Spam Declines As Botnets Rethink Their Strategies

Even the spammers took a holiday over Christmas. According to Symantec and several other spamwatchers, the level of junk emails fell by over a half.

Recently, three botnets, Rustock, Xarvester and Lethic, that normally spew spam have either stopped or severely reduced their activities. According to a recent blog posting from Symantec: “Since 25th December, Rustock seems to have all but shut down… MessageLabs Intelligence [Symantec Hosted Services] has seen virtually nothing from Lethic since the 28th December, and Xarvester since the 31st December.”

Spamit Closure Disrupted Operations

Paul Wood, senior analyst at Symantec Hosted Services, told eWEEK Europe that, despite its drastically reduced rate of output, Rustock is still responsible for around 0.5 percent of spam (100-500 million spams per day). This is down from 47.5 percent (44 billion spam emails per day) but the other two botnets are completely silent.

According to Wood, one of the most likely reasons for the halt in operations is the closure of the Spamit.com website in October 2010. For years, Spamit, a closely guarded affiliate programme, had paid some of the world’s top botnet controllers to promote its counterfeit pharmacy sites.

Approximately 64 percent of global spam during 2010 was pharmaceutical spam, and the “Canadian Pharmacy” operation, linked to Spamit, was responsible for the vast majority of this. Its main vehicle was the massive Rustock botnet of zombie PCs, and the closure of Spamit means that Rustock will have to find another customer for its malign services. If spammers are not being paid, they cease their operations because there is little point in risking detection when there is no reward involved.

“Currently, there is no evidence to suggest that any of these botnets have been disrupted by law enforcement or through other interference,” Wood said. “The Rustock bots appear not to have been removed from the botnet and its command and control infrastructure appears to be intact. Research has also shown that the bots are still active in other ways, particularly click-fraud.”

Click-fraud relies on the relationship whereby a site will pay for each visit it receives from a referral site. The fraudulent element is when a rogue affiliated site arranges for referrals of fictitious visitors to be generated. The unsuspecting host site pays for these referrals, totally unaware that it is being scammed.

Sleeping Giant

With between 1.1 million and 1.7 million infected computers under its control, according to Symantec estimates, Rustock still has all the potential for spamming at the pre-Christmas levels if it finds an alternative source of revenue.

“If not, then it may turn its attention elsewhere, possibly increasing the click-fraud it already does to a grander scale, or by renting out its bots for DDoS [distributed denial of service] attacks, or bullet-proof hosting,” explained Wood. “In that case, I would expect to see the Grum botnet move up [in the spamming league], as it has been consistently in second place for many months now and was responsible for around 8.5 percent of spam – sending approximately eight billion spam emails each day from only 310,000 to 470,000 bots.”

Bullet-proof hosting is the provision of a safe haven for botnet “herders” to run their command and control centres and store their ill-gotten gains – similar to how the Caribbean islands were used by pirates in the 17th and 18th centuries.

The disappearance of a few of the major botnets has created a vacuum which will not remain empty for long. “Overall, we would expect to see a gradual but steady increase in spam levels over the next few weeks and months as other botnets expand their influence to fill this gap,” Wood warned.

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope, with expertise in security, the channel, and Britain's startup culture through his TechBritannia initiative.
