It has been widely reported that global spam volumes have decreased, especially on October 3 when spam levels dropped to their lowest for some time.
At Symantec Hosted Services we have a wealth of data on spam traffic, and crucially what contribution to global spam each of the major botnets makes. This blog will take a close look at botnet spam, what factors influence botnet output, and will try to explain some of the changes that occurred around October 3.
Botnets drive global spam volumes
Botnets are enormous networks of infected PCs, and under the control of criminal gangs they can be instructed to perform certain tasks on a massive scale. They hide the identity of the attacker, because the machines are owned by innocent users all over the world: they could be in your office, in grandma’s back bedroom, anywhere. These are people who have at some point been the victim of malware and had their PC turned into a bot. Their distribution is like a rash on the world map: where there are PCs, there are bots.
Botnets are a major element of the shadow economy infrastructure, and a powerful tool, mostly used to send millions of spam/malware/phish e-mails, to insert malicious code into websites, and perform Distributed Denial of Service attacks (DDoS) – to attack websites, servers, and even entire countries.
Botnets send such a vast volume of spam each day that other sources of spam fade into virtual insignificance. If there is a major shift in spam volumes, it is almost certainly due to a change in output of one or more of the major botnets. There are perhaps 10 or 12 botnets that lead the way, with 2 or 3 mega-botnets that out-spam all the others.
What have we seen recently, especially around October 3?
Essentially only a few of the most dominant botnets are capable of influencing global spam volumes; the smaller botnets may produce a measurable change, but not of a magnitude that would register with many people. The spam level decrease around October 3 was picked up clearly by many security vendors.
Rustock, having enjoyed a rapid rise to dominance during the last 2 years, was by far the dominant botnet in August. However in September, Rustock appeared to hit some turbulence.
Cutwail has consistently represented about 5-10% of spam, and even after the attempted takedown of Cutwail at the end of August, it didn’t take long (a few days) for Cutwail to return to business as usual.
Other than Rustock and Cutwail, Grum was very active at the time, but didn’t show a dip on October 3. Grum showed a small dip the next day, but quickly went on with its normal output soon after.
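The reasoning above (a drop in global volume is traced back to whichever dominant botnets cut their output, while a botnet that held steady, like Grum, is ruled out) is easy to mechanise once per-botnet daily counts exist. The following is an added example, not Symantec's code; the daily figures are constructed for illustration and are not the real October 3 numbers, and the attribution step that labelled each message with a botnet name is assumed to have already happened upstream.

```python
"""Attribute a change in total spam volume to the botnets that produced it.

Added example (not Symantec Hosted Services' code). Per-botnet daily
message counts are constructed here purely for illustration; real
figures would come from a mail gateway's sender-classification logs.
"""
from typing import Dict, List, Tuple

# Constructed sample: messages per day attributed to each botnet by a
# (hypothetical) upstream sender-fingerprinting step. Values are invented
# and chosen only so that one dominant botnet and one mid-sized botnet
# shrink while a third holds steady.
DAY_BEFORE: Dict[str, int] = {"rustock": 60_000, "cutwail": 9_000, "grum": 12_000, "other": 19_000}
DAY_OF: Dict[str, int] = {"rustock": 15_000, "cutwail": 4_000, "grum": 12_000, "other": 19_000}


def share_of_total(counts: Dict[str, int]) -> Dict[str, float]:
    """Fraction of the day's total volume contributed by each botnet."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {name: n / total for name, n in counts.items()}


def attribute_change(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[str, int, float]]:
    """Return (name, delta, fraction_of_total_change), largest |delta| first.

    fraction_of_total_change is the share of the day-over-day swing in global
    volume that this one botnet accounts for.
    """
    names = set(before) | set(after)
    deltas = {n: after.get(n, 0) - before.get(n, 0) for n in names}
    total_change = sum(deltas.values())
    rows = []
    for n, d in deltas.items():
        frac = d / total_change if total_change else 0.0
        rows.append((n, d, frac))
    rows.sort(key=lambda r: abs(r[1]), reverse=True)
    return rows


def flag_shutdowns(before: Dict[str, int], after: Dict[str, int],
                   min_drop: float = 0.5, min_share: float = 0.05) -> List[str]:
    """Botnets worth investigating: they supplied at least min_share of the
    earlier day's volume and their output fell by at least min_drop.

    The share threshold keeps small botnets out of the list, matching the
    observation that only the dominant ones move global volume.
    """
    shares = share_of_total(before)
    flagged = []
    for n, b in before.items():
        if b == 0 or shares.get(n, 0.0) < min_share:
            continue
        drop = (b - after.get(n, 0)) / b
        if drop >= min_drop:
            flagged.append(n)
    return sorted(flagged)


if __name__ == "__main__":
    for name, delta, frac in attribute_change(DAY_BEFORE, DAY_OF):
        print(f"{name:8s} delta={delta:+8d} share_of_swing={frac:5.1%}")
    print("candidates for shutdown:", flag_shutdowns(DAY_BEFORE, DAY_OF))
```

With the constructed figures, the global total halves and the swing is attributed 90% to the dominant botnet and 10% to the mid-sized one, while the botnet whose output did not change contributes nothing to it; the same arithmetic on real gateway counts is how a dip like the one on October 3 is pinned on specific botnets rather than on "spam" in general.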
So why did Rustock and Cutwail reduce their output on October 3, driving a large drop in global spam volumes?
Many factors influence how much spam a botnet sends, but one development in the news that could be important is the closure of a notorious spam affiliate called ‘Spamit’ (http://www.theregister.co.uk/2010/10/06/spamit_shuts_up_shop/).
Spamit was the mainstay of the so-called ‘Canadian Pharmacy’ business. Approximately two thirds of all spam is related to pharmaceutical products, and a great deal of that is related to Canadian Pharmacy websites and related brands, which sell a variety of pills/drugs for anything from male sexual enhancement, to weight loss, to stress relief. It’s an enormous money making machine in the shadow economy, and spammers line up to work with affiliate schemes such as Spamit, distributing enormous volumes of rapidly changing spam and taking commission for their efforts.
If the spammers using Rustock were heavily reliant on the affiliate Spamit, they would have had quite a shock when Spamit was closed down. Cutwail, on the other hand, has its ‘fingers in many pies’ spam-wise, sending pharma spam, designer watch spam, phishing and malware among other things. Cutwail spammers would also have had a surprise, but many of them would have happily carried on with business as usual.
Perhaps the heavy reliance of Rustock on pharma spammers, and in turn their reliance on Spamit, was responsible for Rustock’s rapid shutdown on October 3, as they scrambled to roll back planned spam campaigns.
Dan Bleaken is Senior Malware Data Analyst with Symantec Hosted Services.