Feeds

Next-gen botnet armies fill spam void

Out with the old, in with the new

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

The demise late last year of four of the world's biggest spam botnets was good news for anyone with an email inbox, as spam levels were cut in half - almost overnight. But the vacuum has created opportunities for a new breed of bots, some of which could be much tougher to bring down, several security experts are warning.

New botnets with names like Waledac and Xarvester are filling the void left by the dismantling of Storm and the impairment of Bobax, Rustock, and Srizbi, these researchers say. The new breed of botnets - massive networks of infected Windows machines that spammers use to blast out billions of junk messages - sport some new designs that may make them more immune to current take-down tactics.

Waledac is a good example. It appears to be a complete revision of Storm, that includes the same state-of-the-art peer-to-peer technology and fast-flux hosting found in its predecessor, according to researcher Joe Stewart of Atlanta-based security provider SecureWorks. But it differs from Storm in one significant way: Weak encryption protocols, which proved to be an Achilles Heel that led to its downfall, have been completely revamped.

"Several researchers are actively studying the communications, but I don't know if and when it will be broken and hijackable," said Jose Nazario, a security researcher at Arbor Networks. "The guys behind the botnet seems intent on staying up and so evading researchers seems like the most appropriate thing to do."

Waledac has amassed some 10,000 zombie computers so far, a tiny fraction of the bigger botnets. But Stewart expects it to be a major player in the coming months.

Meanwhile, a spam botnet called Xarvester is making similar inroads. It is the world's third-biggest spammer, accounting for over 13 percent of the world's spam, according to Marshall. What's more, its uncanny resemblance to Srizbi has sparked suspicions it is a reincarnation of that notorious botnet. Similarities include an HTTP-based command and control center that uses non-standard ports, encrypted template files used to send spam and configuration files with the common formats and data.

It also has a sophisticated feedback system that helps bot developers squash bugs so the software is harder to detect on a victim's machine.

"Just like Srizbi, Xarvester has the ability to upload the Windows minidump crash dump file to a control server in the event that the bot crashes a system," according to this analysis from Marshall. "This is presumably to help the botnet controllers debug their bot software."

Last year represented a bonanza for security watchers, who toiled for years trying to take down the networks. The monster botnet known as Storm was taken out of commission altogether, thanks to security experts who discovered a design flaw that allowed them disrupt it. Bobax, Rustock, and Srizbi were severely impaired - at least for a time - thanks to the shutdown of Atrivo, McColo, and another internet host provider that provided connectivity to the rogue networks, and so far, they have yet to stage much of a comeback.

But more than a defeat, the closures more likely represent an upgrade, in much the way Microsoft and Apple decommission older operating systems to make way for newer ones.

"Ultimately, the authors of Storm, Bobax, and Srizbi chose to stay down for one reason or another," Stewart wrote in an email sent to El Reg. "Sure, we as researchers may have been degrading their ability to keep their botnet as large as they wanted, but they made the choice to not come back online (or chose to upgrade, in the case of Storm)."

At the same time, new botnets are on the rise, Cutwail and several other established spam botnet are also taking advantage of the lull. Stewart has a list of botnets to watch in 2009 here. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.