Softpedia
 


June 10th, 2009, 09:35 GMT · By

3FN Takedown Cripples Cutwail Spam Botnet

Cutwail command and control servers closed because of 3FN takedown
Security vendors are starting to release spam statistics following the recent FTC shutdown of 3FN. The most affected spam botnet seems to be Cutwail/Pushdo, but the total impact is nowhere near that of the McColo takedown.

In early June, U.S. District Judge Ronald Whyte, for the Northern District of California, issued a temporary restraining order against Pricewert, a company operating the Triple Fiber Network (3FN) Internet service provider.

The restraining order was the result of a complaint against Pricewert filed by the Federal Trade Commission, in which it claimed that the ISP was harboring cybercriminal operations. This is consistent with reports coming from security researchers, who associated massive amounts of malicious activity with 3FN's IP space.

Most of the organizations tracking spam botnets agree that a significant number of command and control servers were hosted at 3FN, the majority of them being for Cutwail. After the shutdown of the McColo rogue ISP back in November 2008, which led to the near-death of Rustock, Cutwail became the world's largest spam-sending botnet.

Following the 3FN depeering, a noticeable decrease in Cutwail-associated spam has been observed. According to SecurityFix, researchers from SecureWorks who were tracking over 400,000 computers infected with Pushdo that were actively sending spam reported that, after the C&C servers hosted at 3FN were knocked offline, the number of botnet clients decreased to around 150,000.

Phil Hay from Marshal8e6 notes that, "Spam originating from the Pushdo botnet indeed seems to be affected. The proportion of spam from Pushdo has dipped, along with Mega-D [a different botnet]." However, the analyst adds that, "In terms of its impact on spam, the event is not quite in the same league as the McColo shutdown [...]."

Researchers from the anti-spam outfit Spamhaus announce that, "The 3FN shutdown caused an immediate precipitous collapse in Cutwail-emitted spam," but point out that, "As it was only one SpamBot family of many, its collapse is not particularly apparent in total spamtrap flow."

Meanwhile, Sophos notes that, "We’ve been noticing a small decline in spam coming to our traps. However, given the regular spam volume fluctuations during week and day time, it’s early to say if the trend is significant enough to connect to the 3FN news."
