The brief global reprieve in the flow of spam from infected computers is nearly over, with new and more resilient botnets filling the void since the shutdown of Internet Service Provider (ISP) McColo last November, according to experts.
When hosting providers agreed to cut off McColo, that severed the Srizbi command centre from its legion of zombies (or infected computers) — and this immediately cut in half the volume of e-mail spam flowing across the Internet. But spam levels are back to 74.6 per cent of all e-mails sent in January, which is about 90 per cent of the spam levels in November, according to a new report from security vendor MessageLabs.
“We always knew that when the McColo shutdown happened it wasn’t the end of spam,” says Matt Sergeant, senior anti-spam technologist at MessageLabs, now part of Cupertino, Calif.-based Symantec Corp. “The people making money from this aren’t going to just lie down and stop.”
Botnets or short for “robots” are networks of c ompromised computers that are then usedby cyber criminals to flood e-mail Inboxes with spam advertisements. Instead of relying on their own servers to send out the deluge of e-mails, “bot masters” (those who control botnets) use the infected and compromised computers of unsuspecting consumers and businesses. Once a computer is infected, it becomes a “zombie” that serves its bot master – sending out massive amounts of spam.
The security research community won a minor victory when McColo was shutdown. The Srizbi botnet suffered a technical problem that meant it couldn’t move to another host to talk to its zombies. But now those same spammers have created new botnets, and other existing botnets have become more active.
“The shutdown of McColo was really just a temporary setback for spammers,” says Jim Lippard, director of information security at Global Crossing, a Hamilton, Bermuda-based global telecommunications provider. “I doubt that anyone is going to rely on a single Web host for their command and control host anymore.”
New botnets won’t be as easily shutdown as Srizbi. Spammers are using new techniques to regain connection with zombies even if their hosting service is shut down.
The recent nasty Windows worm Downadup demonstrated such an ability, though the malware hasn’t been used as a botnet, Lippard says. It is able to generate domain names that appear random, but are set to match the date the worm lost contact with its host server. That way, controllers of the malware can set up another domain that will talk to the same infected PCs again.
“This way, they’re not relying on a single host or a single domain,” he says. “Things have been made a bit more difficult.”
In the wake of the McColo shutdown, the new botnet landscape is currently dominated by a single main player and several botnets that could potentially explode, according to MessageLabs.
The top spammer is now the Mega-D or Ozdok botnet. With 660,000 zombies at its disposal, it is sending out an average of more than 26.5 million spam messages a minute. That makes it the most efficient spamming network around.
Mega-D was somewhat disrupted when its host was shutdown before McColo, Sergeant says. But now it’s back and stronger than before.
“They’ve expanded their botnet even further and they’ve acquired the customers that were using Srizbi,” he says.
Meanwhile, the Srizbi botnet masters are likely behind a new botnet dubbed Xarvester, Sergeant adds. “You can tell because of the way the e-mail headers are constructed, and some other similar patterns in the e-mails being sent.”
Despite being new, Xarvester is already the fourth most-spamming botnet. It has infected 260,000 computers had sends out an average of 3 million messages per minute. It could be a competitor with the Mega-D network if it continues to grow.
With new and tougher botnets looking to recruit an army of zombie computers, it may be up to end users and businesses to be vigilant about keeping their computers clean of infection. The security research community worked for years before McColo was shut down. Now shutting down an ISP might not even make a dent in spam messages.
Businesses can take some simple steps to ensure they aren’t part of the problem, Lippard says.
“If you suddenly see a diverse number of sources on your network hit a URL that it hasn’t before, that should raise a red flag,” he says.
Web filtering services can help weed out Web addresses known to be malicious or unwanted. Many companies use these services to police their corporate network, and they are becoming more important as botnets use Web ports for communication, as opposed to the IRC ports used in the past.
Another port that organizations should be blocking is port 25, Sergeant says. Used for e-mail communications, botnets will be trying to access it directly to send out spam. Legitimate e-mail can be let in through SMTP and exchange servers, or exceptions to the filter.
“Every single e-mail goes out over port 25, so by blocking it, you’re blocking out all botnets,” he says.
Blocking the port is a good piece of advice, Lippard agrees. But it’s not foolproof. Spammers have sometimes adapted by sending out mail on the accepted servers in order to bypass the filter.
“It’s a never ending arms race. For every vulnerability they exploit, there’s a counter-measure, and then another way around the counter-measure,” he says.
Another botnet to watch in 2009 is the Cutwail or Pandex botnet. The network is composed of the most infected computers, yet it sends out a reduced rate of 5 million spam messages per minute.
But if the botnet operators find more business or decide to update their malware, that sort of throughput could go up considerably.