There has been a significant observed drop in worldwide SPAM levels during the last month or so. M86 thinks it's due to Rustock, the world's largest spam botnet, suddenly stopped sending spam for unknown reasons. McAfee has expressed a different point of view. According to them, the steep drop in spam levels is due to recent attempts to shutdown Pushdo.D, another famous spam botnet. It's clear that spam levels are dropping, so let's look behind the curtain and try to find the actual reasons for the statistical observations.
I can think of two possible reasons why a major spam botnet would suddenly stop sending spam:
1. There was an attempt to shutdown the botnet by taking down its CnC servers.
2. The bot herders are running out of business i.e no one is paying them to send SPAM.
Here in the FireEye Malware Intelligence Labs, we monitor the activities of different botnets on a daily basis. Based on the data we have, there is no indication that CnC servers for Rustock are being shutdown. For example, we observed 39 Rustock's CnCs alive and responding within just the past 24 hours. This number of active CnC servers is what we see on average in the case of Rustock. It's clear that this botnet is not dead (or even partially damaged.) Even if it is not sending spam at this moment, it can come back at any time.
Here are the number of active Rustock CnCs observed during each of the last 5 months.
As I explained in my last post, the earlier attempt to shutdown Pushdo.D botnet merely paused its activities for few days. We have observed eight new CnC servers emerging since the Pushdo.D shutdown attempt back on Aug 27. This puts the count of active servers at 18. In terms of active CnC servers, it is pretty clear to us that the Pushdo.D botnet is back to its normal strength.
I would like to add one thing here, there are multiple Pushdo and Cutwail variants/botnets in circulation at the moment. For example Pushdo.C was not touched by LastLine during their Pushdo.D shutdown attempt. I am surprised that no real effort has been made to separate out spam coming from these two different botnets. Spam being classified as coming from the Pushdo botnet must be a combination of spam coming from both variants. This is further confusing the overall situation. How much difference in overall spam volume did LastLine's attempt to kill Pushdo.D make?
The CnC servers behind Rustock, Pushdo.C, Pushdo.D and Cutwail are fully alive and responding. To me, the most logical reason for this spam drop is the recent shutdown of a big spam affiliate program name spamit.com. spamit.com has been a very big source of income for these spammers and in past has been accused of paying spammers for sending spams.
The problem is that these botnets which historically are responsible for large volumes of spam are still fully intact. The moment the bot herders find new affiliate programs, spam volumes will likely come back to their normal position. This incident teaches us a lesson that the best way to kill spam is to either stop the bad guys from operating these botnets and/or cut the food chain by stopping these affiliate programs from paying bot herders.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Detailed Questions/Comments : research SHIFT-2 fireeye DOT COM