Plunge in spam volume foreshadows more insidious use of botnets in 2011

January 10th, 2011

After a 16-day hiatus, the Rustock botnet today began spreading email spam once again.

On Christmas Day, Rustock suddenly and inexplicably went dark, and stayed offline until now. Lesser botnets, Lethic and Xarvester, also shut down, according to Symantec Hosting Services.

This has caused current spamming levels to plunge to less than half the typical daily levels seen in 2010.

At its peak, kingpin botnet Rustock controlled as many as 1.7 million infected home PCs; its operators probably still control at least one million bots at the present time, says Martin Lee, senior engineer at Symantec hosted services.

The spam Symantec filters from the email systems at large organizations plummeted on 25 Dec. 2010 to 47 billion per day, down from a daily average of 131 billion per day in 2010. Other email security firms reported a similar drop off.

Eye of the hurricane

So what comes next?

“We’re in the eye of the hurricane and everything has gone quiet,” says Lee, a senior engineer at antivirus giant Symantec. “We don’t know what will happen next.”

Rustock’s re-emergence today, albeit spreading spam at much lower levels, comes as no surprise. “If the past is any indication, these guys will regroup and come back,” says Fred Touchette, senior analyst at email security firm AppRiver. “Their basic formula works too well for them to just give up and get day jobs.”

However, it is not clear what seismic shift, if any, may be taking place among the operators of the largest botnets. Email spam has become simple to block, and thus costly to generate in the volume of messages needed to saturate filters, says Mikko Hypponen, analyst at antivirus firm F-Secure.

“Traditional spamming for Viagra, make money fast schemes, etc. will continue to go on as long as it’s even marginally profitable,” says Hypponen. “This kind of spam is less and less a problem to end users thanks to more effective filtering.”

Law enforcement, Internet service providers and web hosting companies certainly have contributed a deterrent effect. They’ve been getting better at international efforts to shut down spamming operations, says Gary Warner, computer forensics research director at the University of Alabama at Birmingham.

“There is plenty of circumstantial evidence to indicate that spamming is no longer a safe career choice,” says Warner.

Kneber targets fed employees

Yet Rustock and dozens of other large spamming networks remain pervasive and resilient. It’s not very difficult to imagine top botnet operators going back to the drawing board to reassess how to make highest use of valuable assets: millions of infected home PCs that remain at their beck and call.

For example, while Rustock, Lethic and Xarvester shut down spamming activities for the holidays, operators of another big spam botnet, Kneber, began to refine their normal email spamming campaign to specifically target employees at federal agencies — and to clean out the hard drives of any documents and files stored by the fed worker.

“My feeling is that this was a fairly unsophisticated operator using a previous generation of ZeuS, and a perl script that has been converted to a standalone piece of malware with a third-party tool,” says Alex Cox, researcher at security firm NetWitness. “Very sophisticated operators tend to create their own malware from scratch. My guess is that they are trying to do two things: feed a market for this information, and get potential intelligence for future spam runs.”

Kneber’s operators, says Cox, could be planning to “trojanize existing actual documents to deliver malware, then resend them out.”

Re-purposed botnets

Indeed, seasoned botnet operators could very well be plotting ways to re-purpose their hard-won networks of infected PCs to bedevil consumers and companies in lucrative scams in tried-and-true ways.

“There are more profitable ventures with which professional botnet operators can reap higher rewards,” says Gunter Ollmann, vice president of research at network security firm Damballa.

This could foreshadow an acceleration of stealthy, insidious ways to put botnets to work, including:

  • Black Hat Search Engine Optimization. Botnets can be assigned to methodically click on designated websites, driving up the search results ranking of the site. Such sites often sell counterfeit goods. Botnet-driven Black Hat SEO attacks are also useful for raising the search-results profile of sites put up by the bad guys and tied to popular queries of the day, such as celebrity news, a holiday or a big sporting event. Such sites can infect a visitor’s PC with a banking Trojan, designed to swipe cash from online accounts, or an insistent promo for fake antivirus protection.
  • Click fraud. Botnets can be used to click on online ads for which criminals have set up an affiliate relationship with an online ad network. The crooks get paid for each click. “These are technically talented guys using their talents for badness,” says Alex Cox, researcher at security firm NetWitness.
  • Fraudulent Domain Name changes. Instead of directing infected PCs to carry out a task, a botnet operator can simply alter parameters on each PC he controls. He can change the “domain name” coding for every ad that displays on each infected PC. Legitimately paid-for ads never appear. Instead, the PC user sees ads distributed by an ad network affiliated with the criminals.

“This is part of the evolution of botnets,” says Ollmann. “If one business model gets too difficult, they simply switch to the next lowest hanging fruit.”

By Byron Acohido