2010 proves to be the year of the botnet, with new disguise and dropping capabilities expected in 2011

News by Dan Raywood

Botnets remained strong in 2010 but new tactics are expected next year.

According to the MessageLabs Intelligence 2010 Security Report from Symantec, spam rates peaked in August 2010 at 92.2 per cent, with spam from botnets accounting for 88.2 per cent of all spam.

It also claimed that by the end of 2010 the contribution of botnets to spam had fallen, and that the total number of active bots had returned to roughly the same level as at the end of 2009, after increasing by approximately six per cent in the latter half of 2010.

Talking to SC Magazine, Paul Wood, MessageLabs Intelligence senior analyst at Symantec Hosted Services, said that there are around five million botnets generally active at any one time, but that this can vary from three and a half to five and a half million botnets.

Asked if a botnet such as Bredolab, a general-purpose botnet commonly distributed via the Cutwail botnet which accounted for approximately 7.4 per cent of all email-borne malware in 2010, is likely to be controlled by more than one person or group, he said: “If you look at botnets like Bredolab and Zeus and find what is on the server is infected, but it may not be controlled by one person.

“Zeus fell into the public domain and there could be lots of small botnets combining to be a large botnet, it is hard to determine. Sometimes a botnet will reserve IP addresses to send out spam. Mega-D was stopped but was carrying different IP addresses so it is moving in terms of response. In terms of the command and control point, there is more variety and next year there will be more steganography by using trending topics to generate domain names.”

The concept of steganography techniques, hiding commands within images or music files distributed through file sharing or social networking websites, will be more prominent in 2011, according to Symantec. It will allow criminals to surreptitiously issue instructions to their botnets without relying on an ISP to host their infrastructure, thus minimising the chances of discovery.

The report also found that while 2010 has experienced fluctuation in the number of botnets and their associated output, the top three botnets have not changed in the latter half of 2010, with Rustock remaining the most dominant botnet followed by Grum and Cutwail.

Rustock's spam output more than doubled since last year to more than 44 billion spam emails per day, with more than one million bots under its control. With the report claiming an overall decrease in malware and phishing detections within email, Wood was asked whether this is evidence of a change in tactics.

“Rather than sending out email, we are starting to see a shift to drive-by-downloads or a botnet with a Trojan like Bredolab, while other botnet controllers are sending spam or fake anti-virus. We are seeing more targeted attacks of up to 77 a day whereas in 2005 it was one or two. Where there is still a pattern of targeted attacks it is crafted to get into the organisation,” he said.

With the FIFA World Cup having dominated phishing and spam trends through this summer, and with nothing as high profile on the calendar for 2011, Wood was asked whether it is going to be harder for spammers to react proactively to breaking events.

Strongly disagreeing, he said: “It will be easier as it is automated with trending targets to include headlines in spam and we see cyber criminals doing that. Before the World Cup there was no mention of it, but as they harvested newsfeeds they used RSS feeds to create a spam subject and there are more and more of them about.

“Next year there is the royal wedding and we expect to see the spammers adapt to this. It will be interesting as this is the first royal wedding in some time so we are not sure what we will expect to see.

“Also with celebrity deaths, but they are hard to predict and we saw a lot more related spam after Michael Jackson's death. With events based on a region they will be more targeted and be more aggregates for a newsfeed, there is a quest for breaking news on the likes of Twitter and that is what they are feeding off and people want the latest news and we rely on the internet rather than TV or newspapers.”
