Botnets, the ever-present threat

Every day, M86 Security Labs analyzes over 7 million distinct email messages, looking for patterns and emerging trends. In its recently published report covering the last six months of 2009, the figure of 200 billion spam messages per day is considered a fair estimate of the global situation.

The great majority of these messages are sent by botnets. Rustock and Pushdo (Cutwail) head the list, followed by Mega-D, Grum and Lethic. This continuous monitoring and analysis of botnet activity is crucial to botnet takedowns, which concentrate on shutting down the control servers.

There were three major botnet takedowns during this period: in June, a rogue ISP known for hosting malicious content and botnet control servers was disconnected from the Internet, which disrupted the spam output of the Cutwail botnet. In November, Mega-D’s control servers suffered the same fate, as did Lethic’s in January this year.

These were all really just stopgap measures: they can drop the level of spam for a short while, but cannot shut down the botnet’s activities. Botnets are kind of like the mythological Hydra – you cut one head off, and two more spring up in its place.

The gangs controlling them use sophisticated mechanisms to spring back when one of their control servers gets shut down: lists of domains instead of a single one, hard-coded DNS servers, domain generation algorithms, and alternative communication protocols for the command and control architecture.
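Two of the resilience tricks named above, algorithmically generated domains and hard-coded DNS servers, leave traces in a network's DNS logs. The following is an added example, not code from the article or the report it covers; the log format, the approved-resolver list and the scoring thresholds are assumptions, and the log lines are constructed.

```python
import math
import re
from collections import defaultdict

# Assumed: resolvers this network expects its clients to use. A query sent
# anywhere else suggests a resolver hard-coded into malware rather than DHCP.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed sample log, one query per line: "<time> <client> <resolver> <qname>"
SAMPLE_LOG = """\
12:00:01 10.0.0.15 10.0.0.53 www.example.com
12:00:02 10.0.0.15 10.0.0.53 mail.example.com
12:00:03 10.0.0.27 10.0.0.53 xk3q9vz7lpd2w.com
12:00:03 10.0.0.27 10.0.0.53 qv0bw1zrtn8yh.net
12:00:04 10.0.0.27 10.0.0.53 pm7d2xk4b9vjs.biz
12:00:05 10.0.0.27 198.51.100.9 wz9qk4v2xplt7.info
12:00:06 10.0.0.40 10.0.0.53 news.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_generated(qname):
    """Heuristic: a long, high-entropy, vowel-poor second-level label."""
    parts = qname.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    vowels = sum(label.count(v) for v in "aeiou")
    return (len(label) >= 10 and shannon_entropy(label) >= 3.3
            and vowels / len(label) <= 0.2)

def analyze(log_text):
    """Per client: generated-looking names seen and resolvers outside the approved set."""
    report = defaultdict(lambda: {"dga_like": [], "rogue_resolvers": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing on them
        _, client, resolver, qname = m.groups()
        if resolver not in APPROVED_RESOLVERS:
            report[client]["rogue_resolvers"].add(resolver)
        if looks_generated(qname):
            report[client]["dga_like"].append(qname)
    return dict(report)

def suspicious_clients(log_text, min_dga=3):
    """Clients with at least min_dga generated-looking names or any rogue resolver."""
    return sorted(c for c, r in analyze(log_text).items()
                  if len(r["dga_like"]) >= min_dga or r["rogue_resolvers"])

if __name__ == "__main__":
    for client in suspicious_clients(SAMPLE_LOG):
        print(client, analyze(SAMPLE_LOG)[client])
```

The entropy and vowel thresholds are a starting point only; legitimate CDN and cloud hostnames can score high, so tune them against your own baseline before alerting on single hits.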

There are many types of spam, but pharmaceutical spam regularly tops the list – 74 percent of all spam in Q3 and Q4 2009 was peddling fake prescription drugs.

In the minority of cases (3 billion out of 200 billion), the spam you receive is trying to make you open an attachment carrying malware, or direct you to a website where you’ll get infected with the same. This kind of spam is aimed at more than just getting your money. You’ll probably be infected with some kind of password-stealing Trojan, but your computer can, in addition, become a bot in the very same botnet that sent the malicious email in the first place, or be infected with downloader Trojans that will pave the way for further malware installation.

There still aren’t effective ways to fight a botnet. A lot of infections can be prevented by teaching people what to look for and how to resolve the situation to their own advantage, but the problem is that bot herders are a group that has demonstrated its inventiveness and an ability to adapt very quickly to change, which really cannot be said of the general public.

Botnet masters and cyber criminals in general are just that – masters at their work, while most computer and Internet users really don’t want to care about security. But with the ever rising tide of online threats, they will, in time, be forced to learn how to keep their head above the water.
