OpenSRS: Reseller Friendly since 1999
Filling The Spam Vacuum

A few weeks ago, web hosting firm McColo was shut down after it was discovered that up to two-thirds of the world’s email spam was originating from its servers. For a while, the number of spam messages being delivered decreased dramatically. However, after this brief reprieve, spam volumes are already increasing again, according to a recent article from BBC News.

The business of spam, like all businesses, is a competitive one. When one large spam gang goes down, it leaves an open opportunity for other spam gangs to gain market share. It’s no surprise to hear that other spam gangs are ramping up their efforts, knowing that there’s money up for grabs. McColo is also likely scrambling to get back online in some shape or form before they lose too much of their market share.

The infrastructure that protects most systems today has not changed. The capacity to deliver spam, and to absorb it, is still there, and the gangs know they must take advantage of the gap quickly. With the economy in a downturn, it’s not likely the people in these gangs will be able to find day jobs…not that they would ever want to.

Some Thoughts on Bots and the Personal Computer

According to the BBC News article, some 450,000 infected computers (or bots) were still trying to connect to the largest of the networks hosted by McColo. How does an innocuous home computer become part of this worldwide network of nuisance?

The process of formatting and re-installing the operating system of a personal computer has been improved slightly over the years but it’s still an arduous task that only real geeks actually enjoy.

I think about my parents’ home computer and how various “uncles” visit with contraband software; how they’ll download and install all sorts of seemingly useless computer software tchotchkes, unaware of any security risks. This is your typical bot PC. As users let their software subscriptions to anti-virus and anti-spam services lapse, their computers are left with minimal protection.

The format and re-install process should really be as simple as hitting the reset button and waiting a couple of hours and voila! Good as new. All PCs should be formatted and all software re-installed at least three times a year. I’m sure this is already a “best practice” out there, but how often does this really happen? Given the size of botnets out there, not often enough.

Can you imagine if all PCs were to be formatted and their software re-installed on the same day? Spam levels could drop by 80% or more in one shot! Let’s have an annual PC reformat day and let’s see what it does to spam levels worldwide! What do you think?

  • Arthur

    According to information from my local newspapers it’s the very same botnet that is now under control by the same people as before. With losing the McColo hosting they’ve lost their command infrastructure. The bots in the wild try regularly to contact new (new as in generated according to a rule set/hash sequence) domain names for instructions. Those domain names are what a few anti-spammers have bought up in the days before to stop the spammers from regaining control. Now the spammers have managed to register one of those domains and regain control of the bot-net. Would be nice if known lists of such controlling domains could be blocked permanently at registry level. Those domains aren’t worth anything anyway as they look like (and are) a hash value and nothing anyone else would be interested in registering.

  • Garrick Lau (http://www.opensrs.com)

    Hi Arthur, I believe you are speaking about the Srizbi Botnet. There was an effort led by FireEye to register the domains before the “bad guys” could but I believe at the rate of 450 domains a week, they ran out of funds to continue the effort after spending around $4,000 in domain registrations.

    http://voices.washingtonpost.com/securityfix/2008/11/srizbi_botnet_re-emerges_despi.html?nav=rss_blog

    We discussed this internally and have reached out to FireEye to let them know that we would be willing to collaborate in the future and not to hesitate to reach out to us.

  • Arthur

    Ah, yes, I think that’s what the newspaper referred to. I’d say going one step further and pushing the top-level domain registry to block those registrations would be really helpful in such cases. Cheers, Arthur.
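The two comments above describe the defender’s side of this problem: bots keep asking for rendezvous domains that look like hash values, and whoever controls those names (the botnet operators or the people sinkholing them, such as FireEye in the Srizbi case) controls the bots. The following Python script is an added example, not code from the original post, from OpenSRS or from FireEye. It reads resolver query-log lines, flags queries for a deny-list of known controller domains (Arthur’s “block them at registry level” idea applied at the resolver instead), uses a hash-like-label heuristic to surface domains the list does not yet contain, and reports which client machines are the likely bots. The log format, the deny-list, the public-suffix table and all domain names are constructed for the example; the entropy and vowel thresholds are assumptions to tune against real traffic, and a real deployment would use a full public-suffix list rather than the two-entry table here.

```python
import math
import re
from collections import Counter

# Constructed resolver query log (not real traffic). Line format is an
# assumption for this example: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
2008-11-25T10:00:01Z 192.0.2.10 www.opensrs.com A
2008-11-25T10:00:02Z 192.0.2.10 mail.example.net MX
2008-11-25T10:00:03Z 192.0.2.11 a9f3c1e7b2d4f6a8.com A
2008-11-25T10:00:04Z 192.0.2.11 7e2b0c9d4a1f8e63.net A
2008-11-25T10:00:05Z 192.0.2.12 news.bbc.co.uk A
2008-11-25T10:00:06Z 192.0.2.11 d41d8cd98f00b204e9800998ecf8427e.com A
2008-11-25T10:00:07Z 192.0.2.13 voices.washingtonpost.com A
"""

# Constructed deny-list standing in for the "known controlling domains" the
# comments talk about; in practice it would come from the sinkholing party.
KNOWN_CONTROLLER_DOMAINS = {"7e2b0c9d4a1f8e63.net"}

# A label made only of hex digits and at least 12 long reads like a hash.
HEX_LABEL = re.compile(r"^[0-9a-f]{12,}$")

# Tiny stand-in for a public-suffix list (assumption: enough for the sample).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Strip hostnames so 'news.bbc.co.uk' -> 'bbc.co.uk'."""
    parts = qname.lower().rstrip(".").split(".")
    n = 3 if ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(parts[-n:])


def looks_hash_like(label):
    """Heuristic: hex-only, or long with high entropy and almost no vowels.
    The 12-char, 3.5-bit and 20% thresholds are assumptions to tune."""
    if HEX_LABEL.match(label):
        return True
    if len(label) < 12:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= 3.5 and vowels / len(label) < 0.2


def analyse_log(text):
    """Return (client, qname, verdict) per query line; verdict is
    'blocked' (on the deny-list), 'suspect' (hash-like label) or 'ok'."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        domain = registrable_domain(qname)
        label = domain.split(".")[0]
        if domain in KNOWN_CONTROLLER_DOMAINS:
            verdict = "blocked"
        elif looks_hash_like(label):
            verdict = "suspect"
        else:
            verdict = "ok"
        results.append((client, qname, verdict))
    return results


def clients_needing_cleanup(text, threshold=2):
    """Clients with at least `threshold` blocked or suspect queries: the
    machines an operator would ask the owner to clean (or reformat)."""
    hits = Counter(c for c, _q, v in analyse_log(text) if v != "ok")
    return sorted(c for c, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for client, qname, verdict in analyse_log(SAMPLE_LOG):
        print(f"{verdict:8} {client:12} {qname}")
    print("clients to clean up:", clients_needing_cleanup(SAMPLE_LOG))
```

Run as-is it prints one verdict per query and names 192.0.2.11 as the host to clean up. The deny-list catches only what the sinkholers already registered; the hash-like heuristic is what surfaces the next generated name before anyone has bought it, which is the gap the $4,000-a-week registration race left open.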

  • Brian Hawthorne

    Wow. How about reformatting all those computers and installing a better operating system? My computer is bot-free and virus-free and I have never reformatted it. Of course, I’m running a modern operating system, not a toy from Redmond.

  • NetMidWest (http://www.netmidwest.com/)

    I don’t agree that re-formatting and re-installing the OS is the cure. Prevention and maintenance is; before there was great software out there to kill spambots, that made sense. Your advice is out of date… all but the very latest trojan and virus creations can be blocked or removed from the PC (That’s PERSONAL computer, don’t let uncle touch it!), and regular updates of the software can ensure that the volume is turned down significantly… and it’s much easier to keep up with the updates than to reinstall an OS.

    Perhaps education is the real key, anyone with a few hundred bucks can now buy a PC and get online, with no real idea of the domino effect problems that owning a PC can create…

  • Garrick Lau (http://www.opensrs.com)

    Great comments! Yes, re-installing is more of a corrective approach and I agree wholeheartedly that education will go a long way in prevention.

    Corrective is immediate and results driven…

    Education is key, but couple that with an easy way to take corrective action and I think we have a winning combination!

  • Peter Blair

    People have been reporting an uptick in spam received from the C&Cs previously hosted at McColo:

    http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212300170&subSection=Attacks/breaches
