Feeds

Next-gen botnet armies fill spam void

Out with the old, in with the new

  • alert
  • submit to reddit

Build a business case: developing custom apps

The demise late last year of four of the world's biggest spam botnets was good news for anyone with an email inbox, as spam levels were cut in half - almost overnight. But the vacuum has created opportunities for a new breed of bots, some of which could be much tougher to bring down, several security experts are warning.

New botnets with names like Waledac and Xarvester are filling the void left by the dismantling of Storm and the impairment of Bobax, Rustock, and Srizbi, these researchers say. The new breed of botnets - massive networks of infected Windows machines that spammers use to blast out billions of junk messages - sport some new designs that may make them more immune to current take-down tactics.

Waledac is a good example. It appears to be a complete revision of Storm, that includes the same state-of-the-art peer-to-peer technology and fast-flux hosting found in its predecessor, according to researcher Joe Stewart of Atlanta-based security provider SecureWorks. But it differs from Storm in one significant way: Weak encryption protocols, which proved to be an Achilles Heel that led to its downfall, have been completely revamped.

"Several researchers are actively studying the communications, but I don't know if and when it will be broken and hijackable," said Jose Nazario, a security researcher at Arbor Networks. "The guys behind the botnet seems intent on staying up and so evading researchers seems like the most appropriate thing to do."

Waledac has amassed some 10,000 zombie computers so far, a tiny fraction of the bigger botnets. But Stewart expects it to be a major player in the coming months.

Meanwhile, a spam botnet called Xarvester is making similar inroads. It is the world's third-biggest spammer, accounting for over 13 percent of the world's spam, according to Marshall. What's more, its uncanny resemblance to Srizbi has sparked suspicions it is a reincarnation of that notorious botnet. Similarities include an HTTP-based command and control center that uses non-standard ports, encrypted template files used to send spam and configuration files with the common formats and data.

It also has a sophisticated feedback system that helps bot developers squash bugs so the software is harder to detect on a victim's machine.

"Just like Srizbi, Xarvester has the ability to upload the Windows minidump crash dump file to a control server in the event that the bot crashes a system," according to this analysis from Marshall. "This is presumably to help the botnet controllers debug their bot software."

Last year represented a bonanza for security watchers, who toiled for years trying to take down the networks. The monster botnet known as Storm was taken out of commission altogether, thanks to security experts who discovered a design flaw that allowed them disrupt it. Bobax, Rustock, and Srizbi were severely impaired - at least for a time - thanks to the shutdown of Atrivo, McColo, and another internet host provider that provided connectivity to the rogue networks, and so far, they have yet to stage much of a comeback.

But more than a defeat, the closures more likely represent an upgrade, in much the way Microsoft and Apple decommission older operating systems to make way for newer ones.

"Ultimately, the authors of Storm, Bobax, and Srizbi chose to stay down for one reason or another," Stewart wrote in an email sent to El Reg. "Sure, we as researchers may have been degrading their ability to keep their botnet as large as they wanted, but they made the choice to not come back online (or chose to upgrade, in the case of Storm)."

At the same time, new botnets are on the rise, Cutwail and several other established spam botnet are also taking advantage of the lull. Stewart has a list of botnets to watch in 2009 here. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?