From the shutdown of McColo to last week’s disruption of the Pushdo botnet, spammers have continually found ways to stay in business.
Nearly 20 of the 30 command and control (CnC) servers associated with Pushdo were taken offline last week due to efforts by security vendor LastLine. The servers were supported by eight hosting providers, some of which did not respond to the vendor’s requests for action.
According to Thorsten Holz, senior threat analyst with LastLine, the goal of the company’s research was not to completely take down the botnet, but to gain insight into Pushdo’s CnC infrastructure. At full strength, the botnet was believed to be responsible for between 7 and 10 percent of all spam.
“We worked with different hosting providers and [got] a quick response from many of them, but unfortunately not all providers reacted on our abuse requests,” he said. “Especially the hosting providers from China did not react at all, which is kind of disappointing.
“Better cooperation and coordination would help in the future; we are in the process of building better relationships with more hosting providers,” Holz added.
While roughly two-thirds of Pushdo’s servers were knocked offline, spam from the botnet is recovering, according to M86 Security. In addition, Matt Sergeant, senior anti-spam technologist with Symantec Hosted Services, said overall spam levels today stand relatively unchanged.
“Considering the fact that the entire botnet was not taken down thanks to these bulletproof hosting companies, it appears that the botnet was still able to operate and create a good deal of traffic,” said Fred Touchette, senior security analyst at AppRiver. “Virus levels are down overall on the other hand, but not much, and it’s unclear whether or not this is due to the takedown efforts.”
In order for a botnet shutdown to be effective, all CnC servers have to be taken down simultaneously, said Gunter Ollmann, vice president of research at Damballa.
“If even one single CnC server is left up, the botnet will still be operational,” Ollmann said. “Then, once the botnet operator has spun up some of his spare or reserve CnC servers, he simply pushes a configuration file update down to all the victim computers within the botnet with the list of the new CnC servers. The only other way to permanently shut down a botnet is to locate and remove the operators themselves-but even this has problems as evidenced in the almost comic way in which the botnet operators behind the Mariposa botnet were able to resume control [temporarily] after being arrested.”
In response to the takedown, Touchette expects those in control of Pushdo will continue to spread their control servers across various countries and hosting companies to guarantee uptime.
“They may even begin to develop new code for their botnets which change the way they can communicate with each other in order to protect their numbers,” he said. “Something like a peer-to-peer communication between the bots themselves would eliminate the need for centralized command and control servers.”
The list of command and control servers is not static, added Ollmann, and can be dynamically changed at any time.
“Most botnet operators factor in a certain degree of attrition to their CnC infrastructure and are therefore experienced in quickly spinning up new and additional CnC servers rapidly,” he said.