Wednesday, March 03, 2010

Spamming Botnets - Strategies welcome

Several mailing lists have been buzzing in the aftermath of the recent shutdown attempts against the Waledac network. The results of this shutdown can best be seen by visiting the Waledac tracker run by our friend Jeremy at SudoSecure.

Prior to the action of Microsoft's Digital Crimes Unit in their Operation b49, Waledac was propagating itself with more than 200 Chinese-registered domain names, and was found just in December to have sent more than 651 million emails just to recipients! In response to their action in court, "Microsoft Corporation v. John Does 1-27", the unusual motion was granted to have Verisign terminate the domains in light of the refusal of China Springboard to cooperate. In the days immediately following this action, the final few domain names were terminated, most recently "" and "".

Waledac was a peer-to-peer / P2P botnet that uses fast-flux hosting of Chinese registered domain names in order to guarantee long-life to itself. Waledac was often called the successor to the Storm botnet because the bots do not communicate directly with the "true" Command & Control, but rather have a "peer list" which they are in constant contact with. Bots make queries either to their hard-coded peers, or by asking one of the bot-controlled domain names for a file, usually a .gif, .jpg, or .png file. Instead of receiving back a graphics file however, they receive back a custom-coded reply which either gives them an instruction, or causes them to update their spam template or receiving email list.

Some excellent research has been performed on Waledac in recent months, including the "Walowdac" research project lead by Thorsten Holz and researchers at the University of Mannheim and the University of Vienna (Ben Stock, Jan Gobel, Markus Engelberth, Felix Freiling). Their custom-crafted Waledac clone was able to fully communicate with the botnet, but did not send spam. They found that Waledac had an average size of 55,000 active bots on any given day (August 6, 2009 - September 1, 2009).

At UAB we had mostly focused on alerting the public of various attempts by the Waledac network to spread itself via email, including:

- 2009 New Years greetings
- Fake coupon offers
- Fake Reuters story about a Terrorist bomb
- an SMS Spy program
- Independence Day Fireworks
- 2009 Christmas / 2010 New Year's cards

What Next?

Unfortunately, while Waledac was at various times in the past year a "Top Ten Spam Botnet", the biggest botnets are orders of magnitude larger and still spamming like crazy.

Michael Kassner and Terry Zink have both been blogging on the current situation. Kassner gave a list of the Top 10 spam botnets: New and Improved over at TechRepublic, largely based on Terry's series Which botnet sends the most spam? over on MSDN in his Anti-malware Blog.

The Top Ten list, from their perspective, includes:

Bot Names# of BotsSpam Per Day
Grum600,00040 billion
Bobax (aka Kraken)100,00027 billion
Pushdo/Cutwail/Pandex?19 billion
Rustock2,000,00017 billion
Bagle/Beagle/Mitglieder500,00014 billion
Mega-D/Ozdok50,00011 billion
Maazben300,0002.5 billion
Xarvester60,0002.5 billion
Donbot100,000800 million
Gheg60,000400 million

Are those numbers "true"? Every security company has a different opinion on the size and strength and spam volume of the various botnets. What I can say is "their estimates are based on sound logic".

One of my personal favorites for sizing spamming botnets is the guys over at M86 Security with their weekly chart called Tracking Spam Botnets. Here's their most recent graphic:

Looking at the historical data over at their website, although we can talk about the Top Ten, Rustock has been the top spamming botnet since at least July, and currently is responsible for 50.7% of all the spam on the planet! I've challenged this over-emphasis on Rustock with their researchers, actually while they were still "Marshal", and as I said above, "their estimates are based on sound logic".

Another of my favorite spam trackers is MessageLabs. These guys produce fantastic intelligence that is quite accessible in their monthly Messagelabs Intelligence Reports. I'll call special attention to their 2009 Annual Security Report which had as a major theme "Botnets Bounce Back with Sharpened Survival Skills".


Those of you have heard me speak in person know that I believe the answer to these botnets and their continued survival must be the Criminal Justice process. When McColo was shut down (see Analyzing the Aftermath of the McColo Shutdown or Brian Krebs' Major Source of Online Scams and Spams Knocked Offline) spam had a significant world-wide drop in volume, but it rebounded. Why? Because no bad guys went to jail.

Our friends at FireEye are doing amazing botnet work (see their blog @ FireEye Malware Intelligence Lab, but without convictions, even the successful botnet takedowns, like their work on Smashing the Mega-D/Ozdok Botnet eventually rebound.

(by the way - FireEye has the best low-down on the Pushdo/Cutwail botnet and its current Command & Control structure.)

Cautions are already being expressed as a result of the Waledac take-down, that by using TECHNOLOGY to do the takedowns instead of CRIMINAL JUSTICE APPROACHES that we are just helping to rapidly evolve the capabilities of the various cyber criminals who make their living through spam.

We have to move from DISABLING the C&C networks, to MONITORING the C&C networks. Bad guys need to stop worrying about having to lease new servers, and start worrying about the long arm of the law knocking at their door. Its why we do what we do the way we do at UAB. Our Computer Forensics Research program partners the Computer & Information Sciences department with the Justice Sciences department, and draws heavily on graduate students and faculty members from both departments to help make a better informed and better equipped cybercrime investigator with the goal of changing the way we fight cybercrime.


Today Panda Labs released details of the takedown of the Mariposa Botnet. This botnet, run by the DDP Team (Días de Pesadilla Team), had a shocking discovery at the end - TWELVE MILLION IP addresses were making regular contact with the C&C servers! From the article:
On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. “jonyloleante”, and J.B.R., 25, a.k.a. “ostiator”. Both of them were arrested on February 24, 2010."

The AP also issued a story about the arrests: Authorities bust 3 in infection of 13M computers. Fox News also ran a story, Malicious Botnet Found in 50 of Fortune 100.

Congratulations to the Spanish Civil Guard, Panda Labs, and the other members of the Mariposa Working Group (Defence Intelligence, and the Georgia Tech Information Security Center)

A technical analysis of the Mariposa botnet is available from Defence Intelligence.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.