut from the piece for space and story flow reasons. One of those was a section on what security experts think the incident will mean for the evolution of botnet technology and its use by the bad guys:
Security experts worry that botnet creators will learn from the experience and make key changes to improve the security, stealth and resiliency of their herds. One of the largest and most advanced spam botnets ever designed, "Storm," was successful in large part due to its decentralized nature.
As the incident in my story demonstrates, botnets that have their control servers at a single hosting provider are at constant risk of being shut down, because that host or the host's Internet providers can always pull the plug. But Storm lacked this single point of failure in part because information relayed by the bot masters about new spam runs to execute or malicious software updates to install could be passed from one bot to the next, without the need for the bots to check in at a central server.
This type of peer-to-peer information sharing technology is not new, but it is still relatively rare to find in spam botnets. The development and public adoption of P2P technology first took off after the recording industry took on music swapping service Napster. Soon after legal pressure from the Recording Industry Association of America (RIAA) forced Napster offline in 2001, a host of P2P software titles and networks sprang up to fill the void, allowing users to share music, movies and files online without ever having to connect to a central server.
Then in January 2007, the Storm worm emerged and quickly became one of the largest botnets ever built, infecting millions of PCs almost overnight. The Storm worm used the "Overnet" protocol, a P2P communications medium that powered the popular Overnet and eDonkey music and file-trading networks.
In late 2006, the Web sites where users could download new copies of the file-trading software for both Overnet and eDonkey were forced offline, once again by RIAA. Yet, the Storm worm was able to continue using the Overnet communications language to pass new updates and communications among infected nodes, until its authors inexplicably allowed the botnet to fizzle out in September.
Adam O'Donnell, director of emerging technologies at Cloudmark, an e-mail security company in San Francisco, says the recording industry was directly responsible for the rapid evolution of P2P technology, and by extension the abuse of the technology by virus writers and spammers.
"The RIAA provided the evolutionary pressure for something that otherwise probably would have taken a lot longer to evolve," O'Donnell said. "If you want to see what the future of botnet command and control infrastructure is going to look like, it will probably be whatever the kids are using to trade music."
Vincent Weafer, director of development for Symantec Security Response, said the success of Storm, combined with so many criminal operations having been burned by the McColo takedown, strongly suggests botnets are going to continue adopting P2P technology.
"This incident will drive the botnet developers toward the continued use of peer-to-peer botnets, which are more resilient to any single point of failure," Weafer predicts.
November 18, 2008; 5:11 PM ET
Categories: Cyber Justice , Fraud , From the Bunker , Latest Warnings , Piracy , U.S. Government , Web Fraud 2.0