Spam Declines As Botnets Rethink Their Strategies

Spam levels fell over Christmas but Symantec reckons this may be the lull before a storm coming in 2011

Even the spammers took a holiday over Christmas. According to Symantec and several other spam watchers, the level of junk email fell by more than half.

Recently, three botnets, Rustock, Xarvester and Lethic, that normally spew spam have either stopped or severely reduced their activities. According to a recent blog posting from Symantec: “Since 25th December, Rustock seems to have all but shut down… MessageLabs Intelligence [Symantec Hosted Services] has seen virtually nothing from Lethic since the 28th December, and Xarvester since the 31st December.”

Spamit Closure Disrupted Operations

Paul Wood, senior analyst at Symantec Hosted Services, told eWEEK Europe that, despite its drastically reduced rate of output, Rustock is still responsible for around 0.5 percent of spam (100-500 million spams per day). This is down from 47.5 percent (44 billion spam emails per day) but the other two botnets are completely silent.

According to Wood, one of the most likely reasons for the halt in operations is the closure of the Spamit.com website in October 2010. For years, Spamit, a closely guarded affiliate programme, had paid some of the world’s top botnet controllers to promote its counterfeit pharmacy sites.

Approximately 64 percent of global spam during 2010 was pharmaceutical spam, and the “Canadian Pharmacy” operation, linked to Spamit, was responsible for the vast majority of this. Its main vehicle was the massive Rustock botnet of zombie PCs, and the closure of Spamit means that Rustock will have to find another customer for its malign services. If spammers are not being paid, they cease their operations because there is little point in risking detection when there is no reward involved.

“Currently, there is no evidence to suggest that any of these botnets have been disrupted by law enforcement or through other interference,” Wood said. “The Rustock bots appear not to have been removed from the botnet and its command and control infrastructure appears to be intact. Research has also shown that the bots are still active in other ways, particularly click-fraud.”

Click-fraud relies on the relationship whereby a site will pay for each visit it receives from a referral site. The fraudulent element is when a rogue affiliated site arranges for referrals of fictitious visitors to be generated. The unsuspecting host site pays for these referrals, totally unaware that it is being scammed.

Sleeping Giant

With between 1.1 million and 1.7 million infected computers under its control, according to Symantec estimates, Rustock still has all the potential for spamming at the pre-Christmas levels if it finds an alternative source of revenue.

“If not, then it may turn its attention elsewhere, possibly increasing the click-fraud it already does to a grander scale, or by renting-out its bots for DDoS [distributed denial of service] attacks, or bullet-proof hosting,” explained Wood. “In that case, I would expect to see the Grum botnet move up [in the spamming league], as it has been consistently in second place for many months now and was responsible for around 8.5 percent of spam – sending approximately eight billion spam emails each day from only 310,000 to 470,000 bots.”

Bullet-proof hosting is the provision of a safe haven for botnet “herders” to run their command and control centres and store their ill-gotten gains, similar to how the Caribbean islands were used by pirates in the 17th and 18th centuries.

The disappearance of a few of the major botnets has created a vacuum which will not remain empty for long. “Overall, we would expect to see a gradual but steady increase in spam levels over the next few weeks and months as other botnets expand their influence to fill this gap,” Wood warned.