As smaller botnets pick up the slack after McColo's takedown

Dec 10, 2008 15:35 GMT  ·  By

As security researchers predicted back in November, the happy times of fewer junk mails in our inboxes were not going to last. Having dropped to under 40 percent of their pre-takedown volume after the infamous hosting company McColo was cut off, spam levels are now back above 60 percent of that baseline.

On November 11, following a collaborative effort by security groups, spam-fighting organizations and journalists, McColo's upstream ISPs pulled the plug on the company, which hosted the command and control servers of several of the world's biggest botnets. The disconnection caused a severe drop in e-mail spam and, along with the demise of Atrivo and EstDomains, represented one of the security community's biggest victories over cybercriminals in 2008.

Even so, not everyone rushed to pop the champagne after the resounding victory; many declared themselves skeptical about the long-term implications. These were the people who remained alert and made significant moves to prevent the bot herders from relocating their infrastructure and regaining control over their armies of zombie PCs. Nevertheless, this almost happened with Srizbi and Rustock, the first and third largest botnets in the world.

The Rustock gang was able to push updates to an unknown number of drones when McColo briefly regained connectivity for a few hours, while the Srizbi operators temporarily succeeded in setting up a new control server in Estonia, only to be shut down by a local ISP. Fortunately, neither attempt was successful enough to revive the once-powerful botnets; their inflexible infrastructure design, with bots dependent on the control servers that were taken offline, makes a full recovery harder to achieve.

However, the same cannot be said of all the botnets previously controlled from McColo. Such is the case of Mega-D (a.k.a. Ozdok), a previously smaller botnet that has not only resumed full operation but even increased its activity. “Initially we saw some revived activity from Rustock, which now appears to have gone quiet. On the other hand, Mega-D has bounced back and is now spamming heavily,” researchers from Marshal8e6's TRACE Center announced.

This is most likely a consequence of the big players suddenly disappearing from the “market,” which forced spammers to “contract” other botnets such as Mega-D to distribute their junk. Marshal8e6 researchers also pointed out that Mega-D has recently been pushing spam campaigns previously attributed to Rustock. Other botnets such as Cutwail, Xarvester and Kraken, which were not hosted on McColo, have been increasing their activity as well and seem to have picked up Srizbi's and Rustock's former clients.

The experts warn that spam levels are likely to return to “normal” in time, and that the malware developers behind the botnets left for dead could already be working on new threats. Abandoning their armies of infected PCs might prove to be a business decision: building a new, more dynamic infrastructure might be a better choice in the long run than trying to resurrect something that remains susceptible to the same kind of takedown.

Images: Spam levels on the rise after McColo takedown; Botnet activity in December 2008