Spammers And Botnets Change Tactics

A year after the closure of a notorious web hosting firm, botnet operators and spammers have changed their tactics and are growing stronger, security researchers have told eWEEK.

A year ago, web hosting firm McColo was shut down, causing a short but dramatic drop in spam. Now spammers are strong again, with researchers at McAfee reporting that spam accounted for 92 percent of email in the second quarter of 2009.

This is partly due to improvements by botnet operators. Like anyone who is successful at what they do, the people controlling the most powerful botnets in cyber-space learn from their mistakes.

“McColo affected a couple of main botnets seriously, notably Srizbi which has never recovered and Rustock which took an immediate hit before recovering over time,” explained Bradley Anstis, vice president of technical strategy at M86 Security. “One of the immediate changes was the use of hard coded domains in the malware body instead of IP addresses. Before, domains could be changed to different IP addresses to provide a recovery option on their command and control methods.”

“In general,” he continued, “they have improved the availability and resilience of their command and control servers and in some ways the McColo take down has driven them more underground and forced them to use more different methods, making it harder to detect. Some examples that have already been seen have been the use of Twitter, Google Groups and Facebook.”

(Facebook recently won a £430 payout against “Spam King” Sanford Wallace, but is unlikely to be able to collect.)

In the aftermath of the takedown of McColo – as well as Internet Service Provider (ISP) Intercage/Atrivio – some security researchers predicted there were would be an increase in fast-flux botnets. However those predictions do not appear to have panned out as much as some thought.

“Fast flux appears to have not been as successful as the spammers required it to be,” opined Matt Sergeant, Senior Anti-Spam Technologist for Symantec Hosted Services. “Or perhaps the additional overhead of requiring fast performing DNS servers as part of the botnet code wasn’t working for them. Either way, it appears to be less of an issue now.”

According to Anstis though, fast-flux is used by up and coming botnets such as Avalanche and is pretty widespread at the moment. Its popularity could easily increase, he said.

Regardless, the biggest botnets have found other ways to thwart anyone targeting them. When the FTC shutdown ISP 3FN for example, it disrupted Cutwail for two days, but the botnet bounced right back, Sergeant noted.

“After that there was no “ramp-up” time,” he said. “They were just immediately back to 100 percent operational. They updated their algorithm for finding new command and control hosts so that it didn’t require a hard-coded ISP location, and could be very well hidden from anyone wanting to know where the next C&C (command and control) might be.”

Rustock meanwhile is probably the leader in terms of modulating the shield harmonics on an ongoing basis, noted Joe Stewart, Counter Threat Unit security researcher at SecureWorks. While botnet operators may change tactics, he added, that doesn’t mean ISP takedowns should not be a more common occurrence.

“In my opinion, any ISP that willfully ignores legitimate abuse complaints about major criminal botnet operations operating on their networks for months at a time should have their connection to the Internet severed,” he said.

The UK’s Serious Organised Crime Agency (SOCA) has also suggested that Internet registrars which provide Internet addresses to rogue ISPs are also to blame for the problem.