- Date: January 13, 2009
- Author: Joe Stewart, Director of Malware Research, SecureWorks
Introduction
Last year, we reported on the top spam botnets plaguing the world. Since then there have been significant changes to the botnet landscape, so we've decided to issue a new report covering a brief history of spam botnets in 2008, detailing the latest botnet threats.
An End to the Storm
After two years of domination, the Storm botnet finally died on September 18, 2008. Multiple academic and professional botnet researchers had been drawn to study Storm, and because of mistakes and poor choices in its encryption protocols, some of them discovered ways to disrupt the botnet. But because of the P2P functionality in the Storm code, it was never possible to take over the entire botnet at once. The number of Storm infections was further reduced by Microsoft's Malicious Software Removal Tool (MSRT), which took out hundreds of thousands of bots at a time. Storm's numbers continued to fall over the course of 2008, before it was apparently abandoned in September.
McColo Takedown
One of the biggest factors in the shifts we've seen is the takedown of the notorious McColo hosting operation. In the second half of last year, we detailed just how many spam botnets were dependent on McColo's connectivity, and we predicted that if McColo were shut down, worldwide spam would be cut in half. Shortly after that, McColo was featured in a blog posting by Brian Krebs, and the attention caused its upstream ISPs to pull the plug. According to various sources, spam dropped by anywhere from 50 to 75 percent on the very same day.
But it was to be a short-lived decrease - although two of the largest botnets, Rustock and Srizbi, were severely impacted, botnets that did not rely on McColo were suddenly sending much more spam. This demonstrates the separation between botnet owners and spammers. The persons actually sending the spam are simply relying on the services of criminals who rent the botnet to them. Most of the top botnets have easy-to-use HTML-based interfaces, so moving from one spam system to another is incredibly easy, and we believe there was a migration of spammers from the spam botnets that were down to systems that were still up.
We expected all of these impacted botnets to return to full operation. Rustock had most of its bots hard-coded to connect to McColo servers by IP address, and had great difficulty returning to normal operation. Srizbi had the same problem in some cases, but in other cases infosec companies were actively interfering with the domain names used by the bots. Months later, Srizbi still has not recovered - it is possible that we've seen the last of this botnet.
The End of Bobax/Kraken?
Another scourge of the email world which got a lot of attention in 2008 was the botnet known as Bobax (or Kraken). This was one of the longest-lived botnet spam operations we know of, going all the way back to 2004. In April 2008, SecureWorks reported that it was the largest spam botnet with 185,000 active bots. Since becoming highly publicized in April 2008, it has been struggling due to disruption from infosec companies. However, it was able to adapt and continue to be a major player in the world of spam for most of the remainder of the year, although its bot numbers were constantly dwindling. Bobax also relied on a single hosting provider for its connectivity, one that wasn't a criminal operation. On the 18th of December, 2008, that provider killed all the control servers in use by Bobax. We haven't seen any more spam from Bobax since that time, but it might be too early to call this botnet dead.
Botnets to Watch in 2009
Cutwail | |
---|---|
Estimated # of bots: | 175,000 |
Alternate names: | Pandex, Mutant (related to: Wigon, Pushdo) |
SMTP engine: | Template-based |
Control: | HTTP with encryption, multiple TCP ports |
Rootkit-enabled: | Yes |
Identifying strings: | Poshel-ka ti na hui drug aver |
Notes: | Cutwail was one of the few major botnets feeling little impact from the McColo takedown. Cutwail spam output actually increased shortly after that time, so it probably picked up some customers from other botnets. Cutwail has many customers, and can be seen sending a wide variety of spam, including pharmaceuticals, replica watches, online casinos, phishing mule come-ons and malware. |
Rustock | |
---|---|
Estimated # of bots: | 130,000 |
Alternate names: | RKRustok, Costrat, Meredrop |
SMTP engine: | Template-based |
Control: | HTTP with encryption, TCP port 80 |
Rootkit-enabled: | Yes |
Identifying strings: | tmpcode.bin, unluckystrings, filesnames |
Notes: | Not quite back to last year's numbers yet, but still in the top echelon of spam botnets. These days Rustock can be seen sending spam for enlargement products, hidden inside newsletter templates swiped from legitimate companies, in an attempt to bypass content filters. |
Donbot | |
---|---|
Estimated # of bots: | 125,000 |
Alternate names: | Bachsoy |
SMTP engine: | Template-based |
Control: | Custom protocol on high TCP port |
Rootkit-enabled: | No |
Identifying strings: | HALLO, ProxyLockList, BlockCatchalls |
Notes: | Probably not a monolithic botnet, appears to be in the hands of different spammers using different networks. Has been seen sending spam for weight loss drugs, stock pump-and-dump and debt settlement offers. |
Ozdok | |
---|---|
Estimated # of bots: | 120,000 |
Alternate names: | Mega-D |
SMTP engine: | Template-based |
Control: | Encrypted, TCP port 443 |
Rootkit-enabled: | No |
Identifying strings: | KILL_LAZZY_ON_CONNECT, KILL_LAZZY_MX |
Notes: | Although Ozdok has a relatively small set of bots compared to some of the other botnets listed here, it is quite capable of pumping out a generous amount of spam, most of it related to enlargement products, but designer knock-offs and other spam are frequently seen. |
Xarvester | |
---|---|
Estimated # of bots: | 60,000 |
Alternate names: | Rlsloup, RUcrzy |
SMTP engine: | Template-based |
Control: | HTTP on high ports |
Rootkit-enabled: | Yes |
Identifying strings: | smtp-client-rls.dll, update_load, comgate.xhtml, RUCRZY |
Notes: | A relatively minor player at the start of 2008, Xarvester apparently picked up a customer or two post-McColo. Currently it is one of the top spamming botnets, sending pitches for pharmaceuticals, diploma mills, replica watches and a fair amount of Russian-language spam. |
Grum | |
---|---|
Estimated # of bots: | 50,000 |
Alternate names: | Tedroo |
SMTP engine: | Template-based |
Control: | HTTP on TCP port 80 |
Rootkit-enabled: | Yes |
Identifying strings: | Hi all, Already start, $TO_HEXMAIL, /spm/s_alive, /spm/s_tasks |
Notes: | Grum seems to be all about the erectile dysfunction spam - using newsletter templates to evade content filtering (which may be pointless, since the trademarked name of the ED product is the subject line much of the time). |
Gheg | |
---|---|
Estimated # of bots: | 50,000 |
Alternate names: | Tofsee |
SMTP engine: | Template-based |
Control: | Encrypted, TCP ports 443 and 533 |
Rootkit-enabled: | No |
Identifying strings: | ghegdjf, %s\removeMe%i%i%i%i.bat, http%s://%s%s%s%s%s |
Notes: | Gheg is a Swiss-army knife of spambots. Not only can it do template-based direct-to-MX spam, but it can also route spam through the victim's ISP's mailserver (this ability is known as "proxylock"). It can also act as a conventional SOCKS proxy spambot. |
Cimbot | |
---|---|
Estimated # of bots: | 10,000 |
Alternate names: | None known/Generic only |
SMTP engine: | Template-based |
Control: | Encrypted, TCP ports 80 and 443 |
Rootkit-enabled: | No |
Identifying strings: | SendMailHelper, ConnErr, DomainNewAllow |
Notes: | The spambot component itself is stored on-disk enciphered, and only deciphered when injected into memory by a small dll. Currently sending pharmaceutical spam. In addition, Cimbot sends requests to a fair number of "affiliate click" websites, probably to attract attention away from the real command-and-control requests. The requests to these websites use the user-agent string "Mozilla/5.0 (Macintosh; IS7; PPC Mac OS X; en-US) AppleWebKit/6Y0.0 (KHTML, like Geco, Safari) OmniWeb/vJ01.XV". |
Waledac | |
---|---|
Estimated # of bots: | 10,000 |
Alternate names: | Waled |
SMTP engine: | Template-based |
Control: | AES and RSA-encrypted, encapsulated in HTTP |
Rootkit-enabled: | No |
Identifying strings: | taskreq, httpstats, winver, mirabella_site, MyID, RList |
Notes: | Waledac appears to be a from-scratch rewrite of Storm. Although the code is completely new, it uses many of the old tricks (P2P, encryption, e-card links, spam, DDoS, double fast-flux hosting) and the spam is remarkably similar to that which Storm was sending earlier in the year. Although it seems to have been in development for some number of months, it was massively spammed the week of Christmas 2008 (targeting the best time to social-engineer users into clicking on greeting-card links). It has not grown to substantial numbers as of yet, but we expect it to be a major player in the months to come. |
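As an added example (not part of the SecureWorks report), the following Python script turns the identifying strings and the Cimbot user-agent listed in the profiles above into two defensive checks: a substring scan of a file or memory dump that reports a family only when enough of its markers are present, and a scan of a web-proxy log for the malformed Cimbot user-agent. The marker-count threshold, the combined-log-format parsing and the sample inputs are my assumptions; the sample blob and log lines are constructed, not real captures.

```python
"""Defensive string-scan for the 2009 spam-botnet profiles (added example, not SecureWorks code)."""
import re
from typing import Dict, List

# Identifying strings copied from the botnet profiles above. Matching is
# case-sensitive because these are literal artefacts from the bot binaries.
IDENTIFYING_STRINGS: Dict[str, List[bytes]] = {
    "Cutwail":   [b"Poshel-ka ti na hui drug aver"],
    "Rustock":   [b"tmpcode.bin", b"unluckystrings", b"filesnames"],
    "Donbot":    [b"HALLO", b"ProxyLockList", b"BlockCatchalls"],
    "Ozdok":     [b"KILL_LAZZY_ON_CONNECT", b"KILL_LAZZY_MX"],
    "Xarvester": [b"smtp-client-rls.dll", b"update_load", b"comgate.xhtml", b"RUCRZY"],
    "Grum":      [b"Hi all", b"Already start", b"$TO_HEXMAIL", b"/spm/s_alive", b"/spm/s_tasks"],
    "Gheg":      [b"ghegdjf", b"%s\\removeMe%i%i%i%i.bat", b"http%s://%s%s%s%s%s"],
    "Cimbot":    [b"SendMailHelper", b"ConnErr", b"DomainNewAllow"],
    "Waledac":   [b"taskreq", b"httpstats", b"winver", b"mirabella_site", b"MyID", b"RList"],
}

# The deliberately malformed user-agent Cimbot puts on its decoy "affiliate click"
# requests, copied verbatim from the profile above.
CIMBOT_USER_AGENT = ("Mozilla/5.0 (Macintosh; IS7; PPC Mac OS X; en-US) "
                     "AppleWebKit/6Y0.0 (KHTML, like Geco, Safari) OmniWeb/vJ01.XV")


def match_families(blob: bytes, min_hits: int = 2) -> Dict[str, List[str]]:
    """Return {family: [markers found]} for each family whose markers appear in blob.

    Assumption (mine, not the report's): short generic markers such as "HALLO" or
    "winver" are weak on their own, so a family is reported only when at least
    min_hits of its markers are present, capped at the number of markers it has.
    """
    report: Dict[str, List[str]] = {}
    for family, markers in IDENTIFYING_STRINGS.items():
        found = [m.decode() for m in markers if m in blob]
        if found and len(found) >= min(min_hits, len(markers)):
            report[family] = found
    return report


# Combined log format (assumed): client address is the first field,
# user-agent is the last quoted field on the line.
_CLIENT_RE = re.compile(r"^(\S+)")
_UA_RE = re.compile(r'"([^"]*)"\s*$')


def hosts_with_cimbot_ua(log_text: str) -> List[str]:
    """Return client addresses whose requests carry the exact Cimbot user-agent.

    Exact comparison is deliberate: the string contains tokens no real browser
    emits ("IS7", "6Y0.0", "Geco", "vJ01.XV"), so a looser substring match on
    "OmniWeb" or "AppleWebKit" would only add false positives.
    """
    hosts: List[str] = []
    for line in log_text.splitlines():
        ua = _UA_RE.search(line)
        if ua and ua.group(1) == CIMBOT_USER_AGENT:
            hosts.append(_CLIENT_RE.match(line).group(1))
    return hosts


# Constructed sample inputs (not real captures).
SAMPLE_BLOB = b"MZ\x90\x00" + b"\x00" * 16 + b"KILL_LAZZY_ON_CONNECT\x00KILL_LAZZY_MX\x00"
BENIGN_BLOB = b"winver.exe said HALLO to the world"  # one weak marker each, so no family
PROXY_LOG = (
    '192.0.2.10 - - [13/Jan/2009:10:02:11 +0000] "GET http://affiliate.example/click?id=7 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (Macintosh; IS7; PPC Mac OS X; en-US) '
    'AppleWebKit/6Y0.0 (KHTML, like Geco, Safari) OmniWeb/vJ01.XV"\n'
    '192.0.2.11 - - [13/Jan/2009:10:02:15 +0000] "GET http://www.example.org/ HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.0.5"\n'
)

if __name__ == "__main__":
    print(match_families(SAMPLE_BLOB))      # {'Ozdok': ['KILL_LAZZY_ON_CONNECT', 'KILL_LAZZY_MX']}
    print(match_families(BENIGN_BLOB))      # {}
    print(hosts_with_cimbot_ua(PROXY_LOG))  # ['192.0.2.10']
```

The threshold matters in practice: several of the listed markers ("HALLO", "Hi all", "winver", "MyID") occur in plenty of legitimate software, so a single-string hit on those is a lead for a human to look at rather than a verdict, while a multi-marker hit or a hit on a long unique string such as Cutwail's is much stronger.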
Conclusion
Even though their numbers are down from this same time last year, the spammers and bot herders continue to be a nuisance on the Internet. It does seem that many more institutions are picking up the fight and are actively attempting to suppress the botnet threat, in one way or another. Nevertheless, we are still a long way off from a real, long-lasting impact on (and prosecution of) the individuals responsible for unleashing so much malware and spam over the past few years.