Network News

X My Profile
View More Activity

So Much Spam From One Place? today published a follow-up story to the pieces we ran last week on the unplugging of a California Web hosting company and the subsequent worldwide drop in spam levels. Today's piece tries to answer the question we heard from so many readers: "How Can So Much Spam Come From One Place?"

Some of the less newsy but just as interesting stuff was cut from the piece for space and story flow reasons. One of those was a section on what security experts think the incident will mean for the evolution of botnet technology and its use by the bad guys:

Security experts worry that botnet creators will learn from the experience and make key changes to improve the security, stealth and resiliency of their herds. One of the largest and most advanced spam botnets ever designed, "Storm," was successful in large part due to its decentralized nature.

As the incident in my story demonstrates, botnets that have their control servers at a single hosting provider are at constant risk of being shut down, because that host or the host's Internet providers can always pull the plug. But Storm lacked this single point of failure in part because information relayed by the bot masters about new spam runs to execute or malicious software updates to install could be passed from one bot to the next, without the need for the bots to check in at a central server.

This type of peer-to-peer information sharing technology is not new, but it is still relatively rare to find in spam botnets. The development and public adoption of P2P technology first took off after the recording industry took on music swapping service Napster. Soon after legal pressure from the Recording Industry Association of America (RIAA) forced Napster offline in 2001, a host of P2P software titles and networks sprang up to fill the void, allowing users to share music, movies and files online without ever having to connect to a central server.

Then in January 2007, the Storm worm emerged and quickly became one of the largest botnets ever built, infecting millions of PCs almost overnight. The Storm worm used the "Overnet" protocol, a P2P communications medium that powered the popular Overnet and eDonkey music and file-trading networks.

In late 2006, the Web sites where users could download new copies of the file-trading software for both Overnet and eDonkey were forced offline, once again by RIAA. Yet, the Storm worm was able to continue using the Overnet communications language to pass new updates and communications among infected nodes, until its authors inexplicably allowed the botnet fizzle out in September.

Adam O'Donnell, director of emerging technologies at Cloudmark, an e-mail security company in San Francisco says the recording industry was directly responsible for the rapid evolution of P2P technology, and by extension the abuse of the technology by virus writers and spammers.

"The RIAA provided the evolutionary pressure for something that otherwise probably would have taken a lot longer to evolve," O'Donnell said. "If you want to see what the future of botnet command and control infrastructure is going to look like, it will probably be whatever the kids are using to trade music."

Vincent Weafer, director of development for Symantec Security Response, said the success of Storm, combined with so many criminal operations having been burned by the McColo takedown, strongly suggests botnets are going to continue adopting P2P technology.

"This incident will drive the botnet developers toward the continued use of peer-to-peer botnets, which are more resilient to any single point of failure," Weafer predicts.

By Brian Krebs  |  November 18, 2008; 5:11 PM ET
Categories:  Cyber Justice , Fraud , From the Bunker , Latest Warnings , Piracy , U.S. Government , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: 'Network Identity Theft' Politely Avenged
Next: Web Fraud 2.0: Faking Your Internet Address



Spam is not the only problem with Yahoo, if you happen to use them for e-mail. Virtually everything is a problem, and they take extraordinary liberties once they have you in their system. Here are some examples:
1. When I signed up with them, they managed somehow to invalidate all of my ID's to other e-mail services, so I could only sign in to Yahoo. I had to change ID's for e-mail, and all web-sites I depend on for information that require them and and passwords.

2. They installed a little messenger bot in my system that constantly reminded to "Verify your new Yahoo ID." I must have tried to do that 20 times with no success -finally, I figured out a way to destroy the little ba- bot.

3. They have no real customer service. If you have a problem, no matter how serious it may be, the best you get is an automated message from "Yedda," another idiot bot, telling you that an answer is forthcoming within 48 hours. The answer never comes.

4. I am now attempting to cancel out of Yahoo. This is a scary process, filled with all sorts of veiled threats, and takes 3 months to process.

This is a cheap and dirty operation from bottom to top. They try to throw you little bones to keep you happy, like emoticons on composed e-mail. Gee, when did they think of that?

My advice - stay away from Yahoo.
ML Smith
The Weekly Beat

Posted by: smthmort | November 19, 2008 10:40 AM | Report abuse

Is it worth reporting spam to the FTC and/or Spam Cop? Or is it better to just delete the stuff? Having to open spam messages in order to forward them makes me nervous, though I do use Firefox with Ad Blocker Plus and NoScript.

Posted by: Heron | November 19, 2008 11:20 AM | Report abuse


For the last week or so, your's are the only links that work for me in my Post emails.

Keep getting 'waiting for reply' with all the others while the screen browser (ie6)hangs. Any ideas?


Posted by: morrisj | November 19, 2008 2:44 PM | Report abuse

> Is it worth reporting spam to the FTC and/or Spam Cop?

SpamCop -> definitely, because it notifies the ISP at the source of the spam that the owner of that IP is infected with a spambot. Even if the owner of the network is unknown, SpamCop will still eventually add that IP address to a blacklist.

Posted by: moike | November 19, 2008 5:09 PM | Report abuse

Thank you, moike. Should I let SpamCop send a notice to each email address it harvests from the message headers? If not, how should I choose the addresses to which the notices will be sent? Finally (assuming you use the service), do you ever hear back from the ISPs?

Posted by: Heron | November 19, 2008 6:15 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company