Date: 15 February 2011

15 February 2011 Author: SecureWorks' Counter Threat UnitSM





Introduction

Spam is one of the biggest drivers of malware proliferation over the past ten years, and no end is in sight. However, there is an overall maturation to the spambot ecosystem these days. We're seeing fewer new spambot families emerge, and only incremental changes in the existing spambot families. Development seems to proceed at a pace corresponding to the size of the botnet and the volume of spam sent by each.

In previous years, we have detailed the top spambot families and have described the characteristics that define them. To continue with that tradition, here is the current lineup of spambots responsible for most of the volume of spam on the Internet today.

Rustock (est. 250,000 bots)

The most prolific spam botnet in existence today is Rustock. In past years, Rustock would sometimes be overtaken for the top spot by other botnets, but these days it has pulled away from the pack with a strong lead. The reasons for this are due to the author's relentless development of stealth tactics that have been added to the Rustock codebase over the years. First and foremost, Rustock was designed as a rootkit, burying its files and activity deep inside the Windows operating system where it can hide from popular anti-malware products and remain on an infected system longer. In addition, Rustock has employed other novel tactics to stay under-the-radar:

Samples with active control servers have been observed waiting for up to five days before spamming

Rustock control servers run a TOR exit node, likely in an attempt to avoid disconnection by network administrators who might think the abuse is originating elsewhere

Rustock uses the HTTP protocol for communication with the controller, but disguises the requests as if they are online forum posts with encrypted content

In an attempt to frustrate takedowns, hostnames associated with the Rustock HTTP communication do not map directly to the IP address of a Rustock controller; instead, the IP address listed in DNS is passed through a custom algorithm to find the true IP address to communicate with

Cutwail (est. 100,000 bots)

Long a contender for the top three in spam botnets, Cutwail is still alive and well. Unlike Rustock, which seems to be a single spamming operation, the Cutwail bot is responsible for many different botnets, each using one of three known major revisions to the code. Like Rustock, Cutwail also uses custom encryption to disguise its communications. In order to defeat certain types of analysis using "sinkhole" SMTP servers, some Cutwail spammers use TCP port 25 for the Cutwail controller communication. This behavior makes a bot under examination inside a sinkhole unable to generate any spam samples, since the control connection itself will go nowhere.

Lethic (est. 75,000 bots)

Most of the top spambot systems use a template-based spamming method; that is, the control server will deliver a spam mail template to each bot, along with a list of email addresses to which the spam should be sent. This is the most efficient use of bandwidth for the spammer, since the real volume of work is done by offloading the individual mailserver sessions onto the infected PC. However, the Lethic bot does not use this approach, instead proxying all of the traffic from the spammer's system all the way to the destination mailserver. In order to eliminate the problem of most modern home PC routers using network address translation (NAT), Lethic uses a "connect-back" scheme that causes the bot to reach out to the Lethic controller to begin receiving traffic. Lethic uses a simple but effective encryption method to keep the communication from being easily detected on the wire.

Lethic has lately been seen being installed by another bot called "Butterfly" or "Bfbot". Frequently spammers will take advantage of an established botnet they already control to seed a new one. In addition, Bfbot can use worm-like methods to spread from PC to PC, giving the botnet an even greater reach. The same Bfbot botnets have been seen installing other spam trojans sending different types of spam, which indicates the specific Bfbot system may be part of a pay-per-install (PPI) system.

Grum (est. 65,000 bots)

Another well-established spambot is Grum. This spambot is another that seems to be in use by multiple spammers and has even been developed as a plugin for the BlackEnergy v2 bot. Like most other spambots, Grum will attempt to send messages from the infected PC directly to the destination mailserver. However, if an ISP is blocking TCP port 25 outbound, Grum can fall back to relaying the messages through the ISP's mailserver, a feature known in spammer circles as "proxylock".

Grum uses HTTP for communication, although it has recently been seen morphing its traffic to avoid existing network detections. Since the source code is apparently in the hands of multiple spammers, we will probably see further development on this front.

Festi (est. 60,000 bots)

Another spambot that has been aggressively taking on the more well-established botnets is Festi. Variants of this bot have recently been seen being seeded by the Virut botnet, which is another pay-per-install system. Virut also has the capacity to spread from PC to PC by infecting executable files. The Virut system is also used by other criminals to seed or add to their botnets, including other spam systems.

Festi has also been developed as a distributed denial-of-service (DDoS) platform, and has been seen in recent weeks launching attacks against other Russian sites.

Maazben (est. 30,000 bots)

There is one other major executable-infecting virus/botnet that is relevant to the spam world, and that is Sality. The sole purpose of Sality these days seems to be to install the Maazben bot, which typically sends spam for online Casinos.

The Rest of the Pack (est. 5,000-30,000 bots each)

The remaining contenders for the list of top spambots seem to have languished somewhat on their growth and development. This may be intentional to an extent, since a larger botnet gets more attention from the anti-spam and anti-malware community. Maintaining a smaller botnet is easier, requiring less development and fewer resources. Ultimately it may be a cost decision.

In some cases, anti-malware forces may be actively interfering with the botnet's operations, causing it to be far less effective than it would be if left alone.

Some notable botnets that are still in operation (some going on eight years) are:

Asprox

Fuflo

Waledac

Fivetoone/DMSpammer

Xarvester

Bobax

Gheg

Bagle

There are several more minor spam bots, most of which are either proxy-based, unnamed or both, and too small to significantly add to the volume of spam seen on the Internet.

End of Mega-D

One of the "top three" botnets of years past was "Mega-D", aka Ozdok. Due to its widespread proliferation, Mega-D became the target of anti-malware efforts by security vendor FireEye, A few months after Mega-D's volume was significantly reduced by this interference, the alleged author of Mega-D was arrested. Since that time, we have not seen any new Mega-D infections and the botnet is for all intents and purposes "dead". However, it is impossible to say who might have the source code to Mega-D and they could revive it in the future.

Summary

Although the numbers show spam botnet sizes and spam volume to be down over last year, one trend that can be seen is spambots piggybacking on existing worms and viruses to extend their reach. In all, IP-based blacklists are now more effective than ever at detecting spambots and listing their IPs to be blocked by anti-spam measures. However, we recently reached a turning point with the end of new IPv4 space to be allocated and an increased focus on IPv6 adoption.

It remains to be seen how the new allocations of IPv6 space will affect the home PC users and ultimately the botnet ecosphere. One of the biggest problems with blacklisting of IPv4 addresses today is DHCP "churn", where an infected PC might change IP addresses several times a day. Depending on how IPv6 is rolled out at the ISP level, this problem may be solved or it could increase.

IP blacklisting is not a panacea for spam, however; spammers have already begun to use "reputation hijacking" as a means to bypass the blocking. This leads to even more potential for problems on the part of the ISP, which could mean increased cost to the consumer. Without more effective international cooperation between ISPs and law-enforcement and more stringent laws against massive malware operations, this cost is likely to continue to increase far into the future.

Advice to CSOs

For a long time, the best-practices approach to malware infections has been to re-format and re-image the infected machine from known clean media. However, there are some corporate security teams that continue to simply run an antivirus product as a way to clean the computer of malware. This is often the case, especially when faced with an infection by "nuisance" malware such as spambots or rogue antivirus programs. The danger in simply running an antivirus product against the machine is that even if the antivirus product cleans the observed infection, how much other malware was installed on the machine that the antivirus engine can't detect?

There are three major factors at play here, which illustrate why running a "cleaner" tool is often not enough:

Malware has become increasingly more sophisticated and capable of hiding from or disabling anti-malware scanners. These days only a forensic-level investigation can detect certain malware under some conditions.

Malware authors now have easy access to tools that let them run their creations through dozens of antivirus engines at once. Some of these tools do not deliver scanned samples to antivirus companies for analysis, so a malware author can simply keep tweaking his/her creation until it is no longer detected, and then deploy it to your network via existing botnets infections, malvertising, spear-phishing, and other attack vectors.

As evidenced by the botnets detailed above, more malware authors are taking advantage of pay-per-install services. These systems will always try to maximize profit and install multiple unique pieces of malware after they initially infect a PC. To date, antivirus has been shown to generally have a 20% or less effectiveness rate against new threats. So for each pay-per-install infection, if you detect one bot, there might be four more installed alongside that aren't detected.

The major risk is that while you might have removed the nuisance malware, something more sinister may still be lying in wait to steal or destroy data. Any compromise of a PC should be treated as if it has the potential to do the maximum damage. One could hire a malware expert to do low-level forensic analysis on the infected system, but in some cases, it comes down to the skill of the expert versus the skill of the malware author - both are essentially unknowns. This is why we repeat the mantra of "re-format/re-image" - it's the only way to effectively mitigate the risk with a high level of assurance.