In the year since the shutdown of notorious Web hosting firm McColo,
spammers are growing strong. In fact, researchers at McAfee reported
that spam accounted for 92 percent of e-mail in the second quarter of
2009.
Part of this is the result of improvements by botnet operators. Like
anyone who is successful what they do, the people controlling the most
powerful botnets in cyber-space learn from their mistakes.
“McColo affected a couple of main botnets seriously, notably Srizbi which has never recovered and Rustock which took an
immediate hit before recovering over time,” explained Bradley Anstis,
vice president of technical strategy at M86 Security. “One of the
immediate changes was the use of hard coded domains in the malware body
instead of IP addresses. Before, domains could be changed to different
IP addresses to provide a recovery option on their command and
control methods."
“In general,” he continued, “they have improved the availability and
resilience of their command and control servers and in some ways the
McColo take down has driven them more underground and forced them to
use more different methods, making it harder to detect. Some examples
that have already been seen have been the use of Twitter, Google Groups and Facebook.”
In the aftermath of the takedown of McColo – as well as Internet
Service Provider (ISP) Intercage/Atrivio - some security researchers
predicted there were would be an increase in fast-flux botnets. However
those predictions do not appear to have panned out as much as some
thought.
“Fast flux appears to have not been as successful as the spammers
required it to be,” opined Matt Sergeant, Senior Anti-Spam Technologist
for Symantec Hosted Services. “Or perhaps the additional overhead of
requiring fast performing DNS servers as part of the botnet code wasn't
working for them. Either way, it appears to be less of an issue now.”
According to Anstis though, fast-flux is used by up and coming botnets such as Avalanche and is pretty widespread at the moment. Its popularity could easily increase, he said.
Regardless,
the biggest botnets have found other ways to thwart anyone targeting
them. When the FTC shutdown ISP 3FN for example, it disrupted Cutwail
for two days, but the botnet bounced right back, Sergeant noted.
“After
that there was no "ramp-up" time,” he said. “They were just immediately
back to 100 percent operational. They updated their algorithm for
finding new command and control hosts so that it didn’t require a
hard-coded ISP location, and could be very well hidden from anyone
wanting to know where the next C&C (command and control) might be.”
Rustock
meanwhile is probably the leader in terms of modulating the shield
harmonics on an ongoing basis, noted Joe Stewart, Counter Threat Unit
security
researcher at SecureWorks. While botnet operators may change tactics,
he added, that doesn’t mean ISP takedowns should not be a more common
occurrence.
“In
my opinion, any ISP that willfully ignores legitimate abuse complaints
about major criminal botnet operations operating on their networks for
months at a time should have their connection to the Internet severed,”
he said.
IT Security & Network Security News & Reviews News & Reviews 
