According to Mathew Nisbet, a malware data analyst with Symantec Hosted Services, these elements – known as the Cutwail botnet – have been one of the most prolific spamming botnets of the last two to three years.
Even before the McColo ISP takedown in November 2008, Nisbet claims that Cutwail generated between 10 and 15% of all global spam.
Cutwail, he says, was almost certainly disrupted by the takedown of McColo, but came back bigger and stronger in response. At its peak at the start of June 2009, he adds, Cutwail was responsible for more than 45% of all spam and had between 1.4 and 2.1 million bots under its control.
Writing in his security blog, the Symantec malware data analyst notes that, between June and August of last year, Cutwail took some more notable hits, as rogue ISPs were identified and shut down.
"We reported what happened to Cutwail as a result of the 3FN takedown in the June 2009 MLI report", he said, adding that, shortly after, MessageLabs Intelligence reported how Cutwail was affected by the takedown of Real Host, a Latvian ISP, in the August 2009 report.
Cutwail, he went on to say, seemed to ride out the storm quite well, but in the year to date, he adds, Cutwail has been much less prolific.
In late August of this year, Nisbet says that LastLine – an academia anti-malware organisation – made an attempt to take down the Cutwail/Pushdo botnet.
"After identifying 30 command and control servers, they contacted the hosting ISPs and attempted to get them disconnected. Despite not all the providers being responsive, the attempt still managed to take down almost 20 of the C&C servers", he said.
Despite that takedown, the overall effect on global spam, he added, was negligible.
That was until quite recently, as the Symantec malware analyst says that Cutwail was sending out huge volumes of spam containing variants of the Bredolab malware until very recently.
"So while the takedown may not have had an appreciable effect on the overall level of global spam, it has certainly crippled the Bredolab distribution efforts of Cutwail", he said.
This was, he explained, possibly because the bots that were being used to spread malware were under the control of the C&C servers that did get disconnected - but the remaining C&C servers that controlled the bots were used mainly for more traditional spam.