Meet the New Bots: Will We Get Fooled Again?
The close of 2008 sounded the death knell for some of the most notorious spam networks on the planet. But already several new breeds of spam botnets -- massive groups of hacked PCs used for spamming -- have risen from the ashes, employing a mix of old and new tricks to all but ensure a steady flow of spam into e-mail boxes everywhere for many months to come.
* In September, the shuttering of Northern California-based host Atrivo/Intercage was the final nail in the coffin for the Storm worm, widely considered one of the most ingenious spam botnets ever created.
* In November, the unplugging of Silicon Valley hosting provider McColo -- a network experts say absorbed many of the refugees from Atrivo's shutdown -- spelled the beginning of the end for "Srizbi," which was until recently considered the most massive spam botnet with an estimated 450,000 infected computers.
* In late December, the world saw what is likely to be the final spam run from Bobax, a botnet that once rivaled Srizbi in size and longevity, if not also in sophistication.
But according to noted botnet expert Joe Stewart, director of malware research for Atlanta-based SecureWorks, the demise of these networks has given rise to a new breed of botnets, and has helped boost a much lesser botnet to its present status as the world's largest collection of spam zombies.
More sophisticated botnets are harder for security experts and law enforcement to shut down, which generally translates to more spam and malicious software landing in your inbox.
Stewart said the chief beneficiary of the McColo takedown was a botnet known as "Cutwail" (a.k.a. "Pushdo"), which according to Stewart now stands as the world's largest botnet, with some 175,000 sickened PCs in its thrall. Stewart said the Cutwail botnet is divvied up and rented out to many spammers, who can be seen sending a variety of spam, including pharmaceuticals, replica watches, online casinos, phishing scams and malicious software.
"Rustock," a sophisticated botnet that uses rootkit techniques to hide on host systems, also took a hit from the McColo shutdown. While this botnet hasn't yet recovered completely from that setback, Stewart estimates some 130,000 Microsoft Windows systems remain infected with this bot family.
Another prevalent bot, which SecureWorks is calling "Donbot," has claimed more than 125,000 PCs, Stewart said. It is popular among spammers sending junk e-mail for weight loss drugs, stock investment scams and debt settlement offers.
A botnet that is 60,000 PCs strong, nicknamed "Xarvester" by anti-virus companies, also appears to have grown since McColo's dismantling created a vacuum, Stewart said. In addition to the usual pharma spam, Xarvester is notable for sending lots of junk mail for fake diplomas, as well as Russian-language spam.
By virtue of its relative stealth and sophistication, a newer botnet known as "Cimbot" has already infected about 10,000 machines, but may be poised to rise in the ranks this year, Stewart said. Unlike many bot programs that run as regular Windows processes, Cimbot runs only in system memory, and may be harder for traditional anti-virus technology to spot.
Another up-and-coming botnet, called "Waledec," is one Stewart and other security experts suspect is a from-scratch rewrite of Storm, mainly because of similarities in distribution method (bogus holiday e-card greetings, blasted out over the past few weeks) and in communications technology (infected systems exchange updates and spamming instructions over an encrypted, decentralized, peer-to-peer network). Stewart estimates Waledec has infected some 10,000 systems to date.
Storm suffered mightily at the hands of security researchers in 2008. Toward the end of 2007, Microsoft included Storm in its Malicious Software Removal Tool, which by nearly all accounts kneecapped the Storm network virtually overnight. Then, in early 2008, Stewart unlocked and published the encryption key needed to intercept communications between PCs infected with Storm, unleashing a flurry of activity from researchers and security activists alike aimed at infiltrating and ultimately weakening the spam network.
Assuming for the moment that the same authors are behind Waledec, they appear to have learned from their mistakes, Stewart said. For one thing, communications between infected nodes on the Waledec network are now protected with a 1024-bit RSA key, which is unlikely to be broken anytime soon, if ever.
While many experts heralded Storm's tactics as a sign of things to come, the advanced P2P spreading and communications techniques it was known for have not taken hold among other botnets.
"I think in theory P2P is a great idea for botnets, but only a limited number of people can pull it off and make it scalable, because this isn't a beginner or intermediate type of programming we're talking about to build a P2P botnet," Stewart said. In other words, if the old tricks still work, why invest in innovations?
Still, Stewart said, the complexity of techniques used by bot programs to hide on infected PCs and spread to new ones is a decent measure of how long the botnet's authors have been plying their craft.
"As these guys progress through the game and learn what it is people like me do and how they end up losing their bots, they start looking at ways of keeping the security companies from taking them out," Stewart said. "To the extent they adopt these [defensive techniques], it gives you a sense of how long they've been in the game."
But for all these new spam botnets, the question remains: Are we any worse off than we were last year, in terms of the volume of junk e-mail? According to at least two sources, spammers are still recovering from McColo's clobbering. In its January Spam Report (PDF), McAfee reports that while current spam levels have shown a significant increase in the last few weeks, they are still 40 percent lower than levels prior to the demise of McColo. Symantec, in its State of Spam report (PDF) for January, says spam levels are now at 80 percent of their pre-McColo-shutdown levels.
January 13, 2009; 12:30 PM ET
Categories: Fraud , From the Bunker , Web Fraud 2.0