Spam climbing back up after botnets return online

The amount of unwanted email is again surging after a host of botnets -- led by the high-powered Srizbi network of compromised machines -- have reconnected to internet service providers.

The volume of spam dropped dramatically over the past couple of weeks following the shutdown of a Silicon Valley-based web hosting provider, McColo.

As it turned out, McColo -- which appears to have ceased operating -- provided hosting capabilities for a number of unscrupulous cybergangs, some dedicated to the delivery of spam. After two internet service providers pulled the plug on McColo, the amount of spam fell by as much as 80 percent.

But it is climbing back after the botnets, such as Rustock, Mega-D and Srizbi, have re-established connectivity to their command-and-control centers, said Matt Sergeant, senior anti-spam technologist at MessageLabs, now owned by Symantec.

"When McColo went down, their command-and-control centers went away," Sergeant said. "What that means is the bots weren't getting any new work orders. Without new updates, eventually they just teeter out and die down."

The spammers have apparently been able to get back online thanks to an alternative plan, he said. Instead of relying on McColo's range of IP addresses to host their command-and-control centers, some of the bots contain an algorithm in the binary code that generates a unique domain name at which they can check for instructions.

"[The backup domain names] are automatically generated by the bots," Sergeant said. "The spammer then knows the algorithm used to generate that name and points that domain name at the new command-and-control center."
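The defensive counterpart to the mechanism Sergeant describes: once the generation algorithm is recovered from the bot binary, the same determinism lets a defender pre-compute the upcoming rendezvous domains and match them against DNS logs. The code below is an added illustration, not Srizbi's algorithm or anything from the article; the date-seeded generator, its seed, the reserved `.example` TLD and the `<client_ip> <qname>` log format are all constructed for this example.

```python
import hashlib
from datetime import date, timedelta

# Constructed, hypothetical date-seeded generator standing in for the kind of
# fallback-domain algorithm the article describes. It is NOT Srizbi's or any
# real botnet's algorithm; the seed and TLD are made up for this example.
def candidate_domain(day_iso: str, seed: bytes = b"constructed-seed", tld: str = "example") -> str:
    digest = hashlib.sha256(seed + day_iso.encode()).hexdigest()
    # Fold the first 12 hex digits into lowercase letters to form the label.
    label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
    return f"{label}.{tld}"

def predicted_domains(start_iso: str, days: int) -> set[str]:
    """What a defender who has recovered the algorithm can pre-compute: the
    rendezvous domains for the next `days` days, to sinkhole or blocklist
    before the operator points them at a new command-and-control server."""
    start = date.fromisoformat(start_iso)
    return {candidate_domain((start + timedelta(days=d)).isoformat()) for d in range(days)}

def flag_hosts(dns_log_lines, watchlist: set[str]) -> dict[str, list[str]]:
    """Map client IP -> predicted domains it resolved. Constructed log format:
    '<client_ip> <qname>' per line; malformed lines are skipped."""
    hits: dict[str, list[str]] = {}
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        ip, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in watchlist:
            hits.setdefault(ip, []).append(qname)
    return hits

def demo() -> dict[str, list[str]]:
    """Run the check over a constructed three-line DNS query log."""
    watch = predicted_domains("2008-11-25", 7)
    log = [
        f"10.0.0.5 {candidate_domain('2008-11-25')}.",  # infected client
        "10.0.0.9 www.example.com.",                     # clean client
        "malformed line that should be ignored",
    ]
    return flag_hosts(log, watch)

if __name__ == "__main__":
    print(demo())  # only the 10.0.0.5 client is flagged
```

Registering or sinkholing the predicted domains ahead of the operator is what turns the algorithm's predictability from the spammer's advantage into the defender's.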

The Srizbi botnet, responsible for about half of all spam, regained its legs on Tuesday, according to a blog post from security firm FireEye.

"Srizbi has returned from the dead and has begun updating all its bots with a fresh, new binary," said the post. "The worldwide update began just a few hours ago. The new command-and-control servers are located in Estonia, and the domains registered through a registrar in Russia."

The level of spam jumped 112 percent on Tuesday, but still remains well off its highs of earlier in the month, according to IronPort.

Sergeant said the drop in spam over the last two weeks soon will be a distant memory. But the spammers surely took a financial hit during that time.

"They have had to find new and presumably more expensive command-and-control hosting," he said. "And it's been basically two weeks without their spam-sending capabilities, so they've lost out on a lot of money there."
