Spam and Fraud Activity Trends | Analysis of Spam Activity Trends | Analysis of Spam Activity by Geography, Industry Sector and Company Size | Analysis of Spam Delivered by Botnets | Spam Botnet Analysis – A Strategic Viewpoint | Significant Spam Tactics | Spam by Language | Spam by Category | Future Spam Trends: BGP Hijacking | Phishing Activity Trends | Analysis of Phishing Activity by Geography, Industry Sector and Company Size
Spam Botnet Analysis – A Strategic Viewpoint
BackgroundMost previous studies on spamming botnets have primarily focused on identifying botnet characteristics and signatures, but not on understanding the community behavior of spam botnets. In this analysis Symantec has looked at the global behavior of spam botnets by correlating their spam campaigns through multiple characteristics. The goal is to better understand the modus operandi of spammers controlling those botnets and how these are used for spam campaign operations.
Using the same methodology, we looked at the impact of the Rustock take-down on the botnet ecosystem.
MethodologySymantec used a three month-data set collected by our spam traps, comprising approximately 1 million spam messages. Twelve characteristics were extracted from the email headers and message bodies, which in turn were correlated to classify spam messages that were likely to have originated from the same spammer operation. These characteristics include attributes such as the character set used, the Subject: lines, the From: domains, the URIs appearing in the message bodies.
Where a large number of characteristics were shared, these indicated common traits that suggested the same botnet or spam operation were involved.
Data and Commentary
Correlating interconnections between botnet spam campaigns
- Research shows that different botnets may perform very similar spam campaigns in the same period of time, and are strongly interconnected through several characteristics of spam messages.
- For example, Figure C.8 visualizes approximately 1,200 spam campaigns sent through Rustock, Grum, Cutwail and Mega-D. The small nodes in the center of the graph indicate bot host names that are shared among 2 or more botnets. Similar interconnections were obtained for other characteristics as well, such as the Subject: lines, From: domains, URLs, etc.
- The analysis hypothesized there were three possible explanations for these interconnections between different botnets:
- (i) Certain computers can be compromised by more than one bot and are used in parallel by different spammers to perform similar-looking spam campaigns;
- (ii) Spammers controlling those botnets are collaborating (e.g., load balancing various spam campaigns on two or more botnets); and
- (iii) Botnet signatures may sometimes fail to identify bots with 100% of accuracy.
- Figure C.9, below, shows another example of a spam campaign sent through Lethic and Maazben on 3 consecutive dates, and involving shared URLs, Subject: lines, character sets and host names. At the time of analysis, all URIs were redirecting to the same website, which was distributing fake pharmaceutical products. A number of From: domains used in this campaign were also shared by the two botnets, but not shown on the graph.
Dynamics of spam campaigns
- Symantec research has showed that spam campaigns sent through Rustock/Grum botnets are rather long-lived and stable, whereas campaigns distributed through Lethic and Maazben are instead short-lived (they last on average between 2 and 7 days), and have a more polymorphic behavior with respect to certain features, such as the frequent use of different disposable URLs and From: domains, which are being changed every day.
Impact of the Rustock take-down
- On March 16th -17th 2011, Rustock C&C servers located in the U.S. were seized by federal law enforcement agents, thanks to a coordinated anti-botnet action led by the security industry and U.S. federal authorities. As a result of this action (dubbed Operation b107), the botnet was almost completely shut down.
- Looking at global spam volumes, Bagle apparently stepped up to service the spammers. However, this relative increase in spam activity from Bagle was not a direct consequence of the Rustock takedown.
- Instead, our research shows that Grum has much more likely taken over (at least in part) Rustock activities. We found that the two botnets were strongly interconnected by a number of common elements, such as the Subject: lines, the From: domains used to send spam, the charset, and more importantly, the URIs embedded in the messages. Perhaps even more conclusively, those shared URIs were pointing to different domains registered by the same person (according to WHOIS data registry).
- All those interconnections between the two botnets lead us to think that part of Rustock activity was likely to have been offloaded to Grum shortly after its takedown.