
Spam climbing back up after botnets return online

The amount of unwanted email is again surging after a host of botnets -- led by the high-powered Srizbi network of compromised machines -- have reconnected to internet service providers.

The volume of spam dropped dramatically over the past couple of weeks following the shutdown of a Silicon Valley-based web hosting provider, McColo.

As it turned out, McColo -- which appears to have ceased operating -- provided hosting capabilities for a number of unscrupulous cybergangs, some dedicated to the delivery of spam. After two internet service providers pulled the plug on McColo, the amount of spam fell by as much as 80 percent.

But it is climbing back after the botnets, such as Rustock, Mega-D and Srizbi, have re-established connectivity to their command-and-control centers, said Matt Sergeant, senior anti-spam technologist at MessageLabs, now owned by Symantec.

"When McColo went down, their command-and-control centers went away," Sergeant said. "What that means is the bots weren't getting any new work orders. Without new updates, eventually they just teeter out and die down."

The spammers have apparently been able to get back online thanks to an alternative plan, he said. Instead of relying on McColo's range of IP addresses to host their command-and-control centers, some of the bots contain an algorithm in the binary code that generates a unique domain name at which they can check for instructions.

"[The backup domain names] are automatically generated by the bots," Sergeant said. "The spammer then knows the algorithm used to generate that name and points that domain name at the new command-and-control center."
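As a defender-side illustration of the fallback mechanism Sergeant describes, here is an added example (not from the article, MessageLabs or FireEye) that scans DNS query logs for the random-looking names such a domain-generation routine produces and flags clients that look them up in bursts; the log format, thresholds and sample entries are assumptions constructed for this example.

```python
import math
from collections import Counter

# Constructed sample DNS query log (assumed format: "<timestamp> <client-ip> <queried-domain>").
# Host 10.0.0.31 is resolving random-looking names of the kind a bot emits while polling for a relocated C&C.
SAMPLE_DNS_LOG = """\
2008-11-25T10:01:02 10.0.0.12 www.example.com
2008-11-25T10:01:05 10.0.0.12 mail.example.org
2008-11-25T10:01:09 10.0.0.31 qkzxvbwjrtplmn.com
2008-11-25T10:01:10 10.0.0.31 hgtrwqpxzmvbkd.net
2008-11-25T10:01:11 10.0.0.31 xwtqzpvjkrmbdh.com
2008-11-25T10:01:15 10.0.0.12 cdn.example.net
"""

def shannon_entropy(s):
    """Bits of entropy per character; random labels score near log2(number of distinct characters)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def second_level_label(domain):
    """Return the registrable label, e.g. 'example' for 'www.example.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(domain, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels are typical of generated names.
    Thresholds are assumptions; tune them against your own baseline, since CDN and
    tracking hostnames can also be high-entropy (false positives)."""
    label = second_level_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def flag_hosts(log_text, min_hits=3):
    """Return {client_ip: count} for clients with at least min_hits generated-looking lookups.
    Counting per client matters: one odd lookup is noise, a burst is a bot polling for orders."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines instead of aborting the whole scan
        _timestamp, client, domain = fields
        if looks_generated(domain):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_DNS_LOG))  # {'10.0.0.31': 3}
```

In practice this scoring is combined with NXDOMAIN rates and newly-registered-domain feeds, since a bot that fails to resolve many candidate names before one succeeds leaves an even clearer trail.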

The Srizbi botnet, responsible for about half of all spam, regained its legs on Tuesday, according to a blog post from security firm FireEye.

"Srizbi has returned from the dead and has begun updating all its bots with a fresh, new binary," said the post. "The worldwide update began just a few hours ago. The new command-and-control servers are located in Estonia, and the domains registered through a registrar in Russia."

The level of spam jumped 112 percent on Tuesday, but still remains well off its highs of earlier in the month, according to IronPort.

Sergeant said the drop in spam over the last two weeks soon will be a distant memory. But the spammers surely took a financial hit during that time.

"They have had to find new and presumably more expensive command-and-control hosting," he said. "And it's been basically two weeks without their spam-sending capabilities, so they've lost out on a lot of money there."
