Another botnet taken down

A few weeks ago, at the beginning of November, I posted about the spamming botnets that send the most mail onto our network. In roughly descending order, the worst offenders were:

  1. Rustock
  2. Bagle-cb
  3. Cutwail
  4. Darkmailer
  5. Grum
  6. Donbot
  7. Bobax
  8. Mega-d
  9. Xarvester

I don’t track these botnets every day, though I do collect the statistics.  Every once in a while I take a look to see who’s the worst, and it’s usually Rustock.  But lately another botnet has exploded and often breaks into the top 3: the Lethic botnet.

While I don’t currently have the stats handy (I’m off work recovering from arthroscopic hip surgery, thanks to that stupid spammer who attacked me in Peru), I do know that Lethic has taken the number one spot among botnets on some occasions.  It’s not consistent, but it does happen.

Over the weekend, on Sunday, Jan 10, 2010, the Lethic botnet was penetrated by the folks over at Neustar.  Following that, spam from Lethic plummeted.  On our own network we saw a massive week-over-week drop in mail on that Sunday, even though the comparison Sunday, Jan 3, still fell in the holiday lull when volume is already low.  Indeed, we are still well below our general network averages for December and for early January prior to Jan 10.

Similar to what happened to Mega-D last year when FireEye penetrated it, the botnet’s command-and-control infrastructure was infiltrated in order to take it offline.  Disrupting the C&C prevents the botnet from pushing instructions to its worker nodes, and without instructions the nodes stop sending spam.  Cutting off the head of the dragon pretty much kills it, at least for a short time.  Unfortunately, like Medusa’s heads, these things keep growing back.

So, should there be more proactive action on the part of the anti-spam community to take out botnets?  Should there be research into it?  Funding?  Should ISPs take the initiative and disconnect customers they detect hosting C&C servers?

It’s difficult to say, but there is certainly no denying that going after the C&Cs works better than almost any other technique.  After McColo, botnets evolved to make their infrastructure more resilient.  It’s nice to see that the anti-abuse community is evolving too.

Comments

  • Anonymous
    January 14, 2010
    > Unfortunately, like Medusa’s heads, these things keep growing back.
    I think you mean the Hydra.

  • Anonymous
    January 14, 2010
    After the previous article you mentioned, I did send an email to the whitehouse, saying they should fund efforts like this to take down the botnets.  I think this is a good cause for the government to spend some money on.

  • Anonymous
    January 14, 2010
    Thanks for the post. It's nice to see that the good guys are winning some battles.

  • Anonymous
    January 15, 2010
    "Why isn't Interpol (the international criminal police organization) going after these spammers and shutting them down?"  From my point of view, new laws should be enacted that target the companies that use spamming services, and go after them.  They're a lot easier to identify and locate.  A few prime examples of prosecution of these people may affect other such organizations to the degree that spamming wouldn't be so lucrative to the services.

  • Anonymous
    January 15, 2010
    Thanks, Random Classicist.  I did mean "hydra."

  • Anonymous
    January 15, 2010
    @Alan8, you do realize that Interpol is powerless to enforce international law.  The most that they can do is investigate where crimes are committed and recommend actions to authorities.  If those authorities choose to ignore them or don't have the resources, then Interpol can't do anything.

  • Anonymous
    February 11, 2010
    Taking the C&C servers down alone will not prevent those worker nodes from being recruited by other botnets.  We should make the victims aware that their computers are vulnerable, and that they have to remedy that.  This is what is currently missing.  We will never win the war against botnets if we can't get help from the owners of bot computers.