Application security, Malware

Analysis finds little movement in “spambot ecosystem”

The days of massive – and new – spambots may be over for now, but that doesn't mean the fight against unwanted mail is, according to research released Wednesday by Dell SecureWorks.

Joe Stewart, who heads the company's Counter Threat Unit, said that beginning in 2008, he began trying to connect malware used to compromise machines to send spam with its purveyors.

He figured that the research would turn up several new spambots, but he instead found that many of the players from two years ago are still on the scene. As a result, much of Stewart's investigation focused on defining the current characteristics of each zombie network so they can be more effectively stopped.

“Everything that is spamming now was spamming two years ago, but in different quantities,” Stewart said.

He attributed the decline in large spambots – in years past, it was not uncommon to see a few each carrying hundreds of thousands of nodes – and the lack of new ones to be an indication of a few things.

For one, blacklists may be getting more effective. Also, too large of spambots may generate unwanted attention for their controllers. Too, botmasters may have determined that owning too many IP addresses may not necessarily be cost effective.

Indeed, security firm M86 released a report this week that pointed to spam volume significantly falling, down to one-third the level at the end of 2010 when compared to six months prior. Some of that decline is attributable to one prolific spambot, Mega-D, no longer being on the radar, after its operator was arrested late last year.

But there still are many spambots to fill its place.

Rustock, with an estimated 250,000 nodes, remains the most innovative of the group, Stewart said. It contains advanced rootkit functionality and uses encryption that resembles a legitimate HTTP connection in an attempt to cloak its communication with its command-and-control hub.

Rustock, in fact, is programmed to know that researchers such as Stewart want to study it. So when Stewart purposely infected a test machine with the bot malware, he noticed that the computer didn't start spewing spam for five days.

“They know there are people trying to get spam patterns out of it,” he said. ,

Other botnets, such as Lethic and Festi, made up of about 60,000 or 70,000 nodes each, have grown their arsenal in recent years.

Festi, in particular, could be one to watch because it has been developing a distributed denial-of-service platform, meaning computers under its control could be used to launch attacks against websites of its controller's choosing.

“If you're putting a DDoS engine into your botnet, you're saying you're unabashedly aggressive,” Stewart said.

But better defenses against IP addresses under a botnet's control could be fast coming.

There is reason to believe blacklists will become even more effective in coming years as the dominant IP standard becomes IP version 6 (IPv6). That would mean an increase in IP addresses, so service providers will be more inclined to assign static IP addresses instead of ones that incrementally change.

As for advice for security professionals, when a compromised computer is spotted in the workplace, practitioners best advised to reformat and reimage that machine, Stewart said.

That is because even if an anti-virus program was able to clean the client of infection, it is possible that because the machine already was owned, it may have been infected by malware from another family through what is known as “pay-per- install.”

“That one piece of malware is like the tip of the iceberg,” Stewart said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.