IT Security Blog

26 November 2008

The Honeymoon is Over


Apparently you just can't keep a good botnet down.

As expected, the honeymoon we have been on since the November 11th shutdown of McColo is over.  As we discussed in our previous post about the volume declines after the McColo shutdown, the Rustock botnet was able to update some of its infected machines during the roughly 12-hour period in which McColo was brought back online by TeliaSonera, a Swedish ISP.  Rustock has come back, and come back strong, over the past few days, mostly sending out Canadian Pharmacy spam (one of our all-time favorites).

Above are traffic graphs for the three major botnets that were affected by the McColo shutdown.  The big drop-offs for Srizbi and Mega-D are both on November 12 (the day after McColo was taken offline).  Traffic from both the Srizbi and Mega-D botnets has been virtually non-existent since the 12th.

The Rustock spike started on November 20, about 5 days after McColo was temporarily brought back online.

Just to keep us all on our toes, we've even seen some signs of life from the Storm botnet that most of us had written off for dead.  Although some of this traffic is thought to have come from poorly configured Barracuda devices, we're still keeping an eye out in case this botnet does come back.

Despite the resurrection of the Rustock botnet, overall mail volumes are still down about 30-35% from where they were prior to November 11.  Today, FireEye is reporting that the Srizbi botnet is back under the control of its original owners and that new command and control servers have been registered in Russia.  So, it stands to reason that Srizbi will not be dormant for much longer before we start to see spam volumes increasing again.  The last two weeks have been a nice holiday before the holiday, but it looks like we are very quickly getting back to business as usual... and that's just the way I like it!
Posted by smasiello at 1:25 PM | Link | 1 comment
17 November 2008

The Day the Botnet Died


Last week we reported the significant decrease in spam volumes as a result of the shutdown of McColo, a hosting provider that was catering to spammers.  I wanted to take a few minutes and lend a bit more color and data to what we originally reported now that we have had a few days to let the real effect soak in.

We continue to see an over-50% decline in total mail flow (all of it spam).  In fact, that percentage appears to have leveled off at over 60%.  That is a bit lower than the 75% reduction some are reporting, but no matter how you slice it, the effect has been more than significant.

Below is a graph outlining hourly mail flow patterns since November 1:

The significant drop-off that you see about two-thirds of the way through the graph correlates directly with the McColo shutdown on 11/11.  According to our stats, that drop-off occurred during the 1pm MST hour on the eleventh.

Three botnets in particular appear to have been severely debilitated by the McColo shutdown: Srizbi, Rustock, and Mega-D.  Traffic associated with the Mega-D botnet (so named because of its advertising of male enhancement products) has declined over 95% since 11/11, and Srizbi volume has declined by over 80%.


Sophos is reporting that McColo was briefly brought back online this weekend by a Swedish ISP named TeliaSonera.  After many complaints about the matter from security researchers, McColo was taken offline again, but not before the folks responsible for the Rustock botnet were able to push a code update to their bots pointing them away from McColo.  It is unclear at this point whether that update reached a significant base of Rustock-infected PCs, but it does breathe new life into a botnet that had briefly been put on life support.  So far today we are not observing any significant effect from the Rustock update.

Spam percentages have also taken a big hit as a result of the decline in spam volume.  For the past 2 years we have been reporting spam at about 90% of all email traffic on the internet.  Since the McColo shutdown those percentages have occasionally dipped into the low-to-mid 70 percent range, levels we have not seen since the first quarter of 2006.

Although the short-term effect of the McColo shutdown has been significant, we still do not believe that spam volumes will be affected over the long haul.  Botnets come and go, and malware techniques will continue to evolve.  As Storm declined in volume, botnets like Srizbi, Mega-D, Rustock, Cutwail, and others were more than ready to pick up the slack.  The punch line to all of this remains the same.  The people who can have the most impact in winning battles in the war against spam are those providing domain registrar service, DNS service, and ultimately bandwidth to bots and botnet owners.  If bots cannot communicate, they cannot thrive.  The events of the past week have been a perfect example of that.
Posted by smasiello at 11:23 AM | Link | 0 comments
12 November 2008

Major Spam Source McColo Knocked Offline

According to a Brian Krebs blog post, a major spam, child porn, fraud, and fake anti-virus hosting facility named McColo has been taken offline.

According to Brian, McColo (no, it is not owned by McDonalds and they did not offer McServers although they definitely served McSpam :) ) was responsible for more than 75% of the spam email that was propagated to the internet on a daily basis. 

Normally, I would be one of the first to refute such a claim as blowing the results out of proportion, but our own volume numbers today are showing a similar story (although 75% does appear to be a bit high based on our statistics):

This somewhat cryptic graph is a representation of our mail flow over the past 7 days (no, I won't give out the actual numbers).  To help you understand what is being shown here, the higher peaks are weekday mail flow patterns and the lower peaks are weekends. 

The significant dip on the far right is what we have seen today: a 50% reduction in typical Wednesday volume.  The drop-off started at about 1pm MST on 11/11 and leveled off at around 3am today, which is when mail flow again started to increase.  Mail flow typically starts its daily increase at 3am, but you can easily see that where we are today is nowhere near where we typically are for a weekday.
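A drop-off like the one described here (and the hourly mail-flow graph in the 17 November post) can be picked out automatically from hourly counts by comparing each hour against the same hour on earlier days of the same type, weekday or weekend, so that the normal Saturday/Sunday dip is not mistaken for an outage. The Python below is an added example, not the blog's own monitoring code; the hourly counts are synthetic (the post does not publish real numbers), and the thresholds (an hour counts as "down" below 60% of its baseline, and three such hours in a row confirm a drop) are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed hourly message counts (MST) for 1-12 November 2008: a
# weekday/weekend pattern whose daily ramp starts at 3am, with volume
# halved from 13:00 on 11 November to mimic the drop described in the post.
# Synthetic numbers only, not the blog's real statistics.
def build_sample_counts():
    counts = {}
    start = datetime(2008, 11, 1)          # a Saturday
    cutover = datetime(2008, 11, 11, 13)   # 1pm MST on 11/11
    for h in range(12 * 24):
        t = start + timedelta(hours=h)
        base = 1000 if t.weekday() < 5 else 600      # weekdays are busier
        ramp = 1.0 + 0.5 * ((t.hour - 3) % 24) / 23  # trough at 3am
        n = int(base * ramp)
        counts[t] = n // 2 if t >= cutover else n
    return counts


def baseline_for(counts, t, history_days=7):
    """Mean count at the same hour on prior days of the same type
    (weekday vs weekend) within the last history_days; None if no history."""
    same_type = []
    for d in range(1, history_days + 1):
        prev = t - timedelta(days=d)
        if prev in counts and (prev.weekday() < 5) == (t.weekday() < 5):
            same_type.append(counts[prev])
    return mean(same_type) if same_type else None


def detect_drop(counts, threshold=0.6, sustain=3, history_days=7):
    """Scan hour by hour; once `sustain` consecutive hours fall below
    `threshold` of their baseline, return (first such hour, % reduction).
    Returns None if no sustained drop is found."""
    run = []
    for t in sorted(counts):
        base = baseline_for(counts, t, history_days)
        if base is None:            # not enough history yet
            run = []
            continue
        ratio = counts[t] / base
        if ratio < threshold:
            run.append((t, ratio))
            if len(run) == sustain:
                first_hour = run[0][0]
                reduction = 100 * (1 - mean(r for _, r in run))
                return first_hour, round(reduction)
        else:
            run = []
    return None


if __name__ == "__main__":
    hit = detect_drop(build_sample_counts())
    if hit:
        print(f"sustained drop from {hit[0]:%Y-%m-%d %H:%M} MST, "
              f"about {hit[1]}% below baseline")
    else:
        print("no sustained drop")
```

On the synthetic data the detector reports a sustained drop beginning at 13:00 on 11 November, about 50% below baseline. Requiring several consecutive low hours is what keeps a single quiet hour or a short upstream outage from paging anyone; the seven-day history window is short enough to follow gradual trends but long enough to hold several same-weekday samples.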

This represents the first time that we have seen immediate, significant, measurable reductions in spam volume as a result of a spammer arrest or registrar/colocation termination.  It also appears that a significant number of Srizbi botnet command and control servers were being hosted out of McColo, as we have likewise observed significant drops in traffic coming from that botnet today.  We're continuing to monitor to see if this is merely a coincidence or if the two events are related.  More to come as additional information becomes available.
Posted by smasiello at 11:30 AM | Link | 0 comments
05 November 2008

President Elect Barack Obama Target of New Malware Campaign


That certainly didn't take long, did it? 

Just hours after Barack Obama was projected by all of the major news outlets to become the 44th President of the United States, cyber criminals have already launched a link-based malware campaign using Obama as a lure.  Uncle Sam wants you to vote.  Spammers want you to join their botnets!

As with most effective malware campaigns, timeliness is everything.  From what we are seeing so far, the social engineering tactic being used, coupled with interest in the election and its outcome, is already producing high volumes: many users are being tricked into infecting their PCs with this malware, which will then be used to send out more of this type of spam.

Starting at about 8am MST this morning we started to see messages come into our spamtraps purporting to be from various credible news organizations, using From addresses like news@bbc.com, news@cnn.com, and election@usatoday.com, among others.  The emails have subject lines such as "Barack Obama Wins", "Election Night Results", and "Fear of a Black President".

The messages themselves vary a bit, but the basic premise is the same across the different variants that we have observed so far.

Here is one sample:

-----------------------------------------------
Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
------------------------------------------------

As usual, note the grammatical errors.

The link in the message brings the user to a look-alike news web site which claims that the user must download an updated version of Flash to view the video of Obama's speech:

Clicking on the download link attempts to download a file called adobe_flash9.exe, which contains the malware.
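The traits described in this post (a From address borrowing a news organization's domain, one of the known subject lines, and a link whose target is a Windows executable named like a Flash update) can be turned into a simple mail-gateway check. The Python below is an added example, not the blog's own filtering code; both messages it parses are constructed, the envelope-sender mismatch check is a general heuristic rather than something the post reports, and the "two indicators means suspicious" threshold is an assumption. For brevity the constructed lure links straight at the file, whereas the real campaign led first to a look-alike news page that then pushed the download.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators drawn from the campaign described in the post.  The From
# domains are ones the messages *claimed* to come from; a mail that shows
# one of them but arrives via an unrelated envelope sender is suspect.
SPOOFED_NEWS_DOMAINS = {"bbc.com", "cnn.com", "usatoday.com"}
LURE_SUBJECTS = {"barack obama wins", "election night results",
                 "fear of a black president"}
LURE_FILENAMES = {"adobe_flash9.exe"}
URL_RE = re.compile(r'https?://[^\s<>"]+')


def address_domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return the indicators matched by an RFC 822 message plus a verdict.
    Two or more independent indicators is treated as suspicious (assumed
    threshold)."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = set()

    from_domain = address_domain(msg.get("From"))
    if from_domain in SPOOFED_NEWS_DOMAINS:
        hits.add("from-claims-news-org")

    # Heuristic: envelope sender and header From disagreeing is a common
    # trait of spoofed mail (no SPF/DKIM lookup is done here).
    envelope_domain = address_domain(msg.get("Return-Path"))
    if envelope_domain and from_domain and envelope_domain != from_domain:
        hits.add("envelope-sender-mismatch")

    subject = str(msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        hits.add("known-lure-subject")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        filename = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if filename.endswith(".exe"):
            hits.add("link-to-executable")
        if filename in LURE_FILENAMES:
            hits.add("known-lure-filename")

    return {"indicators": sorted(hits), "suspicious": len(hits) >= 2}


# Constructed lure, modelled on the sample quoted in the post; the link
# target host is a placeholder, not a real campaign domain.
LURE = """\
Return-Path: <bounce@relay-host.example>
From: "CNN News" <news@cnn.com>
To: reader@example.org
Subject: Barack Obama Wins
Content-Type: text/plain; charset="us-ascii"

Barack Obama Elected 44th President of United States
Watch His amazing speech at November 5!
Proceed to the election results news page>>
http://election-news.example/results/adobe_flash9.exe
"""

# Constructed benign newsletter: envelope and From agree, no lure traits.
BENIGN = """\
Return-Path: <digest@corp.example>
From: "Weekly Digest" <digest@corp.example>
To: reader@example.org
Subject: Your weekly update
Content-Type: text/plain; charset="us-ascii"

This week's stories: http://corp.example/digest/2008-11-05
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, analyze(raw))
```

The lure trips all five indicators while the newsletter trips none. Matching on the exact subject lines and filename catches this campaign's first wave but is brittle; the two structural checks (a news-organization From with an unrelated envelope sender, and any link to an executable) are what keep catching the variants the post says differ in wording.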

If early indications are any measure of future success, this campaign is going to be a success, but won't win the popular vote (ok, sorry for my bad political humor).  In the first 2 hours we have already seen almost 1M of these messages (over 350k in the 8am MST hour and over 600k in the 9am hour).

The folks over at Websense reported another Obama malware campaign in Spanish.  This, however, appears to be a very low-volume, targeted campaign.  We have seen fewer than 50 of these in total, but it underlines the fact that cyber criminals are definitely jumping on the post-election bandwagon and doing it in a big way.  Strangely enough, if this trend continues we might see more post-election spam than we saw pre-election.  Who would've expected that?

Posted by smasiello at 11:11 AM | Link | 3 comments