Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Another botnet taken down


A few weeks ago, at the beginning of November, I posted about the spamming botnets that generate the most mail on our network.  In roughly descending order, the worst were the following:

  1. Rustock
  2. Bagle-cb
  3. Cutwail
  4. Darkmailer
  5. Grum
  6. Donbot
  7. Bobax
  8. Mega-d
  9. Xarvester

I don’t track these botnets every day, though I do collect the statistics.  Every once in a while I take a look to see who’s the worst, and it’s usually Rustock.  But lately another botnet has exploded and often penetrates the top 3 – the Lethic botnet.

While I don’t currently have the stats handy (I’m off work recovering from arthroscopic hip surgery due to that stupid spammer who attacked me in Peru), I do know that Lethic has managed to take the number one spot for botnets on some occasions.  It’s not consistent, but it does happen.

Over the weekend, on Jan 10, 2010, the Lethic botnet was penetrated by the folks over at Neustar.  Following that, spam from Lethic plummeted.  Even on our own network we saw a massive week-over-week drop in mail on a Sunday, even though Sunday, July 3 was still inside the holiday period.  Indeed, we are still well below our general network averages for December and early January, prior to Jan 10.

Similar to what happened to Mega-D last year when FireEye penetrated it, the botnet’s command-and-control structure was infiltrated in order to take it offline.  Disrupting this control layer prevents the botnet from sending instructions to the worker nodes, so the spam stops.  Cutting off the head of the dragon pretty much kills it for a short time.  Unfortunately, like Medusa’s heads, these things keep growing back.

So, should there be more proactive action on the part of the antispam community to take out botnets?  Should there be research into it?  Funding?  Should ISPs take the initiative to take their customers offline if they detect they are C&C centers?

It’s difficult to say, but there is certainly no denying that going after the C&Cs works better than almost any other technique.  After McColo, botnets evolved to make their infrastructure more resilient.  It’s nice to see that the anti-abuse community is also evolving.
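As an added illustration of the week-over-week view described above (example code, not from the original post): it aggregates constructed per-day spam counts by botnet label, ranks them the way the list at the top does, and flags any botnet whose volume collapses against the same weekday a week earlier, which is what a C&C takedown looks like in the numbers. The log format and the botnet labels are assumptions; real feeds would get the label from an upstream classifier.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample, not real data: one "YYYY-MM-DD botnet count" line per
# botnet per day. Jan 3 is the Sunday before the Lethic takedown, Jan 10 the
# Sunday of it; the numbers are made up to show the shape of the drop.
SAMPLE_LOG = """\
2010-01-03 rustock 1200
2010-01-03 lethic 1100
2010-01-03 cutwail 600
2010-01-10 rustock 1150
2010-01-10 cutwail 620
2010-01-10 lethic 180
"""

def parse_log(text):
    """Parse the sample format into {date: Counter(botnet -> messages)}."""
    daily = defaultdict(Counter)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, botnet, count = line.split()
        daily[date.fromisoformat(day)][botnet] += int(count)
    return daily

def rank_botnets(daily, day):
    """Botnets seen on ISO date `day`, worst (highest volume) first."""
    return [name for name, _ in daily[date.fromisoformat(day)].most_common()]

def week_over_week_drops(daily, day, threshold=0.5):
    """Compare each botnet's volume on `day` with the same weekday one week
    earlier; return {botnet: fraction lost} for drops of at least `threshold`.
    A sudden collapse like this is the signature of a C&C takedown rather
    than ordinary weekend or holiday variation."""
    today = date.fromisoformat(day)
    before = daily[today - timedelta(days=7)]
    drops = {}
    for botnet, old in before.items():
        new = daily[today].get(botnet, 0)
        lost = (old - new) / old if old else 0.0
        if lost >= threshold:
            drops[botnet] = round(lost, 2)
    return drops

if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    print("Jan 3 ranking: ", rank_botnets(stats, "2010-01-03"))
    print("Jan 10 ranking:", rank_botnets(stats, "2010-01-10"))
    print("Collapsed week-over-week:", week_over_week_drops(stats, "2010-01-10"))
```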

  • > Unfortunately, like Medusa’s heads, these things keep growing back.

    I think you mean the Hydra.

  • You should try talking to the ISPs in Romania. A lot of spam related command and control assets are based here. Botnet owners, mostly based in ex-soviet states, routinely set up backup C&C over here. Unfortunately, the legislation and know-how is ill prepared to deal with this situation. However, the ISPs might go along with helping you.

  • After the previous article you mentioned, I did send an email to the whitehouse, saying they should fund efforts like this to take down the botnets.

    I think this is a good cause for the government to spend some money on.

  • Why isn't Interpol (the international criminal police organization) going after these spammers and shutting them down?

    They have the authority and global reach to go after these criminals.  After a few highly publicized arrests, the rest of them would probably go into another line of business because of the risk.

    Currently they seem to operate with virtual impunity, so it's no wonder there's so much spam and phishing.

  • Thanks for the post. It's nice to see that the good guys are winning some battles.

  • "Why isn't Interpol (the international criminal police organization) going after these spammers and shutting them down?"

    From my point of view new laws should be enacted that target the companies that use spamming services and go after them.  They're a lot easier to identify and locate.  A few prime examples of prosecution of these people may affect other such organizations to the degree that spamming wouldn't be so lucrative to the services.

  • I think along with Gov. funding to track them down they need SEVERE criminal charges for the people creating and profiting from them...this slap on the wrist crap is embarrassing.  It should be 100% of their assets are taken (all this $ they've generated) and also a minimum 20 years in prison!  Now what happens?...they earn millions-get caught-spend a year or two at most in jail (usually just probation time & no prison time) then they get out and take their millions and do it again.  Spammers & Virus creators need to be dealt with extremely.  They screw with millions of people and so their punishments should reflect that.

  • Thanks, Random Classicist.  I did mean "hydra."

  • @Alan8, you do realize that InterPol is powerless to enforce international law. The most that they can do is to investigate where crimes are committed and recommend actions to authorities. If those authorities choose to ignore or don't have the resources then InterPol can't do anything.

  • "So, should there be more proactive action on the part of the antispam community to take out botnets?"

    "Why isn't Interpol (the international criminal police organization) going after these spammers and shutting them down?"

    Same reason anti-malware guys and girls don't do it. It's illegal.

    I've been lurking online for quite a few years now (in my short life) and I've seen not a few references comparing the internet to the American Wild West. There are no laws online, so it's "everyone for themselves". Say a spammer is operating out of the USA on a Russian server, bounced through some server in South Africa. That's a fairly small "bounce", but you've got 3 jurisdictions to go through. Not to mention the lack of laws governing the internet. It's remarkably similar to the Japanese child porn laws. If it's virtual (in a comic), then it's legal because it doesn't really exist in the physical world. Or so the argument goes.

    Because it's not taken that seriously, there aren't enough laws in enough countries for someone like Interpol to take down spammers. The USA only recently (in the past few years) passed anti-spam laws.

    If you want to take down a spammer, malware creator, etc.. Well, you can't. Which is why it's such a popular pastime. =P

    Cyber crimes in general already have harsher laws in most countries than murder gets you. A common joke in my group of friends, it's smarter to steal a movie from the local rental store than to download it. Even with a weapon, the sentence will still be less. While the internet _does_ need policing and laws that are worded properly, it needs to be an international initiative or it won't be effective.

    Let's use Germany as an example. They have extremely harsh cyber crime laws, so much so that I.T. Security professionals are actually limited in what they can do or use. So how does a German security techie who wants to have a site with security tools (blog with links for example) get around it? He hosts his site on an American server. Now German laws don't apply to whatever is on his site.

  • @CJ well said, I am currently living in South Africa and their internet laws are practically non-existent.  Not just that, but trying to get an official in South Africa to even understand what a botnet is would take about 2 years, extensive training and a club.  Well that's not completely true, you would need two clubs, 'cos you're gonna break the first one.

  • Taking the C&C servers down alone will not prevent those work nodes from being recruited by other botnets.  We should make the victims aware that their computers are vulnerable, and they have to remedy that.  This is what is currently missing.  We will never win the war against botnets if we can't get the help from the owners of bot computers.
