Major spam network silenced mid-campaign

Go down

Major spam network silenced mid-campaign

Post  Michela on Thu Mar 17, 2011 8:11 am

The sudden drop in activity of a major spam producer looks to be the result of the largest co-ordinated attack on spammers.

At 15:30 GMT on 16 March, a network of spam-producing computers, known as Rustock, suddenly stopped.

It also appears that the infrastructure needed to control the spam network has been disrupted.

Security researchers said that would make it the largest ever take down of a cyber crime network.

In 2010, the Rustock botnet - a collection of infected machines - was the most prolific producer of spam on the internet, at its peak accounting for nearly half of all spam sent globally - some 200 billion messages a day.

Prolific spammer
The volume of spam coming out of Rustock has fluctuated wildly recently, so sudden drops in activity are not uncommon.

But usually, the spikes in activity last for 12 to 16 hours, Vincent Hanna of anti-spam group Spamhaus told BBC News.

"When Rustock stopped yesterday it was in mid-campaign," he said.

Furthermore, the botnet seems to be unable to communicate with its command and control infrastructure, he said.

Computers within botnets are controlled by other machines which send out instructions of when to instigate spam campaigns or other attacks.

But disrupting the command and control infrastructure is a Herculean task.

It requires the co-ordination of security groups with insight in to how the botnet operates, the participation of law-enforcement agencies, domain name registrars and internet service providers that can potentially be located in different time zones, said Paul Wood, a security researcher at

Other botnets have been taken down before, but none the size of Rustock, which is thought to comprise close to a million infected computers.

Temporary relief?
But no-one has yet confirmed that silencing Rustock was the result of co-ordinated activity, Mr Wood said.

"One of the problems for law enforcers is deciding when to take action," he said.

Once police know enough about a botnet to be able to take it down, they can collect an awful lot of intelligence about its owners, he added.

Previous attempts to take down botnets have enjoyed mixed success.

When security firm FireEye disabled the Mega-D botnet's command and control infrastructure in early November 2009, its owners were able to resume their activities within a month.

"Many of these botnets are run as businesses, so they have back-up plans in place," said Mr Wood.

Persistent menace
Often the infected computers that form a botnet are programmed to seek out websites where they can download new instructions, in the event that the command and control systems are breached.

"The botnet controllers can use legitimate websites - such as headlines from news sites - to identify where the new instructions can be found," said Mr Wood.

So even when a botnet is disabled, it may be back up and running in days.

"Only time will tell if we will see [Rustock] coming back," said Mr Hanna.

Nevertheless, the spread of botnets looks set to continue, as the cyber crooks grow increasingly sophisticated in their ability to infect machines.

"The malware used embeds itself deep in the operating system, making it difficult to identify," said Mr Wood.

And new types of malware are proliferating rapidly, making it harder for computer users to ensure their systems are fully protected.

There were 26% more incidences of new types of malware in the first three months of 2011 than in the final three months of 2010, according to anti-virus firm Panda Security.

A large number of botnets are devoted to stealing online banking credentials or launching denial of service attacks, said Luis Corrons Granel, technical director of PandaLabs, the research arm of Panda Security.


Posts : 26
Join date : 2011-02-16

View user profile

Back to top Go down

Back to top

- Similar topics

Permissions in this forum:
You cannot reply to topics in this forum