Another botnet taken down

A few weeks ago, at the beginning of November, I posted a blog post about the worst spamming botnets that we see on our network.  In roughly descending order, the worst offenders were the following:

  1. Rustock
  2. Bagle-cb
  3. Cutwail
  4. Darkmailer
  5. Grum
  6. Donbot
  7. Bobax
  8. Mega-d
  9. Xarvester

I don’t track these botnets every day, though I do collect the statistics.  Every once in a while I take a look to see who’s the worst, and it’s usually Rustock.  But lately another botnet has exploded and often penetrates the top 3 – the Lethic botnet.

While I don’t currently have the stats handy (I’m off work recovering from arthroscopic hip surgery, thanks to that stupid spammer who attacked me in Peru), I do know that Lethic has managed to take the number one spot among botnets on some occasions.  It doesn’t do so consistently, but it does happen.

Over the weekend, on Jan 10, 2010, the Lethic botnet was penetrated by the folks over at Neustar.  Following that, spam from Lethic plummeted.  Even on our own networks, we saw a massive week-over-week drop in mail on a Sunday, even though Sunday, July 3, was still in the holiday period.  Indeed, we are still well below our general network averages for December and early January prior to Jan 10.
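As an added illustration (not the author's code or data), here is a small Python script that does the bookkeeping described above: it ranks botnets by the volume of spam attributed to them on a given day and flags any whose Sunday-to-Sunday volume collapsed, the kind of drop a C&C takedown produces. The botnet names are the ones from the post; the input format and the counts are constructed.

```python
from datetime import date, timedelta

# Constructed sample (not the author's data): "YYYY-MM-DD,botnet,messages"
# per line, as a spam classifier might summarise each day's traffic.
SAMPLE_STATS = """\
2010-01-03,rustock,9800
2010-01-03,lethic,9100
2010-01-03,cutwail,5200
2010-01-03,grum,3100
2010-01-10,rustock,9600
2010-01-10,lethic,1200
2010-01-10,cutwail,5400
2010-01-10,grum,2900
"""

def parse_stats(text):
    """Return {(iso_day, botnet): messages}; blank and '#' lines are skipped."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, botnet, count = (f.strip() for f in line.split(","))
        key = (day, botnet.lower())
        records[key] = records.get(key, 0) + int(count)
    return records

def volumes_on(records, iso_day):
    """Messages per botnet seen on one day."""
    return {b: n for (d, b), n in records.items() if d == iso_day}

def rank(volumes):
    """Botnet names ordered worst-first, like the top list in the post."""
    return sorted(volumes, key=volumes.get, reverse=True)

def week_over_week(records, iso_day):
    """Per botnet active on iso_day: (count a week earlier, count now, ratio)."""
    prev_day = (date.fromisoformat(iso_day) - timedelta(days=7)).isoformat()
    before, after = volumes_on(records, prev_day), volumes_on(records, iso_day)
    out = {}
    for botnet, cur in after.items():
        prev = before.get(botnet, 0)
        out[botnet] = (prev, cur, cur / prev if prev else None)
    return out

def flag_collapses(records, iso_day, max_ratio=0.5):
    """Botnets whose volume fell to max_ratio or less of a week earlier: the
    signature of a C&C takedown rather than normal day-to-day jitter."""
    return [b for b, (_, _, ratio) in week_over_week(records, iso_day).items()
            if ratio is not None and ratio <= max_ratio]
```

With the sample above, `rank(volumes_on(parse_stats(SAMPLE_STATS), "2010-01-10"))` drops Lethic from second place to last, and `flag_collapses(parse_stats(SAMPLE_STATS), "2010-01-10")` returns only `["lethic"]`.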

Similar to what happened to Mega-D last year when FireEye penetrated it, the botnet’s command-and-control structure was infiltrated in order to take it offline.  Disrupting this brain prevents the botnet from sending instructions to the worker nodes, and therefore from sending spam.  Cutting off the head of the dragon pretty much kills it, for a short time.  Unfortunately, like Medusa’s heads, these things keep growing back.

So, should there be more proactive action on the part of the antispam community to take out botnets?  Should there be research into it?  Funding?  Should ISPs take the initiative to take their customers offline if they detect that those customers are C&C centers?

It’s difficult to say, but there is certainly no denying that going after the C&Cs works better than almost any other technique.  After McColo, botnets evolved to make their infrastructure more resilient.  It’s nice to see that the anti-abuse community is evolving too.