Major Spam Botnets Yet to Recover After Host Shut-Down

Published 21st November 2008

LONDON, 20 November 2008 – One week after the world’s most significant breakthrough in the fight against spam, spam levels have yet to return to their previous levels, according to security experts from the Marshal8e6 TRACE Team. However, it is likely that spam levels will eventually climb back to their previous highs.

On November 11, the volume of spam around the world fell by as much as 70 percent due to the shutdown of a major spam hosting network, McColo.

McColo was shut down by its Internet Service Provider after an investigative journalist made enquiries about the web hosting company’s illicit activities. McColo was hosting the command and control infrastructure for three of the world’s most prolific spam botnets: Srizbi, Mega-D and Rustock. When McColo was shut down, the spammers were disconnected from the networks of spam-sending bot computers under their control.

Throughout 2008, the TRACE team has published reports showing just a handful of major spamming botnets are responsible for as much as 90 percent of spam. The TRACE Team has been campaigning within the IT security community for a coordinated effort against the top spamming botnets.

“This is the most significant single event in the fight against spam we have ever seen,” said Phil Hay, lead threat analyst with the TRACE Team.

“It shows that a coordinated effort against spammers by security researchers can have a positive and meaningful impact on global spam levels. It is something that we have been working towards for a long time and it is fantastic to see the flow-on effects on spam levels as a result of targeting the bigger botnets.”

“Unfortunately we do not expect this situation to last. The spammers are no doubt already setting up new command and control servers. The challenge for them is to re-establish connections with the thousands of zombie computers still infected with their bot code. We fully expect spam will resume in large volumes eventually. However, almost a week later, the spammers haven’t managed to do that yet,” said Hay.

Marshal8e6 says that the command and control servers play a critical part in managing the hundreds of thousands of infected bot computers, also referred to as ‘zombies’.

“An infected bot computer typically ‘phones home’ to the control servers periodically to get updated instructions and spamming templates. By shutting down McColo the link between the zombie computers and their control servers has effectively been cut off for now,” explained Hay.
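The periodic ‘phone home’ described above is also what lets a network defender spot an infected host from the inside: a zombie checking in with its control server on a fixed schedule produces connections with unusually regular spacing. The following is an added example, not code from the article or from Marshal8e6, that flags such beaconing in a constructed connection log; the log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log (not from the original article).
# Each line: "<epoch seconds> <src> <dst> <dst port>"
# The first host checks in every 600 s; the second browses irregularly.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10 80
1600 10.0.0.5 203.0.113.10 80
2200 10.0.0.5 203.0.113.10 80
2800 10.0.0.5 203.0.113.10 80
3400 10.0.0.5 203.0.113.10 80
1050 10.0.0.7 198.51.100.3 443
1120 10.0.0.7 198.51.100.3 443
2900 10.0.0.7 198.51.100.3 443
3010 10.0.0.7 198.51.100.3 443
4800 10.0.0.7 198.51.100.3 443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(int(ts))
    return flows

def find_beacons(flows, min_conns=4, max_cv=0.15):
    """Return (flow, mean period, cv) for flows whose inter-arrival
    times are nearly constant (assumed thresholds: >= 4 connections,
    coefficient of variation <= 0.15)."""
    hits = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg  # spread of the gaps relative to their mean
        if cv <= max_cv:
            hits.append((key, round(avg), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for key, period, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{key[0]} -> {key[1]}:{key[2]} every ~{period}s (cv={cv})")
```

On the constructed log only the 10.0.0.5 flow is reported; in practice the thresholds need tuning, since legitimate software such as update checkers also polls on a schedule.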

The events that led to McColo’s shut down involved months of collaboration and research by a variety of security professionals.

“Last week’s events have proven that by drawing attention to the worst spam offenders, security researchers and law enforcement have the capability to focus their energies on the key players and take action. Five years ago when spam was dominated by numerous small-scale spammers it was extremely difficult to target an individual spammer and have any real effect on spam. Now, because botnets have enabled a handful of major spam players to dominate, the targeted actions of the IT security and law enforcement communities can have an immediate and palpable effect on spam,” said Hay.

Marshal8e6 says the command and control servers for the Srizbi, Mega-D and Rustock botnets were affected by the McColo shut down. According to Marshal8e6’s statistics, just prior to McColo’s shut down, these three botnets were ranked first, second and fifth respectively as the world’s most prolific sources of spam, together responsible for nearly 70% of spam.

“It is a cliché, but the fight against spam is a game of cat and mouse. Over the longer term, the spammers will learn from this incident and probably evolve their botnet control systems. They may adopt a more resilient peer-to-peer or layered model where control servers are harder to access and spread among many hosts. Only time will tell if these botnets recover. The key thing is that the IT security and law enforcement communities learn from last week’s events as well. We have to work together to maintain the pressure on the key spam players,” said Hay.

More Information
Marshal8e6 TRACE Centre Website - http://www.marshal.com/trace/

About Marshal8e6
Marshal8e6 is a global provider of Secure Internet Gateway products for organisations of all sizes. Marshal8e6 is the only security company capable of delivering comprehensive content security across multiple delivery platforms, including software, appliances and Software-as-a-Service (SaaS). The company's complete security portfolio delivers the tools necessary to manage and secure email, Web and the endpoint as well as protect against data leakage. With 20,000 customers and 16 million end users in 96 countries, the company maintains corporate headquarters in Orange, California with international headquarters in London, United Kingdom and regional offices in Atlanta, Houston, Johannesburg, Munich, Paris, Auckland, Sydney and Taipei.

Marshal8e6 is privately held by management and employees, as well as private investors Kelso Place Asset Management, Darwin Group, CX Ventures, Vora Ventures and Updata Partners. For more information about Marshal8e6, please visit www.marshal8e6.com.

About the Marshal8e6 TRACE Team
TRACE (Threat Research and Content Engineering) is a group of Marshal8e6 security analysts who constantly monitor and respond to Internet security threats through the TRACE website at www.marshal.com/trace. TRACE services are provided as part of standard product maintenance that includes updates to Marshal8e6’s unique, proprietary anti-spam technology, SpamCensor. TRACE analyses spam, phishing and Internet security trends and provides frequent automated updates to Marshal8e6 customers. It also provides “Zero Day” security protection against new email and virus exploits the day they emerge.