• Date: January 13, 2009
• Author: Joe Stewart, Director of Malware Research, SecureWorks

Introduction

Last year, we reported on the top spam botnets plaguing the world. Since then there have been significant changes to the botnet landscape, so we've decided to issue a new report covering a brief history of spam botnets in 2008, detailing the latest botnet threats.

An End to the Storm

After two years of domination, the Storm botnet finally died on September 18, 2008. Multiple academic and professional botnet researchers had been drawn to study Storm, and because of some mistakes and bad choices in the encryption protocols, some of them discovered ways to disrupt the botnet. But because of the P2P functionality in the Storm code, it was never fully possible to take over the entire botnet at once. The number of Storm infections was further reduced by Microsoft's Malicious Software Removal Tool (MSRT), which took out hundreds of thousands of bots at a time. Storm's numbers continued to fall off over the course of 2008, before it was apparently abandoned in September.

McColo Takedown

One of the biggest factors in the shifts we've seen is the takedown of the notorious McColo hosting operation. In the second half of last year, we detailed just how many spam botnets were dependent on McColo's connectivity, and we predicted that if McColo were shut down, worldwide spam would be cut in half. Shortly after that, McColo was featured in a blog posting by Brian Krebs, and the attention caused its upstream ISPs to pull the plug. According to various sources, spam dropped by anywhere from 50 to 75 percent on the very same day.

But it was to be a short-lived decrease - although two of the largest botnets, Rustock and Srizbi, were severely impacted, botnets that did not rely on McColo were suddenly sending much more spam. This demonstrates the separation between botnet owners and spammers. The persons actually sending the spam are simply relying on the services of criminals who rent the botnet to them. Most of the top botnets have easy-to-use HTML-based interfaces, so moving from one spam system to another is incredibly easy, and we believe there was a migration of spammers from the spam botnets that were down to systems that were still up.

We expected all of these impacted botnets to return to full operation. Rustock had most of its bots hard-coded to connect to McColo servers by IP address, and had great difficulty returning to normal operation. Srizbi had the same problem in some cases, but in other cases, infosec companies were actively interfering with the domain names used by the bots. Srizbi still has not recovered months later - it is possible that we've seen the last of this botnet.

The End of Bobax/Kraken?

Another scourge of the email world which got a lot of attention in 2008 was the botnet known as Bobax (or Kraken). This was one of the longest-lived botnet spam operations we know of, going all the way back to 2004. In April 2008, SecureWorks reported that it was the largest spam botnet with 185,000 active bots. Since becoming highly publicized in April 2008, it has been struggling due to disruption from infosec companies. However, it was able to adapt and continue to be a major player in the world of spam for most of the remainder of the year, although its bot numbers were constantly dwindling. Bobax also relied on a single hosting provider for its connectivity, one that wasn't a criminal operation. On the 18th of December, 2008, that provider killed all the control servers in use by Bobax. We haven't seen any more spam from Bobax since that time, but it might be too early to call this botnet dead.

Botnets to Watch in 2009

Cutwail
Estimated # of bots: 175,000
Alternate names: Pandex, Mutant (related to: Wigon, Pushdo)
SMTP engine: Template-based
Control: HTTP with encryption, multiple TCP ports
Rootkit-enabled: Yes
Identifying strings: Poshel-ka ti na hui drug aver
Notes: Cutwail was one of the few major botnets feeling little impact from the McColo takedown. Cutwail spam output actually increased shortly after that time, so it probably picked up some customers from other botnets. Cutwail has many customers, and can be seen sending a wide variety of spam, including pharmaceuticals, replica watches, online casinos, phishing mule come-ons and malware.

 

Rustock
Estimated # of bots: 130,000
Alternate names: RKRustok, Costrat, Meredrop
SMTP engine: Template-based
Control: HTTP with encryption, TCP port 80
Rootkit-enabled: Yes
Identifying strings: tmpcode.bin, unluckystrings, filesnames
Notes: Not quite back to last year's numbers yet, but still in the top echelon of spam botnets. These days Rustock can be seen sending spam for enlargement products, hidden inside newsletter templates swiped from legitimate companies, in an attempt to bypass content filters.

 

Donbot
Estimated # of bots: 125,000
Alternate names: Bachsoy
SMTP engine: Template-based
Control: Custom protocol on high TCP port
Rootkit-enabled: No
Identifying strings: HALLO, ProxyLockList, BlockCatchalls
Notes: Probably not a monolithic botnet; it appears to be in the hands of different spammers using different networks. Has been seen sending spam for weight loss drugs, stock pump-and-dump and debt settlement offers.

 

Ozdok
Estimated # of bots: 120,000
Alternate names: Mega-D
SMTP engine: Template-based
Control: Encrypted, TCP port 443
Rootkit-enabled: No
Identifying strings: KILL_LAZZY_ON_CONNECT, KILL_LAZZY_MX
Notes: Although Ozdok has a relatively small set of bots compared to some of the other botnets listed here, it is quite capable of pumping out a generous amount of spam, most of it related to enlargement products, but designer knock-offs and other spam are frequently seen.
   
Xarvester
Estimated # of bots: 60,000
Alternate names: Rlsloup, RUcrzy
SMTP engine: Template-based
Control: HTTP on high ports
Rootkit-enabled: Yes
Identifying strings: smtp-client-rls.dll, update_load, comgate.xhtml, RUCRZY
Notes: A relatively minor player at the start of 2008, Xarvester apparently picked up a customer or two post-McColo. Currently it is one of the top spamming botnets, sending pitches for pharmaceuticals, diploma mills, replica watches and a fair amount of Russian-language spam.

Grum
Estimated # of bots: 50,000
Alternate names: Tedroo
SMTP engine: Template-based
Control: HTTP on TCP port 80
Rootkit-enabled: Yes
Identifying strings: Hi all, Already start, $TO_HEXMAIL, /spm/s_alive, /spm/s_tasks
Notes: Grum seems to be all about the erectile dysfunction spam - using newsletter templates to evade content filtering (which may be pointless, since the trademarked name of the ED product is the subject line much of the time).

Gheg
Estimated # of bots: 50,000
Alternate names: Tofsee
SMTP engine: Template-based
Control: Encrypted, TCP ports 443 and 533
Rootkit-enabled: No
Identifying strings: ghegdjf, %s\removeMe%i%i%i%i.bat, http%s://%s%s%s%s%s
Notes: Gheg is a swiss-army-knife of spambots. Not only can it do template-based direct-to-MX spam, but it also can route spam through the victim's ISP's mailserver (this ability is known as "proxylock"). It can also act as a conventional socks proxy spambot.

Cimbot
Estimated # of bots: 10,000
Alternate names: None known/Generic only
SMTP engine: Template-based
Control: Encrypted, TCP ports 80 and 443
Rootkit-enabled: No
Identifying strings: SendMailHelper, ConnErr, DomainNewAllow
Notes: The spambot component itself is stored on-disk enciphered, and only deciphered when injected into memory by a small dll. Currently sending pharmaceutical spam.

In addition, Cimbot sends requests to a fair number of "affiliate click" websites, probably to draw attention away from the real command-and-control requests. The requests to these websites use the user-agent string "Mozilla/5.0 (Macintosh; IS7; PPC Mac OS X; en-US) AppleWebKit/6Y0.0 (KHTML, like Geco, Safari) OmniWeb/vJ01.XV".

Waledac
Estimated # of bots: 10,000
Alternate names: Waled
SMTP engine: Template-based
Control: AES and RSA-encrypted, encapsulated in HTTP
Rootkit-enabled: No
Identifying strings: taskreq, httpstats, winver, mirabella_site, MyID, RList
Notes: Waledac appears to be a from-scratch rewrite of Storm. Although the code is completely new, it uses many of the old tricks (P2P, encryption, e-card links, spam, DDoS, double fast-flux hosting) and the spam is remarkably similar to that which Storm was sending earlier in the year. Although it seems to have been in development for some number of months, it was massively spammed the week of Christmas 2008 (targeting the best time to social-engineer users into clicking on greeting-card links). It has not grown to substantial numbers as of yet, but we expect it to be a major player in the months to come.
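
The identifying strings in the profiles above, together with the Cimbot decoy user-agent, can be turned into a quick triage check. The following Python is an added example, not SecureWorks code: it scans a memory dump (Cimbot, for instance, is only deciphered in memory) for each family's strings in ASCII and UTF-16LE, and lists proxy-log clients that sent the decoy user-agent. The two-hit threshold, the splitting of each string list on commas, the log layout and the sample data are assumptions of this example.

```python
# Added example: strings and family names are copied from the report;
# the threshold, log layout and sample data are assumptions.
SIGNATURES = {
    "Cutwail": ["Poshel-ka ti na hui drug aver"],
    "Rustock": ["tmpcode.bin", "unluckystrings", "filesnames"],
    "Donbot": ["HALLO", "ProxyLockList", "BlockCatchalls"],
    "Ozdok": ["KILL_LAZZY_ON_CONNECT", "KILL_LAZZY_MX"],
    "Xarvester": ["smtp-client-rls.dll", "update_load", "comgate.xhtml", "RUCRZY"],
    "Grum": ["Hi all", "Already start", "$TO_HEXMAIL", "/spm/s_alive", "/spm/s_tasks"],
    "Gheg": ["ghegdjf", r"%s\removeMe%i%i%i%i.bat", "http%s://%s%s%s%s%s"],
    "Cimbot": ["SendMailHelper", "ConnErr", "DomainNewAllow"],
    "Waledac": ["taskreq", "httpstats", "winver", "mirabella_site", "MyID", "RList"],
}
CIMBOT_DECOY_UA = ("Mozilla/5.0 (Macintosh; IS7; PPC Mac OS X; en-US) "
                   "AppleWebKit/6Y0.0 (KHTML, like Geco, Safari) OmniWeb/vJ01.XV")

def hits(buf: bytes, needle: str) -> bool:
    """True if needle occurs in buf as ASCII or as UTF-16LE (wide) text."""
    return needle.encode("ascii") in buf or needle.encode("utf-16-le") in buf

def classify(buf: bytes, min_hits: int = 2) -> dict:
    """Return {family: [matched strings]} for families meeting the threshold.

    Short generic strings ("HALLO", "winver") also occur in benign software,
    so a single hit only counts when the family lists a single string.
    """
    result = {}
    for family, strings in SIGNATURES.items():
        matched = [s for s in strings if hits(buf, s)]
        if len(matched) >= min(min_hits, len(strings)):
            result[family] = matched
    return result

def cimbot_ua_clients(log_lines):
    """Client addresses (first field) of requests using the decoy user-agent."""
    return sorted({ln.split()[0] for ln in log_lines if CIMBOT_DECOY_UA in ln})

# Constructed samples: bytes standing in for a memory dump, and two proxy-log lines.
SAMPLE_DUMP = (b"\x00\x01MZ\x90" + "unluckystrings".encode("utf-16-le")
               + b"\x00\x00tmpcode.bin\x00winver\x00HALLO\x00")
SAMPLE_LOG = [
    f'10.0.0.5 GET http://ads.example/click "{CIMBOT_DECOY_UA}"',
    '10.0.0.9 GET http://example.org/ "Mozilla/5.0 (Windows NT 5.1)"',
]

if __name__ == "__main__":
    print(classify(SAMPLE_DUMP))          # only Rustock reaches two hits
    print(cimbot_ua_clients(SAMPLE_LOG))  # only the first client matches
```
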

 

Conclusion

Even though their numbers are down from this same time last year, the spammers and bot herders continue to be a nuisance on the Internet. It does seem that many more institutions are picking up the fight and are actively attempting to suppress the botnet threat, in one way or another. Nevertheless we are still a long way off from a real, long-lasting impact on (and prosecution of) the individuals responsible for unleashing so much malware and spam over the past few years.