Spam climbing back up after botnets return online

The amount of unwanted email is again surging after a host of botnets -- led by the high-powered Srizbi network of compromised machines -- have reconnected to internet service providers.

The volume of spam dropped dramatically over the past couple of weeks following the shutdown of a Silicon Valley-based web hosting provider, McColo.

As it turned out, McColo -- which appears to have ceased operating -- provided hosting capabilities for a number of unscrupulous cybergangs, some dedicated to the delivery of spam. After two internet service providers pulled the plug on McColo, the amount of spam fell by as much as 80 percent.

But it is climbing back after the botnets, such as Rustock, Mega-D and Srizbi, have re-established connectivity to their command-and-control centers, said Matt Sergeant, senior anti-spam technologist at MessageLabs, now owned by Symantec.

"When McColo went down, their command-and-control centers went away," Sergeant said. "What that means is the bots weren't getting any new work orders. Without new updates, eventually they just teeter out and die down."

The spammers have apparently been able to get back online thanks to an alternative plan, he said. Instead of relying on McColo's range of IP addresses to host their command-and-control centers, some of the bots contain an algorithm in the binary code that generates a unique domain name at which they can check for instructions.

"[The backup domain names] are automatically generated by the bots," Sergeant said. "The spammer then knows the algorithm used to generate that name and points that domain name at the new command-and-control center."
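The mechanism Sergeant describes, bots computing domain names from an algorithm and the operator registering one of them, leaves a footprint that a defender can look for: a single host resolving a burst of long, consonant-heavy, high-entropy names that no human would have typed. The script below is an added illustration, not code from the article, MessageLabs or FireEye. It runs simple lexical heuristics (label length, Shannon entropy, vowel ratio) over a constructed resolver log and reports clients with several such lookups; the log format, the thresholds, and the short-suffix heuristic in `registrable_label` are all assumptions made for the example.

```python
"""Flag DGA-like domain lookups in a DNS resolver log (added defensive example)."""
import math
from collections import defaultdict

# Constructed sample resolver log (not real data); one query per line:
# "<timestamp> <client-ip> <queried-name> <rcode>"  -- the format is an assumption.
SAMPLE_LOG = """\
2008-11-26T09:00:01 10.0.0.15 www.example.com NOERROR
2008-11-26T09:00:02 10.0.0.15 mail.example.com NOERROR
2008-11-26T09:00:03 10.0.0.42 qzjxkvbtrw.com NXDOMAIN
2008-11-26T09:00:04 10.0.0.42 plmrzhgxkq.net NXDOMAIN
2008-11-26T09:00:05 10.0.0.42 xwvtqkjzrm.com NXDOMAIN
2008-11-26T09:00:06 10.0.0.42 dfgkjhslqw.biz NOERROR
2008-11-26T09:00:07 10.0.0.15 cdn.example.org NOERROR
2008-11-26T09:00:08 10.0.0.77 news.example.co.uk NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name):
    """Return the label a registrant chose, e.g. 'example' for www.example.co.uk.

    Heuristic (an assumption, not a public-suffix list): if the second-level
    label is short (<= 3 chars, like 'co'), treat the third-level label as the
    registrable one.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    if len(labels) >= 3 and len(labels[-2]) <= 3:
        return labels[-3]
    return labels[-2]


def dga_features(name):
    """Lexical features of the registrable label that algorithmic names tend to share."""
    label = registrable_label(name)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {"length": len(label), "entropy": shannon_entropy(label), "vowel_ratio": vowel_ratio}


def is_dga_like(name):
    """Score the features; thresholds are illustrative and will need tuning per environment."""
    f = dga_features(name)
    score = int(f["length"] >= 10) + int(f["entropy"] >= 3.0) + int(f["vowel_ratio"] < 0.2)
    return score >= 2


def scan_log(log_text, min_hits=3):
    """Group DGA-like lookups by client; return {client: [names]} for clients with >= min_hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, _rcode = parts
        if is_dga_like(qname):
            hits[client].append(qname)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in scan_log(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups -> {', '.join(names)}")
```

Lexical scoring alone produces false positives on legitimate CDN and tracking hostnames, which is why the report is keyed on clients making repeated such lookups rather than on single names; in practice one would also weight NXDOMAIN responses, since most names a bot generates are never registered.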

The Srizbi botnet, responsible for about half of all spam, regained its legs on Tuesday, according to a blog post from security firm FireEye.

"Srizbi has returned from the dead and has begun updating all its bots with a fresh, new binary," said the post. "The worldwide update began just a few hours ago. The new command-and-control servers are located in Estonia, and the domains registered through a registrar in Russia."

The level of spam jumped 112 percent on Tuesday, but still remains well off its highs of earlier in the month, according to IronPort.

Sergeant said the drop in spam over the last two weeks soon will be a distant memory. But the spammers surely took a financial hit during that time.

"They have had to find new and presumably more expensive command-and-control hosting," he said. "And it's been basically two weeks without their spam-sending capabilities, so they've lost out on a lot of money there."
