February 16, 2011, 4:17PM

Spam Botnets Are Declining, But Likely Not For Long

The size and volume of spam botnets are down over the last year, and much of this can be attributed to the effectiveness of IP-based blacklists. However, this defense is no panacea: scammers have found new methods like reputation hijacking to circumvent these roadblocks, and bots continue to extend their reach by piggybacking on existing worms and viruses.

New research from Dell's Secureworks Counter Threat Unit detailing the evolution of spambots in 2011 showed that Rustock, with some 250,000 bots, is the world’s most prolific spambot. In recent years it has shared the top spot with others, but the stealth tactics continually added to Rustock’s code base, which let it hide deep inside the Windows operating system where anti-malware products won’t find it, have left it uncontested as the world’s number one bot.

Among the bot's cloaking methods are: waiting days after infection before starting to spam; running a Tor exit node to avoid being disconnected by network admins; using HTTP to communicate with controllers, with requests disguised as online forum posts carrying encrypted content; and never mapping directly to the IP address of the Rustock controller, to avoid takedowns.

Cutwail came in at second place with an estimated army of 100,000 bots. Cutwail is similar to Rustock in that it uses custom encryption to disguise its communications, but differs in that it is in essence a conglomeration of botnets adhering to one of three major coding revisions.

In third place is the 75,000-strong Lethic botnet. Lethic, which was reportedly shut down last January, is a unique bot because it strays away from the traditional template-based spamming method, which delivers a spam mail template to each bot along with a list of email addresses to which the spam should be sent. Although less efficient than that method, Lethic uses a connect-back scheme in which the bot reaches out to the Lethic controller to begin receiving traffic. It then uses a simple encryption method to avoid detection. Lethic is also being installed to help seed up-and-coming bots like Butterfly.

Close behind Lethic with 65,000 bots is the Grum bot. Grum attempts to send messages from the infected PC directly to the destination mail server, but if the ISP blocks outbound TCP port 25 it falls back on a feature known as proxylocking: relaying the messages through the ISP's mail server instead. Like Rustock, Grum uses HTTP for communication, but of late it has been morphing its traffic to avoid detection.
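The proxylocking fallback described above has a network signature a defender can look for: a bot that can reach port 25 fans out to many destination mail servers, while one behind a port-25 block funnels everything through the ISP relay. As an added example (not from the article or the Secureworks research), this Python script scores constructed NetFlow-style records by the number of distinct outbound TCP/25 destinations per host; the relay address, the sample flows and the threshold are assumptions.

```python
from collections import defaultdict

# Placeholder address for the ISP's own outbound mail relay (assumption).
ISP_RELAY = "203.0.113.25"

# Constructed flow records, not real traffic: epoch, src, dst, dport, proto.
# 192.0.2.10 contacts many MX hosts directly, 192.0.2.20 only uses the relay,
# 192.0.2.30 makes a single direct SMTP connection plus an unrelated HTTPS flow.
SAMPLE_FLOWS = """\
1297873020 192.0.2.10 198.51.100.7 25 tcp
1297873021 192.0.2.10 198.51.100.88 25 tcp
1297873022 192.0.2.10 198.51.100.91 25 tcp
1297873023 192.0.2.10 198.51.100.104 25 tcp
1297873024 192.0.2.10 198.51.100.131 25 tcp
1297873025 192.0.2.10 198.51.100.7 25 tcp
1297873030 192.0.2.20 203.0.113.25 25 tcp
1297873031 192.0.2.20 203.0.113.25 25 tcp
1297873032 192.0.2.20 203.0.113.25 25 tcp
1297873040 192.0.2.30 198.51.100.7 443 tcp
1297873041 192.0.2.30 198.51.100.7 25 tcp
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, dport, proto)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((int(ts), src, dst, int(dport), proto))
    return records


def smtp_fanout(records, relay=ISP_RELAY):
    """Per source: distinct direct TCP/25 destinations, and connections via the relay."""
    direct = defaultdict(set)
    relayed = defaultdict(int)
    for _, src, dst, dport, proto in records:
        if proto != "tcp" or dport != 25:
            continue  # only outbound SMTP matters here
        if dst == relay:
            relayed[src] += 1  # proxylocked path: relaying through the ISP smarthost
        else:
            direct[src].add(dst)  # direct-to-MX path
    return {s: len(d) for s, d in direct.items()}, dict(relayed)


def suspicious_senders(records, threshold=5, relay=ISP_RELAY):
    """Hosts whose direct MX fan-out meets the threshold (assumed value)."""
    fanout, _ = smtp_fanout(records, relay)
    return sorted(s for s, n in fanout.items() if n >= threshold)
```

Legitimate mail servers also show high fan-out, so allow-list known senders before alerting; hosts that appear only in the relayed count are better examined in the relay's own logs.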

The last of the really big botnets is Festi, with 60,000 bots. This bot has been aggressively establishing itself by seeding with another pay-per-install bot, Virut. Festi has also been developed as a distributed denial-of-service platform, and has been seen in recent weeks launching attacks against Russian sites.

The remaining botnets operate with under 30,000 bots. Noteworthy among them are the Maazben, Asprox, Fuflo, Waledac, Fivetoone/DMSpammer, Xarvester, Bobax, Gheg, and Bagle bots. Dell’s research indicates that their tapering off in size may be intentional because smaller bots demand less attention from the anti-malware community and in general fewer resources to stay afloat. This may also be the reason that some of these bots have had marathon careers of as long as eight years.

For years, the Mega-D botnet had an enormous presence in the community. And it was perhaps this high profile position that led to the arrest of its founder and its subsequent deterioration.


Comments

Hah! Mega-D had an "enormous presence"!

Oh, that's a good one. Whew.


Copyright © 2012 threatpost.com