Catch a lizard by the tail and it will shed its tail and run free. This is a fun fact of nature (even more fun when you’re a kid) and a very clever trick to fend off a predator’s attacks.
And did you know that if you try to catch a botnet, chances are the same thing will happen? As we saw in a previous article, botnets are resilient creatures: they do whatever they can to avoid being caught, but when it happens they usually grow stronger.
In recent years, more and more botnet control centers have been taken down, thanks to close collaboration between ISPs, researchers and security specialists. The Lethic spambot was dismantled just recently, and the drop in spam activity during the following weeks showed that this was definitely a good thing! It is only the latest addition to a growing list of heavy blows against spammers and botnet masters, including strikes on the Storm botnet in 2009 and the McColo takedown in 2008 (McColo was a hosting provider whose disconnection cut off the control servers of several spam botnets at once).
Of course these are all good things, but the story doesn’t end there. Further analysis of spam activity clearly showed, for example, that shortly after the McColo takedown, spam traffic slowly climbed back to pre-takedown levels, and then got worse. The spam traffic studies show that, so far, we have been left holding a lizard’s tail and that, ‘Overall spam growth is the highest it’s ever been.’
Some botnets have taken heavy blows, it’s true, but they have nevertheless grown stronger. How? A recent review of the Webwail bot found that the communication channels between the bots and their C&C centers are now encrypted, making them harder to reverse-engineer and to sniff. These vital parts have also become more flexible and dynamic than ever. Already a full-blown, resilient, distributed system, the botnet is now evolving into a full-featured product which ‘incorporates library updates and a scripting engine.’
So, botnets are getting stronger and are spreading further. Recent statistical trend analysis of spamming IPs around the world clearly shows an increase in IP diversification, which in turn calls into question the real impact of RBL solutions in the spam detection process. RBLs are, of course, a big factor in helping to break the spam chain, and a great example of the collaborative effort to reach that goal. However, studies on the efficacy of RBLs tend to warn that they are at risk of becoming less effective in the future as a means of blocking blacklisted IPs at the connection level: a blacklist can only ever contain the IPs that have already been observed sending spam.
So what does all this tell us? It serves to underscore an important fact that bears repeating: there is no silver bullet. We are truly in an arms race where it is important to have as many diversified and up-to-date weapons as possible. It is the sum of these weapons: RBLs, cutting-edge content filtering, anti-malware solutions, and so on, in addition to the research and security efforts aimed at understanding and taking down botnets, that will collectively give us the upper hand in the fight against spam.
Some of the data collected after the McColo takedown tended to back up that observation. Once all the IPs of the botnets hosted at McColo were cleared from the RBL lists, it took time to identify and collect the new IPs the botnets moved to. During that interim, the effectiveness of RBLs dropped.
So, choose your solution(s) carefully. Don’t use something just because it has a well-known name, but because of how flexible it is. Also, do not neglect your raw content filters: even if you think RBLs are the most effective solution against spamming, they certainly aren’t the only one. And make sure your protection actually protects you: test it.
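To make the RBL-versus-content-filter point concrete, here is an added example (not code from the original post or from any product it mentions) of the two layers working together. The DNSBL mechanism is the real one: the client IP’s octets are reversed and prefixed to the list’s zone, and a listed IP resolves to an address in 127.0.0.0/8 while an unlisted one does not resolve at all. Everything else is constructed for the example: the zone name `dnsbl.example` is hypothetical, the `LISTED` table stands in for DNS answers so the code runs offline, and the keyword weights and sample messages are made up. The last scenario shows what the post describes: a spam run that moves to a freshly recruited IP slips past the RBL and is only caught by the content filter.

```python
"""Added example: connection-level DNSBL check plus content-filter fallback.
The zone, the listing table and the sample messages are constructed here."""
import ipaddress
import re

DNSBL_ZONE = "dnsbl.example"  # hypothetical zone, not a real blacklist

# Constructed stand-in for DNS answers (query name -> A record).
# Real DNSBLs answer listed IPs with 127.0.0.x and NXDOMAIN for unlisted ones.
LISTED = {
    "4.3.2.1.dnsbl.example": "127.0.0.2",
    "9.8.7.6.dnsbl.example": "127.0.0.4",
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.
    1.2.3.4 -> 4.3.2.1.dnsbl.example"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def resolve(name: str, table=LISTED):
    """Fake resolver: returns the A record or None (the NXDOMAIN case)."""
    return table.get(name)


def rbl_listed(ip: str, resolver=resolve) -> bool:
    """True when the IP is listed, i.e. the query resolves inside 127.0.0.0/8.
    Any other answer (a wildcarded or dead zone) is treated as not listed."""
    answer = resolver(dnsbl_query_name(ip))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


# Constructed content rules: (pattern, weight). Scores add up per match.
SPAM_PATTERNS = [
    (re.compile(r"\b(?:viagra|cialis)\b", re.I), 3.0),
    (re.compile(r"\bclick here\b", re.I), 1.5),
    (re.compile(r"https?://\S+", re.I), 0.5),
    (re.compile(r"\b(?:100% free|act now|limited time)\b", re.I), 1.0),
]
CONTENT_THRESHOLD = 3.0


def content_score(body: str) -> float:
    """Sum the weights of every rule match in the message body."""
    return sum(w for pat, w in SPAM_PATTERNS for _ in pat.finditer(body))


def classify(client_ip: str, body: str, resolver=resolve) -> str:
    """Cheap connection-level check first, content scan only if that misses."""
    if rbl_listed(client_ip, resolver):
        return "reject:rbl"
    if content_score(body) >= CONTENT_THRESHOLD:
        return "reject:content"
    return "accept"


# Constructed sample messages.
SPAM_BODY = "Cheap VIAGRA!!! Click here http://pills.example/buy - limited time"
HAM_BODY = "Hi, attaching the minutes from Tuesday's meeting. Thanks."

if __name__ == "__main__":
    # A listed bot is stopped before any content is read.
    print("listed bot, ham body   :", classify("1.2.3.4", HAM_BODY))
    # The same spam from a freshly recruited, not-yet-listed IP: only
    # the content filter catches it (the post's IP-diversification point).
    print("fresh bot, spam body   :", classify("10.0.0.5", SPAM_BODY))
    print("fresh host, ham body   :", classify("10.0.0.5", HAM_BODY))
```

The ordering matters operationally: the RBL lookup costs one DNS query and rejects before the message body is transferred, so it stays the first layer; the content filter is the safety net for every IP the lists have not caught up with yet.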
Funny you see them as a lizard. I see them as the mythical Lernaean Hydra (http://en.wikipedia.org/wiki/Lernaean_Hydra). The Hydra is a monster with 9 heads. Each time Heracles tried to cut 1 head with his sickle, the creature grew 2 new heads in its place.
If RBLs are limited, would a system based on SRS (Sender Reputation System) be a better option and offer more long-term potential?
Also, assuming the solution is not to take them down, how can these botnets be stopped? Would it be the famous dictum: ignore them and they will go away?
If botnets keep on growing, it’s probably because it’s worth it in the end. Phishing is paying off, keyloggers and trojans are working and doing their dirty jobs, and unscrupulous marketing and sales departments keep spamming.
Assuming every computer on the planet was protected by an up-to-date anti-virus and every single mail server on the planet was protected with top-notch email security software, no spam, no trojan and no phishing attempt would make it through, right?
And then, in time, botnet masters would not make a profit out of their operations and would drop their activities.
So, the real question is, how do we get the whole planet to wear a working condom? (protect their computers and email servers) Government regulations? (I’m not in favor of these, our governments control too much as it is) Education?
The lizard analogy actually corresponds to a different view of botnets. It certainly is common to compare them to a Hydra to illustrate their resilience. But this comparison focuses on another interesting aspect: while the Hydra stays to fight you (even after losing some of its heads), the lizard approach makes you think you’ve won. It’s only afterwards that you realize things have worsened, so the lizard is more elusive and tricky.
I don’t think we’ve found the one and only solution. We should definitely continue to take botnets down, but clearly that shouldn’t be our only attack. It will take a collective effort to make a real impact.
That being said, though, I think one of the biggest factors is economical. Taking down botnets and trying to block spam doesn’t remove the core of the issue: spam is still economically viable for spammers.
That being said, a somewhat interesting piece of news came up today:
http://www.pcpro.co.uk/news/security/355852/microsoft-secretly-beheads-notorious-botnet
and we still see that the big picture is missing from it (which is: spam greatly increases overall!) and only the local victory is emphasized yet again …