
Meet the New Bots: Will We Get Fooled Again?

The close of 2008 sounded the death knell for some of the most notorious spam networks on the planet. But already several new breeds of spam botnets -- massive groups of hacked PCs used for spamming -- have risen from the ashes, employing a mix of old and new tricks to all but ensure a steady flow of spam into e-mail boxes everywhere for many months to come.

* In September, the shuttering of Northern California-based host Atrivo/Intercage was the final nail in the coffin for the Storm worm, widely considered one of the most ingenious spam botnets ever created.

* In November, the unplugging of Silicon Valley hosting provider McColo -- a network experts say absorbed many of the refugees from Atrivo's shutdown -- spelled the beginning of the end for "Srizbi," which was until recently considered the most massive spam botnet with an estimated 450,000 infected computers.

* In late December, the world saw what is likely to be the final spam run from Bobax, a botnet that once rivaled Srizbi in size and longevity, if not also in sophistication.

But according to noted botnet expert Joe Stewart, director of malware research for Atlanta-based SecureWorks, the demise of these networks has given rise to a new breed of botnets, and has helped to boost the ranking of a much lesser botnet to its present status as the world's largest collection of spam zombies.

More sophisticated botnets are harder for security experts and law enforcement to shut down, which generally translates to more spam and malicious software attacks landing in your inbox.

Stewart said the chief beneficiary of the McColo takedown was a botnet known as "Cutwail" (a.k.a. "Pushdo"), which according to Stewart now stands as the world's largest botnet, with some 175,000 sickened PCs in its thrall. Stewart said the Cutwail botnet is divvied up and rented out to many spammers, who can be seen sending a variety of spam, including pharmaceuticals, replica watches, online casinos, phishing scams and malicious software.

"Rustock," a sophisticated botnet that uses rootkit techniques to hide on host systems, also took a hit from the McColo shutdown. While this botnet hasn't yet recovered completely from that setback, Stewart estimates some 130,000 Microsoft Windows systems remain infected with this bot family.

Another prevalent bot, which SecureWorks is calling "Donbot," has claimed more than 125,000 PCs, Stewart said. It is popular among spammers sending junk e-mail for weight loss drugs, stock investment scams and debt settlement offers.

A botnet that is 60,000 PCs-strong, nicknamed "Xarvester" by anti-virus companies, appears also to have grown in size since the vacuum created by McColo's dismantling, Stewart said. In addition to the usual pharma spam, Xarvester is notable for sending lots of junk mail for fake diplomas, as well as Russian-language spam.

By virtue of its relative stealth and sophistication, a newer botnet known as "Cimbot" has already infected about 10,000 machines, but may be poised to rise in the ranks this year, Stewart said. Unlike many bot programs that run as regular Windows processes, Cimbot runs only in system memory, and may be harder for traditional anti-virus technology to spot.

Another up-and-coming botnet, called "Waledec," is one Stewart and other security experts suspect is a from-scratch rewrite of Storm, mainly due to their similar distribution methods: Bogus holiday e-card greetings (blasted out over the past few weeks) and communications technology (infected systems exchange updates and spamming instructions via an encrypted, decentralized, peer-to-peer technology). Stewart estimates Waledec has infected some 10,000 systems to date.

Storm suffered mightily at the hands of security researchers in 2008. Toward the end of 2007, Microsoft included Storm in its Malicious Software Removal Tool, which by nearly all accounts kneecapped the Storm network virtually overnight. Then, in early 2008, Stewart unlocked and published the encryption key needed to intercept communications between PCs infected with Storm, unleashing a flurry of activity from researchers and security activists alike aimed at infiltrating and ultimately weakening the spam network.

Assuming for the moment that the same authors are behind Waledec, they appear to have learned from their mistakes, Stewart said. For one thing, communications between infected nodes on the Storm network are now encrypted with a 1024-bit RSA encryption key, which is unlikely to be broken anytime soon, if ever.

While many experts heralded Storm's tactics as a sign of things to come, the advanced P2P spreading and communications techniques it was known for have not taken hold amongst other botnets.

"I think in theory P2P is a great idea for botnets, but only a limited number of people can pull it off and make it scalable, because this isn't a beginner or intermediate type of programming we're talking about to build a P2P botnet," Stewart said. In other words, if the old tricks still work, why invest in innovations?

Still, Stewart said, the complexity of techniques used by bot programs to hide on infected PCs and spread to new ones is a decent measure of how long the botnet's authors have been plying their craft.

"As these guys progress through the game and learn what it is people like me do and how they end up losing their bots, they start looking at ways of keeping the security companies from taking them out," Stewart said. "To the extent they adopt these [defensive techniques], it gives you a sense of how long they've been in the game."

But for all these new spam botnets, the question remains: Are we any worse off than we were last year, in terms of the volume of junk e-mail? According to at least two sources, spammers are still recovering from McColo's clobbering. In its January Spam Report (PDF), McAfee reports that while current spam levels have shown a significant increase in the last few weeks, they are still 40 percent lower than levels prior to the demise of McColo. Symantec, in its State of Spam report (PDF) for January, says spam levels are now at 80 percent of their pre-McColo-shutdown levels.

By Brian Krebs  |  January 13, 2009; 12:30 PM ET
Categories: Fraud, From the Bunker, Web Fraud 2.0


Now I understand why my office e-mail (but not any of my personal addresses) received 100s of holiday spam greeting cards. Our company IT department seemed to be stumped by this as some messages were quarantined while others got through. At one point I had about 200 on my Blackberry.

I was wondering whether there is any way for a technology mortal such as myself to find out whether my laptop or home computer is infected with one of these bots. My sense is that it goes well beyond my anti-virus application.

Posted by: skipper7 | January 13, 2009 12:48 PM

What do you recommend using to find out whether we are infected or to keep us from getting infected?

Posted by: mdsails | January 13, 2009 2:37 PM

skipper7 and mdsails, those are good questions. Could you please pose them to BK during his next Security Fix live discussion?

Posted by: Heron | January 14, 2009 9:28 AM

Brian -- did you see this on Hack Attack by some group called AstalavistaTeam? /Peat/

Posted by: OneilPeat | January 14, 2009 12:05 PM

skipper7, mdsails:

*Sigh* It's called Google.

Not trying to be rude, but the answer to those questions can easily be found with a few clicks of the Google search button or even just by going to Microsoft's (since I take it you are PC users) website and reading through their sections regarding security at home.

PCs are not appliances. You will at some point need to do your homework and learn how to effectively use your PC on your own.

Posted by: steve-o2 | January 15, 2009 10:24 AM

@skipper, mdsails: There was a time not long ago where a user whose Windows system was infected with a bot might see signs of slowness, system crashes or other oddities that might hint at a bot infection.

But these days, the bot malware is written by such professionals that it is unlikely to cause the average user to notice anything awry, unless perhaps they are using an older PC, or perhaps the bot software tries to limit the sites the user can go to. Typically, the big spam based bots do not do this, b/c it's a sure-fire giveaway to the owner of the host system that something is not right.

That is why I spend so much time on this blog trying to impart the idea of keeping your system secure, since it's far easier to prevent a PC from becoming a bot than it is diagnosing a bot infection or cleaning one up after the fact.

The best way to keep your system secure?

-Download program updates only from the maker's Web site (this includes but is not limited to browser plug-ins and things like Adobe reader and Flash Player)

-Never open attachments sent in emails you were not expecting.

-Be extremely judicious about the software you choose to install on your system.

-Run up-to-date antivirus software, but don't count on it to protect you from insecure/unsafe behavior online.

-Avoid downloading software from P2P networks/crack sites

-Keep third-party and Windows software up to date with the latest patches.

-If you run Windows XP, consider using a limited user account. If you run Vista, the UAC should warn you if anything tries to install software.

-Use a software firewall. If you can afford one, get a hardware router (wireless or wired): these include firewalls as well.

Those are a few tips. If you follow those, you will be more secure than 95 percent of all Windows users out there.

Good luck

Posted by: BTKrebs | January 15, 2009 2:57 PM


Don't mean to take you to task for your response, but someone could as easily download something malicious by just "Google-ing" for it. A relative of mine downloaded the useless security software "Antivirus 2009" because she didn't want to bother anyone by asking questions.

While Security Fix blogposts might not seem like a good place to ask what we might think are "simple" questions, it certainly does no good to (virtually) slap someone for asking them.

Posted by: pga6 | January 15, 2009 5:01 PM

I'm sorry. I have to comment on the very clever headline of this article. The Who is my favorite band and the headline fits perfectly. In response: "Same as the old bots?"

Posted by: dan39 | January 16, 2009 9:03 AM

@Dan39 -- I'm glad you caught that. I was afraid no one was going to recognize the reference. :)

Posted by: BTKrebs | January 16, 2009 10:27 AM


© 2010 The Washington Post Company