Behind the curtain of a botnet business

Researchers gain access to one of the world's largest spam botnets and find an operation that is as organized and crafty as any successful corporation

By , Senior Editor

March 29, 2011 | CSO

Boston—A presentation at this week's LEET '11, a USENIX workshop on large-scale exploits and emergent threats, delves into the inner workings of the underground economy, specifically the rental and operation of spam botnets.

Brett Stone-Gross, a PhD student at the University of California, Santa Barbara, gave an overview of recently completed research he conducted with fellow researchers Thorsten Holz, Gianluca Stringhini and Giovanni Vigna. In August 2010, the team worked with contacts at various Internet Service Providers and was able to gain access to 13 Command & Control (C&C) servers and three development servers used by botnet operators of the Cutwail spam engine, a botnet that has been around since 2007 and at one time was estimated to be the largest botnet in existence, with the most infected hosts. Cutwail is also often referred to as Pushdo because of a separate Trojan component that installs the software.


According to Stone-Gross, the data the team retrieved helped them understand the "modus operandi of the botmasters of a large botnet." Cutwail, he said, utilizes an encrypted communication protocol and an automated template-based spamming system to generate unique emails that get around spam filters. Researchers had access to records from the Cutwail servers that dated as far back as June 2009, and the amount of spam sent is mind-blowingly large. Stone-Gross reported 1.7 trillion emails were sent out during this time. The researchers had roughly one-half to two-thirds of the active Cutwail C&C servers, so they estimate overall numbers are likely higher.

"Most of the stuff was what you'd expect," Stone-Gross said as he displayed images of the type of spam the botnet sends. "You have your phishing, your online pharmaceuticals, diploma programs."

However, there are challenges to sending that much junk mail. Stone-Gross said a spammer's job is complicated by a number of factors, including invalid email addresses, SMTP errors, and blacklisting. As a result, while 87 billion spam messages were sent from July 30 to August 25, 2010, only around 30.3 percent of them were actually accepted by mail servers, and the volume reaching inboxes was likely much smaller once client-side spam filters are taken into account. But like good businessmen, the spammers maintain detailed statistics per infected machine to measure the effectiveness of campaigns and make modifications for future success.
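The acceptance figure above is the sender's view of the same three controls a receiving mail operator runs: DNS blacklists, recipient validation, and temporary rejection such as greylisting. The script below is an added illustration, not code from the article or from the Cutwail study, showing how a defender can measure those outcomes from a receiving MTA's own log: it classifies each SMTP delivery event by which control stopped it and reports per-source counts and the overall acceptance rate. The log lines, hostnames and IP addresses are constructed in a Postfix-like format and are assumptions, not data from the research.

```python
"""Classify SMTP delivery outcomes in a receiving mail server's log.

Added example (not from the article or the Cutwail study). The log
format below is Postfix-like and the addresses and IPs are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (hypothetical hosts and documentation-range IPs).
SAMPLE_LOG = """\
Aug 01 10:00:01 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<a@example.net> to=<bob@example.org>
Aug 01 10:00:02 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<a@example.net> to=<nobody@example.org>
Aug 01 10:00:03 mx postfix/smtpd[2]: NOQUEUE: reject: RCPT from mail.example.com[203.0.113.5]: 450 4.2.0 <carol@example.org>: Recipient address rejected: Greylisted; from=<x@example.com> to=<carol@example.org>
Aug 01 10:00:04 mx postfix/smtpd[2]: 3F2A1: client=mail.example.com[203.0.113.5]
Aug 01 10:00:04 mx postfix/smtpd[3]: 7B9C2: client=unknown[198.51.100.7]
"""

# A rejection at RCPT time carries the SMTP reply code and reason text.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) (?P<text>.*)"
)
# An accepted message gets a queue id followed by the client host/IP.
ACCEPT_RE = re.compile(r"smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>[\d.]+)\]")


def classify(line):
    """Return (source_ip, outcome), or None for lines that are not delivery events."""
    m = ACCEPT_RE.search(line)
    if m:
        return m.group("ip"), "accepted"
    m = REJECT_RE.search(line)
    if not m:
        return None
    code, text = m.group("code"), m.group("text")
    if code.startswith("4"):
        outcome = "deferred"            # temporary failure, e.g. greylisting
    elif "blocked using" in text:
        outcome = "blacklisted"         # DNS blacklist hit
    elif "User unknown" in text or "5.1.1" in text:
        outcome = "invalid_recipient"   # address does not exist here
    else:
        outcome = "rejected_other"
    return m.group("ip"), outcome


def summarize(log_text):
    """Per-source-IP outcome counts plus the overall acceptance rate."""
    per_ip = defaultdict(Counter)
    totals = Counter()
    for line in log_text.splitlines():
        event = classify(line)
        if event is None:
            continue
        ip, outcome = event
        per_ip[ip][outcome] += 1
        totals[outcome] += 1
    attempts = sum(totals.values())
    rate = totals["accepted"] / attempts if attempts else 0.0
    return {
        "per_ip": {ip: dict(c) for ip, c in per_ip.items()},
        "totals": dict(totals),
        "acceptance_rate": rate,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, counts in report["per_ip"].items():
        print(ip, counts)
    print("acceptance rate: %.1f%%" % (100 * report["acceptance_rate"]))
```

A source that accumulates many "invalid_recipient" rejections alongside a blacklist hit is the pattern the article's numbers describe: a bot working through an address list that is partly stale. Deferred (4xx) results are counted separately because a legitimate sender will retry them, while a spam engine typically moves on.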
