Thursday, November 20, 2008

Major Spam Botnets Yet to Recover After Host Shut-Down

/PRNewswire/ -- One week after the world's most significant breakthrough in the fight against spam, spam volumes have yet to return to their previous levels, according to security experts from the Marshal8e6 TRACE Team. However, they expect spam volumes to eventually climb back to their previous highs.

On November 11, the volume of spam around the world fell by as much as 70 percent due to the shutdown of a major spam hosting network, McColo.

McColo was shut down by its Internet Service Provider after an investigative journalist made inquiries about the Web hosting company's illicit activities. McColo was hosting the command and control infrastructure for three of the world's most prolific spam botnets: Srizbi, Mega-D and Rustock. When McColo was shut down, the spammers were disconnected from the networks of spam-sending bot computers under their control.

Throughout 2008, the TRACE team has published reports showing that just a handful of major spamming botnets are responsible for as much as 90 percent of spam. The TRACE Team has been campaigning within the IT security community for a coordinated effort against the top spamming botnets.

"This is the most significant single event in the fight against spam we have ever seen," said Phil Hay, lead threat analyst with the TRACE Team. "It shows that a coordinated effort against spammers by security researchers can have a positive and meaningful impact on global spam levels. It is something that we have been working towards for a long time and it is fantastic to see the flow-on effects on spam levels as a result of targeting the bigger botnets."

"Unfortunately we do not expect this situation to last," he continued. "The spammers are no doubt already setting up new command and control servers. The challenge for them is to re-establish connections with the thousands of zombie computers still infected with their bot code. We fully expect spam will resume in large volumes eventually. However, almost a week later, the spammers haven't managed to do that yet."

Marshal8e6 says that the command and control servers play a critical part in managing the hundreds of thousands of infected bot computers, also referred to as 'zombies'.

"An infected bot computer typically 'phones home' to the control servers periodically to get updated instructions and spamming templates. By shutting down McColo, the link between the zombie computers and their control servers has effectively been cut off for now," explained Hay.
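As an added illustration of the periodic "phone home" pattern described above (this is not code from Marshal8e6 or from the original release), the following Python flags internal hosts whose outbound connections to a single destination recur at a near-constant interval, which is how a defender would spot zombies still trying to reach a control server after its hosting has gone dark. The log lines are constructed, and the hit-count and jitter thresholds are assumptions.

```python
"""Flag hosts whose outbound connections to one destination recur at a
near-constant interval, the 'phone home' beaconing pattern."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (timestamp, source host, destination); not real traffic.
SAMPLE_LOG = """\
2008-11-18T10:00:00 10.0.0.5 203.0.113.7:80
2008-11-18T10:00:11 10.0.0.9 198.51.100.20:443
2008-11-18T10:10:00 10.0.0.5 203.0.113.7:80
2008-11-18T10:14:37 10.0.0.9 198.51.100.44:443
2008-11-18T10:20:00 10.0.0.5 203.0.113.7:80
2008-11-18T10:29:59 10.0.0.5 203.0.113.7:80
2008-11-18T10:31:12 10.0.0.9 198.51.100.20:443
2008-11-18T10:40:01 10.0.0.5 203.0.113.7:80
2008-11-18T10:55:12 10.0.0.9 198.51.100.20:443
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(text, min_hits=4, max_cv=0.1):
    """Return (src, dst, mean_interval_seconds) for every pair whose gaps
    between connections are nearly constant: the coefficient of variation
    (standard deviation / mean) of the gaps is below max_cv. Thresholds are
    assumed starting points, not values from the release."""
    beacons = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:          # too few contacts to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons.append((src, dst, round(avg)))
    return beacons

if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"{src} contacts {dst} every ~{period}s")
```

Human browsing produces irregular gaps, so the jittered 10.0.0.9 traffic is not flagged while the ten-minute cadence from 10.0.0.5 is.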

The events that led to McColo's shutdown involved months of collaboration and research by a variety of security professionals.

"Last week's events have proven that by drawing attention to the worst spam offenders, security researchers and law enforcement have the capability to focus their energies on the key players and take action," said Hay. "Five years ago when spam was dominated by numerous small-scale spammers it was extremely difficult to target an individual spammer and have any real effect on spam. Now, because botnets have enabled a handful of major spam players to dominate, the targeted actions of the IT security and law enforcement communities can have an immediate and palpable effect on spam."

Marshal8e6 says the command and control servers for the Srizbi, Mega-D and Rustock botnets were affected by the McColo shutdown. According to Marshal8e6's statistics, just prior to McColo's shutdown, these three botnets were ranked first, second and fifth respectively among the world's most prolific sources of spam, together responsible for nearly 70 percent of spam.

"It is a cliche, but the fight against spam is a game of cat and mouse," said Hay. "Over the longer term, the spammers will learn from this incident and will probably evolve their botnet control systems. They may adopt a more resilient peer-to-peer or layered model where control servers are harder to access and spread among many hosts. Only time will tell if these botnets recover. The key thing is that the IT security and law enforcement communities learn from last week's events as well. We have to work together to maintain the pressure on the key spam players."
