Botnets Tighten Defenses Year After McColo Shutdown

In the roughly 12 months since the McColo shutdown caused a short but dramatic drop in spam, botnet operators have changed tactics to minimize the impact of authorities shutting down their ISPs. Security researchers discussed how with eWEEK.

In the year since the shutdown of notorious Web hosting firm McColo, spammers are growing strong. In fact, researchers at McAfee reported that spam accounted for 92 percent of e-mail in the second quarter of 2009.

Part of this is the result of improvements by botnet operators. Like anyone who is successful what they do, the people controlling the most powerful botnets in cyber-space learn from their mistakes.

"McColo affected a couple of main botnets seriously, notably Srizbi which has never recovered and Rustock which took an immediate hit before recovering over time," explained Bradley Anstis, vice president of technical strategy at M86 Security. "One of the immediate changes was the use of hard coded domains in the malware body instead of IP addresses. Before, domains could be changed to different IP addresses to provide a recovery option on their command and control methods."

"In general," he continued, "they have improved the availability and resilience of their command and control servers and in some ways the McColo take down has driven them more underground and forced them to use more different methods, making it harder to detect. Some examples that have already been seen have been the use of Twitter, Google Groups and Facebook."

In the aftermath of the takedown of McColo - as well as Internet Service Provider (ISP) Intercage/Atrivio - some security researchers predicted there were would be an increase in fast-flux botnets. However those predictions do not appear to have panned out as much as some thought.

"Fast flux appears to have not been as successful as the spammers required it to be," opined Matt Sergeant, Senior Anti-Spam Technologist for Symantec Hosted Services. "Or perhaps the additional overhead of requiring fast performing DNS servers as part of the botnet code wasn't working for them. Either way, it appears to be less of an issue now."

According to Anstis though, fast-flux is used by up and coming botnets such as Avalanche and is pretty widespread at the moment. Its popularity could easily increase, he said.

Regardless, the biggest botnets have found other ways to thwart anyone targeting them. When the FTC shutdown ISP 3FN for example, it disrupted Cutwail for two days, but the botnet bounced right back, Sergeant noted.

"After that there was no "ramp-up" time," he said. "They were just immediately back to 100 percent operational. They updated their algorithm for finding new command and control hosts so that it didn't require a hard-coded ISP location, and could be very well hidden from anyone wanting to know where the next C&C (command and control) might be."

Rustock meanwhile is probably the leader in terms of modulating the shield harmonics on an ongoing basis, noted Joe Stewart, Counter Threat Unit security researcher at SecureWorks. While botnet operators may change tactics, he added, that doesn't mean ISP takedowns should not be a more common occurrence.

"In my opinion, any ISP that willfully ignores legitimate abuse complaints about major criminal botnet operations operating on their networks for months at a time should have their connection to the Internet severed," he said.