New Botnets Replace Vanquished Pests
Although the shutdown of a California Web hosting company eradicated several prominent botnets last year, others have stepped up to fill the gaps, a security researcher says.
Gone from the landscape, said Joe Stewart, director of research at Atlanta-based SecureWorks Inc., are "Srizbi" and "Storm," the botnets Stewart ranked as No. 1 and No. 5, respectively, in an April 2008 botnet census.
Srizbi, and to a lesser degree "Rustock," were crippled two months ago when McColo Corp., a company that has long been hosting botnet command-and-control servers, was cut off from the Internet by its upstream providers after researchers accused it of harboring cybercrime activity. Stewart was one of the researchers who had beaten the McColo drum.
When McColo's connection to the Internet was severed, spam volumes immediately plunged as spammers were unable to use Srizbi or Rustock bots to send their junk mail.
But the relief was short-lived. "There was a time when the bot numbers were diminishing, and we made up some ground," acknowledged Stewart. Now, however, other botnets have come into prominence. Some of them were well-known before the McColo take-down, but had been relatively small, while others have come out of obscurity.
The result? "Spam isn't quite up to the pre-McColo level, but it's easily within the 80% to 90% range," said Stewart, citing numbers consistent with other estimates. Symantec Corp., for example, estimated this month's spam level at 80% of that before the McColo shut-down.
Botnets have rebounded for several reasons, most notably because they're profitable, said Stewart, who recently repeated his April census to come up with a new ranking of botnets.
"Cutwail," the biggest beneficiary of the demise of Srizbi, took the top spot in Stewart's revised chart. It boasts an estimated 175,000 compromised PCs, up from 125,000 in April. "Cutwail's spam output actually increased shortly after [McColo], so it probably picked up some customers from other botnets," said Stewart.
As he did last year, Stewart estimated the botnet sizes by first "fingerprinting" each botnet by its implementation of SMTP (Simple Mail Transfer Protocol), then taking a one-day spam traffic sample from each bot to extrapolate a total number of infected PCs in each botnet.
Although Rustock was also hit by the McColo shut-down, it was able to recover when Srizbi could not. Currently in the No. 2 spot, Rustock controls approximately 130,000 computers, down from the 150,000 it "owned" last April.
Joining Cutwail and Rustock are a pair of new additions to Stewart's list. Until recently, both "Donbot" and "Xarvester" had been minor players in the spam-sending ecosystem. "We have noticed that some botnets picked up traffic significantly," said Stewart, who called out the two as botnets to monitor during 2009.
Donbot, he said, was once a one-trick pony that stuck to spamming Russian recipients, but now "it's spamming for everything under the sun." Stewart estimated Donbot's size as 125,000 compromised PCs, putting it in third place behind Cutwail and Rustock. "It was flying under the radar in 2008, but it seems to have grown pretty quickly," he said.
Also on his watch list is Xarvester, a botnet of approximately 60,000 machines that also apparently picked up spam customers after the junk mailers had to switch providers because of McColo.
And one botnet that died during 2008 -- the once notorious Storm -- may be back from the dead under a different name, said Stewart.
Dubbed "Waledec," the botnet has too many similarities to the now-defunct Storm for it to be coincidence, he argued. "If it's not the same people, they would have had to study Storm intensively to match the functionality," Stewart said. "It's so similar that it's unlikely to be a different group."
Waledec is comparatively small -- just 10,000 bots so far -- but it could easily grow, said Stewart, who noted that this from-scratch rewrite uses much more powerful encryption than did Storm. That, he said, will make it nearly impossible for investigators to poke into the malware's innards for hints on how it works.
With the demise of some botnets, and the surge of others, it would be easy to see the task as Sisyphean. Stewart acknowledged that it can be disheartening at times. "We are still a long way off from a real, long-lasting impact on the individuals responsible for unleashing so much malware and spam," he said.
Part of the problem is that all the criminals need is one widespread vulnerability that they can exploit to grow their botnets dramatically.
As examples, Stewart cited two "zero-day" bugs that Microsoft had to patch with emergency updates: one in Windows last October and one in Internet Explorer in December. In fact, the Windows vulnerability has been aggressively exploited by attackers using the "Downadup" worm, which has infected an estimated 9 million PCs in the last two weeks, although there's no evidence thus far that the worm is building a botnet.
"We have to keep hammering," said Stewart, saying that the only thing researchers can do is maintain the pressure. "[Botnet makers] might not have another good exploit the next time, and maybe we will knock them back."