Researchers gain access to one of the world's largest spam botnets, and find it is an operation as organized and crafty as any successful corporation

Boston—A presentation at this week’s LEET ’11, a USENIX workshop on large-scale exploits and emergent threats, delves into the inner workings of the underground economy, specifically the rental and operation of spam botnets. Brett Stone-Gross, a PhD student at the University of California, Santa Barbara, gave an overview of recently completed research he conducted with fellow researchers Thorsten Holz, Gianluca Stringhini and Giovanni Vigna.

In August 2010, the team worked with contacts at various Internet Service Providers and was able to gain access to 13 Command & Control servers and three development servers used by botnet operators of the Cutwail spam engine, a botnet that has been around since 2007 and at one time was estimated to be the largest botnet in existence, with the most infected hosts. Cutwail is also often referred to as Pushdo because of a separate Trojan component that installs the software.

According to Stone-Gross, the data the team retrieved helped them understand the “modus operandi of the botmasters of a large botnet.” Cutwail, he said, uses an encrypted communication protocol and an automated template-based spamming system to generate unique emails that get around spam filters. Researchers had access to records from the Cutwail servers dating as far back as June 2009, and the amount of spam sent is mind-blowingly large: Stone-Gross reported that 1.7 trillion emails were sent out during this time. The researchers had roughly one-half to two-thirds of the active Cutwail C&C servers, so they estimate the overall numbers are likely higher.

“Most of the stuff was what you’d expect,” Stone-Gross said as he displayed images of the type of spam the botnet sends. “You have your phishing, your online pharmaceuticals, diploma programs.”

However, there are challenges to sending that much junk mail. Stone-Gross said a spammer’s job is complicated by a number of factors, including invalid email addresses, SMTP errors, and blacklisting. As a result, while 87 billion spam messages were sent from July 30 to August 25, 2010, only around 30.3 percent were actually accepted by mail servers, and the volume that reached users was likely much lower once client-side spam filters are taken into account. But like good businessmen, the spammers maintain detailed statistics per infected machine to measure the effectiveness of campaigns and make modifications for future success.

The team was also able to obtain a copy of a popular web-based forum known as Spamdot.biz, which simplifies the process of creating and managing spam campaigns. Spamdot.biz, available in both Russian and English, had about 1,900 members and gave users the opportunity to rent botnets or purchase email addresses to spam. Almost all members, approximately 91 percent, selected Russian as their first language. The highly vetted community only allows new members who have been approved by trusted members or established existing users, said Stone-Gross.

A detailed pricing system was observed by the team, who found that rates for one million email addresses range from $25 to $50, with discounted prices for bulk purchases. Those interested in building a botnet or installing their malware on a large number of systems often seek the services of groups who provide so-called loads, the underground term for the ability to install malware on compromised machines.
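The delivery figures above (87 billion messages sent, about 30.3 percent accepted, with invalid addresses, SMTP errors and blacklisting accounting for much of the rest) come from the per-bot statistics the operators kept on the C&C servers. As an added example, not code from the researchers or from this article, the following shows how an analyst working from a seized copy of such delivery records could classify SMTP replies into those same categories and compute per-host acceptance rates. The record layout (bot id, recipient, reply code, reply text) and the sample rows are constructed for illustration; the real Cutwail log format is not described on the page and is assumed here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of per-bot delivery records: (bot_id, recipient, smtp_code, reply_text).
# These rows are made up for illustration; they are not data from the Cutwail servers.
SAMPLE_RECORDS = [
    ("bot-01", "alice@example.com", 250, "2.0.0 OK: queued as 1A2B3C"),
    ("bot-01", "nobody@example.com", 550, "5.1.1 The email account that you tried to reach does not exist"),
    ("bot-01", "bob@example.org", 554, "5.7.1 Service unavailable; client host blocked using zen.spamhaus.org"),
    ("bot-02", "carol@example.net", 250, "2.0.0 Message accepted for delivery"),
    ("bot-02", "dave@example.net", 451, "4.7.1 Greylisted, please try again later"),
    ("bot-02", "erin@example.com", 550, "5.7.1 Client host [198.51.100.7] blocked by local policy"),
    ("bot-02", "ghost@example.org", 550, "5.1.1 User unknown"),
    ("bot-03", "frank@example.com", 421, "4.3.2 Service not available, closing transmission channel"),
    ("bot-03", "stale@example.net", 550, "5.1.1 No such user here"),
    ("bot-03", "grace@example.org", 250, "2.0.0 OK"),
]

# RFC 3463 enhanced status code at the start of the reply text, e.g. "5.1.1".
ENHANCED_CODE = re.compile(r"^\s*(\d)\.(\d+)\.(\d+)")
# Free-text hints that a permanent rejection came from a DNS blocklist or host policy.
BLOCKLIST_HINTS = re.compile(r"block(ed|list)|spamhaus|dnsbl|\brbl\b", re.IGNORECASE)


def classify_reply(code: int, text: str) -> str:
    """Map one SMTP reply to a delivery outcome category.

    The categories mirror the obstacles named in the article: accepted mail,
    invalid addresses, blacklisting, temporary errors, and everything else.
    """
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "temporary_error"  # 4xx: the server asked for a retry (greylisting, overload)
    match = ENHANCED_CODE.match(text)
    subject = int(match.group(2)) if match else None
    if subject == 1:
        return "invalid_address"  # enhanced class X.1.x = addressing status (no such mailbox)
    if BLOCKLIST_HINTS.search(text):
        return "blacklisted"
    return "other_error"


def summarize_delivery(records):
    """Count outcomes per infected host and overall, the way a per-bot statistics view would."""
    per_bot = defaultdict(Counter)
    overall = Counter()
    for bot_id, _recipient, code, text in records:
        outcome = classify_reply(code, text)
        per_bot[bot_id][outcome] += 1
        overall[outcome] += 1
    return {"per_bot": dict(per_bot), "overall": overall}


def acceptance_rate(counter) -> float:
    """Fraction of attempts the receiving servers accepted; 0.0 when there were none."""
    total = sum(counter.values())
    return counter["accepted"] / total if total else 0.0


if __name__ == "__main__":
    summary = summarize_delivery(SAMPLE_RECORDS)
    print(f"overall acceptance: {acceptance_rate(summary['overall']):.1%}")
    for bot_id, counts in sorted(summary["per_bot"].items()):
        print(bot_id, dict(counts), f"{acceptance_rate(counts):.1%}")
```

On the constructed sample the overall acceptance rate comes out at 30 percent, close to the 30.3 percent the researchers measured, but that is a coincidence of the sample rows; the point is the breakdown, which separates permanently dead addresses (a list-quality problem) from blocklist rejections (a reputation problem) and from transient 4xx replies that a sender would retry.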
The “loads” come from a variety of sources, such as drive-by-download attacks using HTML iframes and other malware, said Stone-Gross. “We observed several individuals offering 10,000 malware installations for approximately $300-$800,” the report summary states. Market price per “load” is highly dependent on geographic location, with machines in the U.S. and the U.K. fetching a much higher price than those in Asia, probably because they have faster and more reliable Internet connections, researchers noted. Loads sold per thousand in Asia went for around $13, in Europe for $35, and in the U.S. for $125.