After brief respite beastly botnets are “back with a vengeance”

Two weeks after a hosting firm’s shutdown sent global spam volumes plummeting, some researchers say spam has already bounced back.

The shutdown of California-based McColo Corp., a company that hosted a staggering variety of cybercriminal activity, on Nov. 11 cut spam by as much as 75 per cent in the first few days after its upstream Internet providers pulled the plug.

The shutdown slashed spam volumes because some of the planet’s biggest spam-sending botnets were controlled from servers hosted by McColo, according to security researchers who had long urged the company’s disconnection from the Web.

While spam initially slid off a digital cliff, two weeks later it’s unclear whether spammers have resumed their usual practices.

A researcher at IronPort Systems Inc., a messaging security company owned by Cisco Systems Inc., today said that spam is still down, if not out.

According to IronPort, Tuesday’s spam volume was approximately 72.7 billion messages, less than half of the 153 billion on Nov. 11, but up from the 64.1 billion of Nov. 13, two days after McColo went off the air.

“We’re seeing small spikes in spam volumes relative to the post-McColo shutdown volumes,” said Nick Edwards, a senior product manager at IronPort, in an e-mail Tuesday explaining the uptick.  

“We believe the spammers are trying other botnets – those whose command-and-control infrastructure and front-end applications were not hosted by McColo.”

They’re not having much luck, Edwards added. “Spam volumes are still down significantly,” he said. “While there was a temporary increase in spam volume [last] Friday and Saturday, spam volumes have not approached levels prior to the McColo shutdown.

The spammers are having a difficult time finding a botnet for lease that they can use effectively.”

Researchers at rival MessageLabs Ltd. – now part of Symantec Corp. – see the situation differently.

According to Matt Sergeant, a senior anti-spam technologist at the company, spam levels have bounced back to about two-thirds of what they were before McColo was yanked off the Internet.

In fact, spam jumped to that volume only today.

On November 11, McColo Corp., a San Jose-based hosting service, was kicked offline when its primary Internet providers severed its connection to the Web.

According to newspaper reports, McColo’s clients included cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets.

When McColo’s connection to the Internet was severed, researchers immediately noted a major drop in spam volume.

One of those researchers was Nilesh Bhandari, a product manager at IronPort, a messaging security company owned by Cisco Systems Inc.

He said that in October an average of 190 billion spam messages were sent daily.

On November 11 (the day of the shutdown), however, the projected daily total fell to 112 billion, a 41 per cent decline, based on the spam volume that IronPort recorded after McColo was cut off.

“McColo was the hosting firm for some of the biggest spam botnets, including Srizbi and Rustock,” said Bhandari, referring to two notorious bot malware families that infect PCs and turn them into spam-sending machines.

Experts accused McColo of hosting the botnet command-and-control servers, as well as other systems that ran malware distribution points and criminal payment services.

“Botnets hosted by McColo accounted for half of the spam volume worldwide,” Bhandari charged.

Even at the time, however, Bhandari predicted the respite would likely be brief.
“We’re happy about this temporary reprieve – normally, we see a big spike in spam this time of year, so it’s nice to see a dip – but we think it will be truly temporary,” Bhandari said.

In September, after another U.S.-based hosting service suspected of harbouring spammers was shut down, IronPort also saw a significant drop in the number of junk e-mails.

Within three days, however, the dip had disappeared as others stepped in to take up the slack left when Intercage, which had also done business under the name Atrivo, went offline in late September.

“McColo is a little different in where they play in the criminal [ecosystem],” said Bhandari, “so I think it will take a little longer for spam volumes to recover.

But McColo will find another upstream provider or its backers will just move their infrastructure overseas. So in a few days or a few weeks, we’ll see spam return to its usual levels.”

As of midday Wednesday, McColo’s Web site remained offline. The company did not return a call asking for comment on its disappearance from the Internet and the simultaneous drop in spam volume.

Sergeant from MessageLabs wasn’t surprised by the lag time between McColo’s shutdown and a return of spam.

“The Asprox and Rustock botnets are back with a vengeance after having found new command and control [servers],” Sergeant said in an e-mail.

“Cutwail never went away and it seems its owners have used the opportunity to increase output. Mega-D is also on the rise again.”

Sergeant and Edwards, however, agreed on one thing: The Srizbi botnet looks gone for good.

“Srizbi, having once been responsible for 50 per cent of all spam, is now completely defunct,” said Sergeant, who added that without that botnet, “spam levels won’t return to what they had been.”

Edwards confirmed that Srizbi was still offline. “And we have confirmation that McColo traffic has not been re-hosted somewhere else,” he added. “The backers of both are still scrambling.” McColo was still unavailable as of midafternoon Tuesday.

Srizbi, which also goes by “Mailer Reactor,” was among the world’s biggest botnets.

In April, noted botnet researcher Joe Stewart of SecureWorks Inc. estimated Srizbi as composed of 315,000 infected PCs.

The McColo takedown, Stewart said last week, had cut off more than half a million compromised computers — a.k.a. “bots” — from their criminal controllers.
