Botnets on the Brain
Posted on behalf of Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services
Without a doubt, 2009 was the Year of the Botnet. As reported in the MessageLabs Intelligence Annual Report, by the end of 2009, 83.4 percent of spam originated from botnets. While each botnet varies in size and has its own unique characteristics and capabilities, one thing they share in common is the ability to spam in large quantities.
With approximately 151 billion unsolicited messages each day being distributed by compromised computers, understanding who is responsible for such unprecedented levels is always of interest to MessageLabs Intelligence, much like the threat landscape, the botnet landscape is ever changing.
The top botnets of 2009 are listed in this table with two recent newcomers – Maazben and Festi.
Two of the most notorious botnets of the year were Cutwail and Rustock. When studying the spamming patterns of Rustock, MessageLabs Intelligence learned that in July 2009 it began a predictable spamming pattern. Because it was one of the most dominant botnets of 2009, responsible for 19.3 percent of all spam, the pattern was observed in total daily spam patterns for all spam. Prior to these patterns, Rustock was spamming less frequently but in bigger bursts.
One of the oldest botnets, Cutwail was first identified in January 2007. With between 1.5 and 2 million compromised computers under its control, Cutwail was possibly the largest botnet in history at its peak. Most recently, Cutwail has been responsible for spam emails containing the Bredolab Trojan dropper, which has been used to install malware, adware and spyware on victims’ computers.
Earlier this year, Cutwail had a near-death experience when on June 5, 2009 it experienced several hours of downtime following the shutdown of ISP Pricewert (a.k.a. 3FN and APS Telecom) but recovered in only a few hours. Similarly, when ISP Real Host was taken offline in August 2009, spam volumes dropped by 38 percent and Cutwail’s activity fell by as much as 90 percent, again quickly recovering in a matter of days.
Perhaps the most impressive botnet feat following the onslaught of ISP takedowns in 2009 is their ability to recover fairly quickly – in a matter of hours versus weeks or days. Spammers have clearly made important progress since the McColo shutdown at the end of 2008 learning the importance of having a proper backup strategy for their command and control channels. Moreover, the Trojan technology behind botnet-oriented malware has improved with more rootkit-type kernel drivers becoming the norm.
In 2010 we expect the botnets will continue full throttle with an increase of fast flux techniques. Fast flux is a technique used by some botnets, such as the Storm botnet, to hide phishing and malicious Web sites behind an ever-changing network of compromised hosts acting as proxies.
To download the MessageLabs Intelligence Annual Report in its entirety, please visit: http://www.messagelabs.com/resources/mlireports
Follow us on Twitter: @MessageLabs