Botnets Marching On

By Matthew Hines  |  Posted 2008-07-10 Print this article Print

E-mail security specialists Commtouch Software have released their latest security trends report, which illustrates the major hand that botnet-controlled machines continue to play in the distribution of spam and malware.

According to the company's Q2 2008 E-mail Threats Trend Report, roughly 10 million zombie computers were actively distributing spam and e-mail-based malware on average every single day during Q2, with most of the involved IP addresses being brought in and out of use dynamically to avoid being added to ISPs' black lists of known botnet-owned locations.

"Dynamic control of large numbers of zombie IPs is what allows the continuous delivery of malicious materials across the Internet," Commtouch researchers said in their report. "By the time traditional security solutions identify and block the source of a new threat, the botmaster easily deactivates them and switches to another set of sender IPs under his control."

The employment of dynamic IP address use is keeping the efficacy of blacklists relatively low, allowing the botnet-driven campaigns to flourish onwards as ISPs play it safe and make sure not to block legitimate e-mail, the researchers maintain.

ISPs are being victimized now more than ever as botnet herders increasingly exploit infrastructure either by sending spam directly to the Internet using port 25, or creating child e-mail accounts from legitimate subscriber's machines, Commtouch reported.

"This puts service providers in the challenging position of not only needing to protect their subscribers from inbound spam that fills their inboxes, but they must also defend against being used by zombies to send spam out across the Internet," the experts said.

The security company's Commtouch Zombie Lab consistently finds that the highest volumes of spam are being distributed from IP addresses that belong to ISPs.

In terms of geographic nuance, Turkey took over first place worldwide for the sheer number of botnet-owned IPs, accounting for 11 percent of all those the researchers tracked during Q2, followed closely behind by Brazil and Russia with 8.4 percent and 7.4 percent, respectively.

Perhaps based on the work of security researchers to work more closely with U.S.-based ISPs and hosting companies that had become the nation's leading sources of spam and badware, the United States dropped into ninth place on the worldwide zombie network scene, accounting for just 4.3 percent of all zombie IPs, compared with 5 percent in Q1 2008.

Overall spam levels remained fairly consistent across the three-month period between April and June, accounting for 77 percent of all e-mails monitored by Commtouch, ranging from 64 percent to 94 percent at different intervals. The Q2 average remained on just about the same level as Q1 2008.

In the world of phishing, attackers found new victims in the education segment, specifically among college students, according to the report. After luring college kids into handing over their e-mail credentials, many of the subverted accounts are being used for subsequent phishing and spear-phishing attacks.

Messages designed to look as if they come from Google's AdWords program were another hot area of activity for phishers, and love-themed spam e-mails were also back in vogue.

The big-picture assessment has to be that not much is changing in the world of botnets, spam or phishing, indicating that the schemes/techniques are all still generating plenty of income for the bad guys and that little progress is being made in stopping the problem.

You have to wonder when the ISP crowd is finally going to put the clamps on it all somehow, because it sounds like ultimately they're the ones who are absorbing most of the pain.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel