Botnets Bouncing Back


Just weeks after the shutdown of major spam host McColo led to a sharp drop in unwanted e-mails, spammers and malicious botnets are showing signs of returning.

McColo’s takedown by its ISPs also hit botnets like Srizbi hard, since they had been hosted on McColo — and their designs made them especially vulnerable to the loss of their host, according to Derek Manky, lead threat researcher for Fortinet.

“Srizbi, for example, was using hard-coded command-and-control servers hosted at McColo, and when these were taken offline, the botnet was rendered useless,” Manky said in an e-mail.

However, Srizbi, Rustock, Asprox and other botnets are beginning to come back to life, if shakily, experts said. And they may have new allies in the form of cash-strapped ISPs.

That’s especially grim news considering the already-troubling scope of the problem posed by these botnets. Srizbi and Rustock are the world’s largest and second-largest botnets based on the amount of spam they send, according to Alex Lanstein, senior researcher at security vendor FireEye. Meanwhile, Asprox launches SQL injection attacks and was used in attacks on two of Adobe’s (NASDAQ: ADBE) Web sites in October.

Worse, Manky predicted that the bad guys will invest time and effort in creating more robust models that will be more difficult to take down in the future.

The news marks the latest chapter in the ongoing war against spam, botnets and malware hosts. Anti-spam efforts have been going on for years, but they have generally been fragmented, with individual companies and, sometimes, law enforcement, generally going it alone with little support from ISPs.

And while ISPs were a critical component in McColo’s shutdown, that may prove to be the exception rather than the rule, thanks to an economic crisis that shows few signs of abating. With financial woes looming, experts warn that there will be no shortage of ISPs lining up to take McColo’s place in return for a piece of the spammers’ profits.

“There’s money to be made in this, and in these turbulent economic times, struggling hosting companies may engage in illicit hosting activities just to stay afloat,” Zulfikar Ramzan, technical director at Symantec (NASDAQ: SYMC), said.

Inevitable return?

The botnets’ return comes as no surprise to the computer security community.

“It was a question of when, rather than if, spammers would be back up after McColo was taken down,” Ramzan said.

Making matters worse is that Ramzan and Fortinet’s Manky see botnet operators taking steps to make their networks more resilient — for instance, by adopting peer-to-peer (P2P) technology that won’t require centralized servers.

However, FireEye’s Lanstein said that he doubts that botnets will migrate to a P2P design, because over a long period, all the computers in a P2P network will talk to each other. As a result, if anti-malware researchers are able to locate one of the botnet’s machines, they may be able to trace the others.

In addition to returning with new support from ISPs and more robust networks, botnets’ efforts to pump out spam are also on the rise simply because this is the holiday season — which often sees an increase in spam because people want to shop online, Ramzan said.

Fortinet’s Manky added that he has observed an increase in spam using holiday-related phrases since Black Friday, the start of the holiday shopping season.

“When looking at certain keywords, such as ‘Christmas,’ ‘gifts’ [and] ‘discounts,’ spam has risen approximately threefold,” he said. “So it looks as though there is an effort in terms of campaigns to leverage this.”

Striking back

But not all may be lost. FireEye said it’s working to put together a coalition of ISPs and anti-malware vendors to launch some form of action against spammers soon.

FireEye recently made headlines when it began pre-emptively registering domain names that Srizbi was likely to use after cracking the Srizbi algorithm. However, it had to stop doing so because of the cost.

“We bought up all the Srizbi command and control servers, and also registered some names for Rustock and Mega-D [another botnet], but we couldn’t keep buying domains from now until infinity,” Lanstein said. “We’re now working with a number of major players to keep Srizbi offline.”

The group’s first target is the Srizbi botnet, because it uses an algorithm to automatically generate new command and control servers when existing ones are taken down, FireEye’s Lanstein said. That process of generating specific domain names makes it an easier target than other botnets, he added.
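The defensive approach Lanstein describes, shown here as an added example that is not FireEye's code and does not use the real Srizbi algorithm (the article does not disclose it): a constructed date-seeded domain generator, the list of upcoming names a defender who has recovered the generator would pre-register or sinkhole, and a check of constructed DNS log lines against that list.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a botnet's domain-generation algorithm. It is
# NOT the Srizbi algorithm (the article does not describe it); it only
# shows why a date-seeded generator lets a defender who has recovered the
# algorithm compute the next command-and-control names in advance.
TLDS = ("com", "net", "info")
SEED = 0x5E12B1  # constructed seed value

def hypothetical_dga(day_iso: str, seed: int, count: int = 3) -> list[str]:
    """Domains the (hypothetical) bot would try on the given day."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day_iso}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])  # 10 letters
        names.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return names

def preregistration_list(start_iso: str, days: int, seed: int) -> set[str]:
    """Every name the generator will produce over the next `days` days.
    This is the list a defender would register or sinkhole ahead of time."""
    start = date.fromisoformat(start_iso)
    domains = set()
    for offset in range(days):
        domains.update(hypothetical_dga((start + timedelta(days=offset)).isoformat(), seed))
    return domains

def flag_dga_lookups(dns_log_lines, watchlist):
    """Return (client_ip, qname) for DNS queries that hit the watchlist.
    Log format is constructed: '<timestamp> <client-ip> A <qname>'."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "A":
            qname = parts[3].rstrip(".").lower()
            if qname in watchlist:
                hits.append((parts[1], qname))
    return hits

if __name__ == "__main__":
    watch = preregistration_list("2008-12-01", 7, SEED)
    infected = sorted(watch)[0]
    sample_log = [  # constructed DNS log lines
        f"2008-12-01T10:00:00 10.0.0.5 A {infected}.",
        "2008-12-01T10:00:01 10.0.0.6 A www.example.com.",
    ]
    print(f"{len(watch)} names to pre-register; hits: {flag_dga_lookups(sample_log, watch)}")
```

A resolver that answers the watchlist from a sinkhole instead of the registrant gives the same visibility without buying every domain, which is the cost problem Lanstein raises.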

Lanstein declined to provide additional details on the project, citing a need to avoid giving too many details to spammers.

Yet spammers have been making their own gains in recent weeks. For example, anti-spam group Spamhaus last week named Microsoft (NASDAQ: MSFT) as one of the world’s top five spam-friendly hosts, despite assurances by officials at the software giant that it’s proactive in stamping out illicit accounts.
