Posts Tagged ‘takedowns’


Rustock down?

By Phil Hay  •  March 16th, 2011  •   Spam

A story emerged today on KrebsOnSecurity about the Rustock botnet being disabled, with spam volumes from it plummeting.

A brief look at our spam traps confirmed that output from Rustock did indeed dry up today. The chart below shows an index of daily spam volume changes from Rustock over the last few weeks:

[Chart: index of daily Rustock spam volume over the last few weeks]

Today, Rustock spam completely stopped (16 March, 3pm GMT). We can also confirm that the Rustock control servers that we know about are not responding. It is unclear yet who or what caused the shutdown; it's also possible the botnet has been abandoned. Over the past three years, Rustock has been responsible for a huge amount of spam, at times representing half of all spam caught in our spam traps. But since September last year, when Spamit.com was shut down, its output diminished significantly and its spam templates hardly changed.
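The daily volume index charted in this and the later Pushdo post is simple to reproduce from spam-trap data. The following is an added example, not M86's own tooling: it assumes each trap record has already been attributed to a botnet (by template or fingerprint, however the trap operator does that) and arrives as a line "<ISO-8601 UTC timestamp> <botnet label>". It builds per-day counts, indexes each day against the mean of a baseline week (baseline = 100), fills silent days with 0 so a full stop shows up as a zero rather than a missing point, and flags days that fall below a threshold. The trap records and the "rustock"/"cutwail" labels are constructed for the demonstration; the constructed "rustock" feed stops at 15:00 UTC on 16 March, mirroring the pattern described above.

```python
"""Daily spam-volume index per botnet from attributed spam-trap records.

Added example, not the page's or M86's own code. Record format is assumed:
"<ISO-8601 UTC timestamp> <botnet label>", one message per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_records(lines):
    """Return {botnet: {date: message_count}} from trap-record lines.

    Malformed lines are skipped rather than allowed to abort a daily run.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        stamp, botnet = parts
        try:
            day = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            continue
        counts[botnet][day] += 1
    return counts


def volume_index(day_counts, first, last, baseline_days=7):
    """Index each day in [first, last] against the mean of the first
    `baseline_days` days, so the baseline reads 100 and a dead feed reads 0.
    Days with no records are filled in as 0 instead of being left out."""
    baseline = [day_counts.get(first + timedelta(days=d), 0)
                for d in range(baseline_days)]
    mean = sum(baseline) / baseline_days
    if mean == 0:
        raise ValueError("no baseline traffic to index against")
    series = {}
    day = first
    while day <= last:
        series[day.isoformat()] = round(100.0 * day_counts.get(day, 0) / mean, 1)
        day += timedelta(days=1)
    return series


def detect_drops(index, threshold=25.0):
    """Return (iso_date, index) for days below `threshold` (baseline = 100)."""
    return [(d, v) for d, v in sorted(index.items()) if v < threshold]


def make_sample_log():
    """Constructed trap records (not real data): 'cutwail' sends 2/hour
    throughout; 'rustock' sends 5/hour until 15:00 UTC on 16 March, then stops."""
    lines = []
    start = datetime(2011, 3, 9, 0, 0, 0)
    for day in range(9):  # 9 March .. 17 March 2011
        for hour in range(24):
            stamp = start + timedelta(days=day, hours=hour)
            lines += [f"{stamp:%Y-%m-%dT%H:%M:%SZ} cutwail"] * 2
            if stamp < datetime(2011, 3, 16, 15):
                lines += [f"{stamp:%Y-%m-%dT%H:%M:%SZ} rustock"] * 5
    lines.append("garbage line that should be skipped")  # exercises the parser guard
    return lines


def run(lines=None):
    """Return {botnet: (index_series, drops)} over the span covered by all botnets."""
    counts = parse_records(lines if lines is not None else make_sample_log())
    all_days = [d for per_day in counts.values() for d in per_day]
    first, last = min(all_days), max(all_days)
    report = {}
    for botnet, per_day in counts.items():
        idx = volume_index(per_day, first, last)
        report[botnet] = (idx, detect_drops(idx))
    return report


if __name__ == "__main__":
    for botnet, (idx, drops) in run().items():
        print(botnet, idx)
        print("  drops below 25:", drops)
```

On the constructed data the "rustock" index reads 100 through 15 March, 62.5 on 16 March (only 15 of 24 hours of traffic) and 0 on 17 March, which is the day flagged; "cutwail" stays at 100 with no drops. Using the overall span rather than each botnet's own last-seen day is what makes the 17 March zero appear at all: a feed that simply stops leaves no record to anchor a date on.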

Whatever the reason, let's hope this one sticks. Previous attempts at botnet shutdowns have tended to be short-lived, as the botnet herders simply regroup and start again. It's too early to say bye bye Rustock, but the thought is certainly nice.

Update: according to a Wall Street Journal report, it looks like Microsoft, in conjunction with US federal authorities, was responsible for the takedown of Rustock.


Mega-D Botnet Operator Revealed

By Phil Hay  •  December 2nd, 2010  •   Spam

Interesting details emerged today regarding the Mega-D botnet. The FBI has identified Russian national Oleg Nikolaenko as the operator of the botnet and has filed papers with a US District Court for his arrest. Brian Krebs of KrebsOnSecurity has a good article on the issue, including a link to the court documents.

M86 Security Labs has monitored the Mega-D botnet closely ever since we noticed huge volumes of spam emanating from it in early 2008. In fact we originally dubbed it Mega-D because of its numerous and distinctive "Megadik" spam campaigns at that time. Mega-D has since had its ups and downs as various researchers and law enforcement authorities took ever greater interest in it. The timeline below lists our blog entries on events relating to Mega-D over time.

The court document makes interesting reading. The FBI found Nikolaenko through data revealed in the 2008 US Federal Trade Commission investigation into Affking, the affiliate program linked to Genbucks that was responsible for "Megadik" and other similar brands. M86 Security Labs provided assistance to the FTC and New Zealand authorities in that original investigation. Between 6 June 2007 and 14 December 2007, payments totalling around $465,000 were made by Affking into an ePassporte account registered to Nikolaenko for spamming services.

Over the last few months, Mega-D spam activity has dried up and its control servers have become non-responsive. It no longer features in our spam tracking statistics. In reality, Mega-D has been on the decline for some time, probably as a result of all the interest by researchers and the authorities.

It’s encouraging to see law enforcement agencies going after these bot-herding criminals. Identifying and incapacitating the individuals behind the malware is one of the best ways to keep these giant spam-spewing systems in check.

Timeline:

February 2008: Spam from the "Mega-D" botnet constituted 32% of spam; malware identified and control servers disabled

February 2008: Mega-D recovers and resumes spamming

October 2008: FTC initiates action against the AffKing affiliate program

November 2008: McColo takedown halts operations of Mega-D and other spamming botnets

December 2008: Mega-D resumes spamming

November 2009: Mega-D operations disrupted by FireEye

February 2010: Mega-D resumes spamming, again

December 2010: FBI identifies Mega-D's operator


Pushdo Botnet Crippled – II

By Phil Hay  •  September 9th, 2010  •   Botnets

Two weeks ago we reported on the sudden drop in spam from the Pushdo botnet as a result of many of its control servers being taken down. Since then, spam output from this botnet has remained subdued, as the following updated chart shows.

As Pushdo (otherwise known by its spamming component, Cutwail) was only responsible for about 10% of spam prior to the takedown, overall spam volumes have not been hugely affected; it is not uncommon to see 10% volume swings in a single day. Having said that, last week our spam volume index did show slightly reduced overall levels of spam for the week.

Things seem to be warming up, however. Other researchers have observed more Cutwail control servers being added. Also, yesterday we saw a resumption of malicious spam from Pushdo with the Sasfis downloader as the payload. This simply reaffirms our earlier suspicion that these guys will not be down for long.


Pushdo Botnet Crippled

By Phil Hay  •  August 27th, 2010  •   Botnets

This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble. The chart below shows an index of Pushdo spam volume over the month of August.

[Chart: Pushdo spam volume index, August 2010]

So what's the reason for this sudden decline? It turns out that the folks at TLLOD have been busy analyzing Pushdo command and control servers and coordinating their takedown. According to their blog, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers. However, a few active control servers remain and are still serving up spamming data.

As the chart above shows, this coordinated takedown has had an immediate impact on Pushdo's spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months. Still, we must sound a note of caution. Previous experience has taught us that these botnet takedowns are short-lived. Disabling control servers does not incapacitate the people behind the botnet. It is highly likely they'll be back before long with new control servers and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about.
