IT Security Blog

12 December 2008

McColo - A One Month Retrospective


It has been one month since McColo had its upstream bandwidth cut off by Global Crossing and Hurricane Electric.  What has changed since?

As we've previously reported (here and here), immediately after the McColo shutdown we saw a 50-60% decline in spam volume.  This drop carried on for about 9 days even though in the middle of all of this McColo was briefly brought back online by TeliaSonera.  During this brief uptime the Rustock botnet was able to update itself and point its bots to different command and control hosts.  It wasn't until 4 days later that Rustock came back with a vengeance and resumed its normal spamming activities.

Since that time we have also seen the Mega-D botnet come back online.  The current net result is still positive, as spam volumes are still about 40% lower than what they were prior to McColo.  This is largely due to the fact that the Srizbi botnet still only shows minor signs of life, despite reports that Srizbi is back in the hands of its original owners.

I am still surprised that these botnets were so easy to cripple to begin with, even if only temporarily.  What this will end up leading to, however, is the bigger, better botnet: one with more redundancy built in, with command and control centers that are live on multiple networks with bandwidth provided by multiple providers, and one that fast-fluxes both its nodes and its nameservers to create a truly interconnected network that can only be taken down by effectively removing all of the connected, infected machines.  Add in encrypted channel communication between the nodes and some of the DDoS defense mechanisms incorporated by botnets like Storm, and your botnet is bulletproof.
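
The resilient design sketched above (hosts and nameservers rotated across many networks) is also what gives defenders a handle on it.  The following is an added example, not code from the original post: a small heuristic that scores a domain on how many distinct IPs, autonomous systems and nameserver changes appear across repeated DNS lookups, and how short the TTLs are.  The lookups, IP addresses and ASN numbers are constructed sample data (in practice the ASN would come from a BGP or whois lookup), and the thresholds are assumptions to tune against your own traffic.

```python
"""Heuristic fast-flux scoring over a series of observed DNS lookups.

Added example (not from the original post). It flags a domain when it
shows the combination the post describes: many hosts, spread over many
networks, with its nameservers rotating too ("double flux"). A CDN also
rotates many low-TTL IPs, so IP count and TTL alone are not enough; the
ASN spread and nameserver churn are what separate the two here.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Lookup:
    """One DNS response as observed at a point in time."""
    ttl: int                 # TTL of the A records, in seconds
    a_records: dict          # ip -> ASN (ASN is constructed sample data)
    ns_records: frozenset    # nameserver names returned for the zone


@dataclass(frozen=True)
class FluxReport:
    distinct_ips: int
    distinct_asns: int
    ns_changes: int          # how often the NS set differed from the previous lookup
    mean_ttl: float
    score: int               # 0..4, one point per indicator that fired
    flagged: bool


def score_fast_flux(lookups, ip_threshold=5, asn_threshold=3,
                    ns_change_threshold=1, ttl_threshold=300, flag_at=3):
    """Score a sequence of lookups for the same domain (assumed thresholds)."""
    ips, asns = set(), set()
    ns_changes = 0
    previous_ns = None
    for lk in lookups:
        ips.update(lk.a_records)
        asns.update(lk.a_records.values())
        if previous_ns is not None and lk.ns_records != previous_ns:
            ns_changes += 1
        previous_ns = lk.ns_records
    ttl = mean(lk.ttl for lk in lookups)

    score = 0
    score += len(ips) >= ip_threshold          # many distinct hosts
    score += len(asns) >= asn_threshold        # spread over many networks
    score += ns_changes >= ns_change_threshold  # nameservers rotate as well
    score += ttl <= ttl_threshold              # short TTLs enable rapid rotation
    return FluxReport(len(ips), len(asns), ns_changes, ttl, score, score >= flag_at)


# --- constructed sample data (private addresses, private-use ASNs) -----------
FLUX_LOOKUPS = [
    Lookup(60, {"10.0.1.5": 64512, "10.0.2.9": 64513, "10.0.3.14": 64514},
           frozenset({"ns1.example.invalid", "ns2.example.invalid"})),
    Lookup(60, {"10.0.4.20": 64515, "10.0.2.9": 64513, "10.0.5.7": 64516},
           frozenset({"ns3.example.invalid", "ns2.example.invalid"})),
    Lookup(60, {"10.0.6.1": 64517, "10.0.7.3": 64512, "10.0.1.5": 64512},
           frozenset({"ns4.example.invalid", "ns1.example.invalid"})),
]

# CDN-like: many low-TTL IPs, but all in one network with stable nameservers
CDN_LOOKUPS = [
    Lookup(30, {"10.1.0.1": 64600, "10.1.0.2": 64600},
           frozenset({"ns1.cdn.invalid", "ns2.cdn.invalid"})),
    Lookup(30, {"10.1.0.3": 64600, "10.1.0.4": 64600},
           frozenset({"ns1.cdn.invalid", "ns2.cdn.invalid"})),
    Lookup(30, {"10.1.0.5": 64600, "10.1.0.6": 64600},
           frozenset({"ns1.cdn.invalid", "ns2.cdn.invalid"})),
]

# Ordinary static host
STABLE_LOOKUPS = [
    Lookup(3600, {"10.2.0.1": 64700}, frozenset({"ns1.static.invalid"})),
    Lookup(3600, {"10.2.0.1": 64700}, frozenset({"ns1.static.invalid"})),
]


if __name__ == "__main__":
    for name, lookups in (("flux", FLUX_LOOKUPS), ("cdn", CDN_LOOKUPS),
                          ("stable", STABLE_LOOKUPS)):
        print(name, score_fast_flux(lookups))
```

Run repeatedly against a domain's passive-DNS history rather than a single query; one response never shows rotation, and the CDN case above is exactly why IP count and TTL should not be treated as sufficient on their own.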

As defenses improve, attack tactics evolve.  Just like when Word macro writers realized that they had to move on to the next generation of infection, those who are diligently working on new botnet communication technology are working on the next generation botnets (yes, plural).  Get ready.

Posted by smasiello at 9:31 AM
26 November 2008

The Honeymoon is Over


Apparently you just can't keep a good botnet down.

As expected, the honeymoon that we have been on since the November 11th shutdown of McColo is over.  As we discussed in our previous post about the volume declines after the McColo shutdown, the Rustock botnet was able to update some of its infected machines during an approximately 12 hour period that McColo was brought back online by TeliaSonera, a Swedish ISP.  Rustock has come back and come back strong over the past few days mostly sending out Canadian Pharmacy spam (one of our all time favorites).

[Traffic graphs for the Srizbi, Mega-D and Rustock botnets]

Above are traffic graphs for the three major botnets that were affected as a result of the McColo shutdown.  The big drop-offs for Srizbi and Mega-D are both on November 12 (the day after McColo was taken offline).  Traffic from both the Srizbi and Mega-D botnets has been virtually non-existent since the 12th.

The Rustock spike started on November 20, about 5 days after McColo was temporarily brought back online.

Just to keep us all on our toes, we've even seen some signs of life from the Storm botnet that most of us had written off for dead.  Although it is felt that some of this traffic was coming from poorly configured Barracuda devices, we're still keeping an eye out in the event that there is potential of this botnet coming back.

Despite the resurrection of the Rustock botnet, overall mail volumes are still down about 30-35% from where they were prior to November 11.  Today, FireEye is reporting that the Srizbi botnet is back under the control of its original owners and that new command and control servers have been registered in Russia.  So, it stands to reason that Srizbi will not be dormant for much longer before we start to see spam volumes increasing again.  The last two weeks have been a nice holiday before the holiday, but it looks like we are very quickly getting back to business as usual... and that's just the way I like it!

Posted by smasiello at 1:25 PM