I’ve written a number of times in the past about which botnets send us the most spam. Cutwail is always in the top 3.
With the Zeus disruption, has this affected Cutwail at all? Cutwail is not necessarily related to Zeus; as I said in my previous post, online criminals don’t need to spam in order to use Zeus. There are a lot of different activities. Still, the botnet that is mostly commonly associated with spam from Zeus is Cutwail. Given that, has there been any noticeable disruption in Cutwail since this past Friday?
At first glance, you might be tempted to think “Wow! Look at the drop in spam since last Friday!” But in fact, spam goes down on the weekends every weekend and therefore a drop in spam is not indicative of anything.
Unfortunately, while it did drop on the weekend, it only dropped to pre-shutdown levels. There is no observable effect at the moment (contrasts with Rustock which showed an instant change in behavior to almost no spam overnight).
This means one of two things:
- Cutwail is not associated with Zeus. The link was never particularly strong, but it has weakened since then.
- Zeus has been disrupted in some fashion, but what has been disrupted is not spam but other activities – phishing, hosting illegal websites, fast fluxing, etc. Spam just isn’t a big part of Zeus’s activities these days.
[Aside:The website abuse.ch has a Zeus Tracker that tracks domains and (I guess?) how active they are.]
Microsoft has diversified its anti-abuse legal strategies from spam (Waledac, Rustock) to general abuse (Kelihos, Zeus).