RSA 2011: The spambot ecosystem revealed

Stewart told his audience in San Francisco that Rustock, Cutwail and Lethic are the biggest spambots out there at the moment

It also, he said, remains to be seen how the new allocations of IPv6 space will affect the home PC users and ultimately the botnet ecosphere.

In his report on the current state of the spambot arena, Stewart said that spam has been one of the biggest drivers of malware proliferation over the past ten years, and no end is in sight.

There is, however, an overall maturation to the spambot ecosystem these days, notes the report.

As a result, Dell SecureWorks is seeing fewer new spambot families emerge, and only incremental changes in the existing spambot families.

Development, says Stewart, seems to proceed at a pace corresponding to the size of the botnet and the volume of spam sent by each.

The most serious botnet - with 250,000 reports - is Rustock, says the report, adding that, in previous years, Rustock would sometimes be overtaken for the top spot by other botnets, but these days it has pulled away from the pack with a strong lead.

"The reasons for this are due to the author's relentless development of stealth tactics that have been added to the Rustock codebase over the years", says the report.

"First and foremost, Rustock was designed as a rootkit, burying its files and activity deep inside the Windows operating system where it can hide from popular anti-malware products and remain on an infected system longer", the report adds.

The study goes on to say that Rustock has used a number of other novel tactics to stay under the radar, such as active control servers waiting for up to five days before spamming, and Rustock control servers running a Tor Project exit node - likely in an attempt to avoid disconnection by network administrators who might think the abuse is originating elsewhere.

The report also notes that, in an attempt to frustrate takedowns, hostnames associated with Rustock do not map directly to the IP address of a Rustock controller.

"Instead, the IP address listed in DNS is passed through a custom algorithm to find the true IP address to communicate with", the report says.
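The report does not describe the transform Rustock applies to the address it gets back from DNS, so nothing here reproduces it. From a defender's side, though, the tactic leaves a visible seam: the infected host connects to an IP that no DNS answer ever handed it. The following is an added example (not code from the report or from Dell SecureWorks) of that detection heuristic, run over constructed DNS and connection log lines in a made-up key=value format; the window length, field names and sample addresses are all assumptions.

```python
"""Flag outbound connections whose destination IP was never returned to the
connecting host by DNS in the preceding window.  Added illustration of the
DNS-answer vs. actual-connection mismatch that the Rustock tactic produces;
log formats and addresses below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (ISO 8601 timestamps, key=value fields).
DNS_LOG = [
    "2011-02-15T10:00:01 host=10.0.0.5 qname=update.example.invalid answer=198.51.100.10",
    "2011-02-15T10:00:02 host=10.0.0.7 qname=mail.example.invalid answer=203.0.113.25",
]
CONN_LOG = [
    "2011-02-15T10:00:03 host=10.0.0.7 dst=203.0.113.25 dport=25",    # matches a DNS answer
    "2011-02-15T10:00:04 host=10.0.0.5 dst=198.51.100.77 dport=443",  # never resolved by DNS
    "2011-02-15T10:00:05 host=10.0.0.5 dst=198.51.100.10 dport=80",   # matches a DNS answer
]


def parse_kv(line):
    """Parse '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_unresolved_connections(dns_lines, conn_lines, window=timedelta(minutes=10)):
    """Return (host, dst_ip, ts) for every connection whose destination did not
    appear as a DNS answer to that same host within `window` before it."""
    answers = defaultdict(list)  # host -> [(answer_time, ip)]
    for line in dns_lines:
        r = parse_kv(line)
        answers[r["host"]].append((r["ts"], r["answer"]))

    findings = []
    for line in conn_lines:
        c = parse_kv(line)
        recent = {
            ip for ts, ip in answers[c["host"]]
            if 0 <= (c["ts"] - ts).total_seconds() <= window.total_seconds()
        }
        if c["dst"] not in recent:
            findings.append((c["host"], c["dst"], c["ts"]))
    return findings


if __name__ == "__main__":
    for host, dst, ts in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"{ts.isoformat()} {host} -> {dst}: destination never returned by DNS")
```

On real traffic the same heuristic also fires on hosts with long DNS cache lifetimes, hard-coded addresses in legitimate software and resolvers the sensor cannot see, so it is a triage signal to combine with the connection's port, timing and the host's other behaviour rather than a verdict on its own.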

According to Stewart's report, although the numbers show spam botnet sizes and spam volume to be down over last year, one trend that can be seen is spambots piggybacking on existing worms and viruses to extend their reach.

Overall, says the research, IP-based blacklists are now more effective than ever at detecting spambots and listing their IPs to be blocked by anti-spam measures.

"However, we recently reached a turning point with the end of new IPv4 space to be allocated and an increased focus on IPv6 adoption", notes the report, adding that it remains to be seen how the new allocations of IPv6 space will affect the home PC users and ultimately the botnet ecosphere.

"One of the biggest problems with blacklisting of IPv4 addresses today is DHCP churn, where an infected PC might change IP addresses several times a day. Depending on how IPv6 is rolled out at the ISP level, this problem may be solved or it could increase", says the report.
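The churn problem the report describes is concrete enough to show in code: an infected PC that changes IPv4 address several times a day leaves its old listings behind to bite the next lease holder, and under IPv6 a single host can hop through addresses inside its delegated prefix. The following is an added example, not code from the report, of a blacklist that ages entries out and keys IPv6 listings on the /64 prefix rather than the individual address; the six-hour TTL, the /64 choice and the sample addresses are assumptions chosen for illustration.

```python
"""Churn-aware IP blacklist: entries expire after a TTL so a recycled DHCP
lease is not blocked forever, and IPv6 is listed per /64 so an address-hopping
host stays covered.  Added example; parameters below are assumptions."""
import ipaddress
from datetime import datetime, timedelta


class ChurnAwareBlacklist:
    def __init__(self, ttl=timedelta(hours=6), v6_prefixlen=64):
        self.ttl = ttl                    # how long a listing outlives the last report
        self.v6_prefixlen = v6_prefixlen  # aggregate IPv6 listings at this prefix length
        self._entries = {}                # network -> time of the last spam report

    def _key(self, ip):
        """Normalise an address to the network it is listed under."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 6:
            return ipaddress.ip_network(f"{addr}/{self.v6_prefixlen}", strict=False)
        return ipaddress.ip_network(f"{addr}/32")

    def report(self, ip, when):
        """Record spam observed from `ip` at time `when` (refreshes an existing listing)."""
        self._entries[self._key(ip)] = when

    def is_listed(self, ip, now):
        """True while a listing is within its TTL; expired listings are dropped."""
        key = self._key(ip)
        last_seen = self._entries.get(key)
        if last_seen is None:
            return False
        if now - last_seen > self.ttl:
            del self._entries[key]  # lease has most likely churned to another customer
            return False
        return True

    def listed_networks(self):
        return sorted(str(n) for n in self._entries)


if __name__ == "__main__":
    bl = ChurnAwareBlacklist()
    t0 = datetime(2011, 2, 15, 9, 0)
    bl.report("192.0.2.10", t0)                  # constructed IPv4 spam source
    bl.report("2001:db8:1:2::10", t0)            # constructed IPv6 spam source
    print(bl.is_listed("192.0.2.10", t0 + timedelta(hours=1)))           # True
    print(bl.is_listed("192.0.2.10", t0 + timedelta(hours=7)))           # False: expired
    print(bl.is_listed("2001:db8:1:2::beef", t0 + timedelta(minutes=5)))  # True: same /64
    print(bl.listed_networks())
```

The TTL trades the two failure modes against each other: a short one frees recycled leases quickly but lets a spambot that re-leases mid-run slip out, a long one catches it but blocks more innocent successors, which is exactly the cost-shifting onto ISPs and consumers the report goes on to describe.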

IP blacklisting, the report adds, is not a panacea for spam, however; spammers have already begun to use "reputation hijacking" as a means to bypass the blocking.

"This leads to even more potential for problems on the part of the ISP, which could mean increased cost to the consumer. Without more effective international cooperation between ISPs and law-enforcement and more stringent laws against massive malware operations, this cost is likely to continue to increase far into the future," the research concludes.
