Spam Zombies: The Good News, and the Bad
In this week's Security Levity , I want to talk more about zombies and botnets, sharing the results of some research we've been doing into this problem. I'll also pass on some encouraging recent news that hasn't gotten the attention it deserves.
I've mentioned zombies and botnets a few times over the past six months of blogging here, but let's first have a very quick refresher...
•· Most spam is sent by botnets.
•· A botnet is a network of zombies.
•· A zombie is a PC that's been infected with a bot.
•· A bot is a type of malware that listens out for commands sent by a botmaster.
•· A botmaster is the controller of the botnet, who sells the evil service to spammers and other internet low-life.
Most zombies are consumer PCs, connected to the internet over domestic DSL or cable broadband. However, some are resident inside companies. As I mentioned two weeks ago, you don't want zombies on your network, or you might find that your legitimate email is filtered as spam.
So where are the zombies? Perhaps unsurprisingly, there's little correlation between the number of PCs a country has and the number of zombies. There's a very definite divide between the countries that are keeping a lid on the problem and those where zombies seem to run free.
As well as the obvious BRIC-like countries with large slices of the pie, there are a few surprises. For example, Germany, which has twice as many zombies as the US.
Clearly, some countries are doing a much better job than others at preventing infection. But there's obviously also a lot of work going on to clean up after an infection. We can see this by the huge number of new zombies that botmasters need to conscript into their botnet armies.
On average, there were a staggering 305,000 zombies per day created during Q1. (For more, see p11 of our Q1 2010 Threat Report.)
And now, the good news story that I promised earlier. Several Australian ISPs have agreed that they'll detect zombies on their networks and block them from connecting to the botnet. This comes after some arm-twisting by the Australian government.
The ISPs are planning a so-called 'walled garden' approach, which would alert the user to a problem by redirecting their web traffic to a special page. This page would tell the user what the problem is and how to fix it. (For more, see p5 of the Q1 report.)
Surprisingly few ISPs do this today, despite encouragement to do so by organizations such as the Messaging Anti-Abuse Working Group. So it's interesting to see a government get serious about the zombie problem.
Perhaps other countries will follow Australia's lead?