Botnets Bouncing Back

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Just weeks after the shutdown of major spam host McColo led to a sharp drop in unwanted e-mails, spammers and malicious botnets are showing signs of returning.

McColo's takedown by its ISPs also hit botnets like Srizbi hard, since they had been hosted on McColo -- and their designs made them especially vulnerable to the loss of their host, according to Derek Manky, lead threat researcher for Fortinet.

"Srizbi, for example, was using hard-coded command-and-control servers hosted at McColo, and when these were taken offline, the botnet was rendered useless," Manky told InternetNews.com in an e-mail.

However, Srizbi, Rustock, Asprox and other botnets are beginning to come back to life, if shakily, experts said. And they may have new allies in the form of cash-strapped ISPs.

That's especially grim news considering the already-troubling scope of the problem posed by these botnets. Srizbi and Rustock are the world's largest and second-largest botnets based on the amount of spam they send, according to Alex Lanstein, senior researcher at security vendor FireEye. Meanwhile, Asprox launches SQL injection attacks and was used in attacks on two of Adobe's (NASDAQ: ADBE) Web sites in October.

Worse, Manky predicted that the bad guys will invest time and effort in creating more robust models that will be more difficult to take down in the future.

The news marks the latest chapter in the ongoing war against spam, botnets and malware hosts. Anti-spam efforts have been going on for years, but they have generally been fragmented, with individual companies and, sometimes, law enforcement, generally going it alone with little support from ISPs.

And while ISPs were a critical component in McColo's shutdown, that may prove to be the exception rather than the rule, thanks to an economic crisis that shows few signs of abating. With financial woes looming, experts warn that there will be no shortage of ISPs lining up to take McColo's place in return for a piece of the spammers' profits.

"There's money to be made in this, and in these turbulent economic times, struggling hosting companies may engage in illicit hosting activities just to stay afloat," Zulfikar Ramzan, technical director at Symantec, (NASDAQ: SYMC) told InternetNews.com.

Inevitable return?

The botnets' return comes as no surprise to the computer security community.

"It was a question of when, rather than if, spammers would be back up after McColo was taken down," Ramzan said.

Making matters worse is that Ramzan and Fortinet's Manky see botnet operators taking steps to make their networks more resilient -- for instance, by adopting peer-to-peer (P2) technology that won't require centralized servers.

However, FireEye's Lanstein told InternetNews.com that he doubts that botnets will migrate to a P2P design, because over a long period, all the computers in a P2P network will talk to each other. As a result, if anti-malware researchers are able to locate one of the botnet's machines, they may be able to trace the others.

In addition to returning with new support from ISPs and more robust networks, botnets' efforts to pump out spam are also on the rise simply because this is the holiday season -- which often sees an increase in spam because people want to shop online, Ramzan said.

Fortinet's Manky added that he has observed an increase in spam using holiday-related phrases since Black Friday, the start of the holiday shopping season.

"When looking at certain keywords, such as 'Christmas,' 'gifts' [and] 'discounts,' spam has risen approximately threefold," he said. "So it looks as though there is an effort in terms of campaigns to leverage this."

This article was first published on InternetNews.com. To read the full article, click here.