Spammers survive botnet shutdowns

Spam levels have not been dented by a series of strikes against controllers of networks of hijacked computers.

Early 2010 has seen four such networks, or botnets, tackled via arrests, net access cutoffs and by infiltrating command systems.

The successes have not inconvenienced hi-tech criminals who found other routes to send spam, say experts.

And, they add, despite falling response rates, spam remains too lucrative for criminals to abandon.

Cable cutting

In early March, many parts of the command and control (C&C) system for the Zeus botnet were knocked out of action as Cisco and others cut off the Kazakhstani ISP being used to administer it.

The action comes on top of similar success against the Lethic, Waledac and Marioposa botnets in early 2010.

"So as far as impact on spam goes it has been minimal," said Rik Ferguson, a senior security analyst at Trend Micro.

Statistics on spam and botnet numbers in the UK gathered by Trend Micro show that the rates of both have stayed constant despite the growing numbers of successes against these networks of hijacked home PCs.

Victims, typically users of Windows machines, often fall victim via booby-trapped e-mail messages or through websites that slip malware onto computers via software vulnerabilities.

Botnet controllers have shown resilience in recovering swiftly after a shutdown. 2008 saw the close down of an ISP called McColo which provided net connections for many botnets. As a result of that, global spam levels dropped by 70% but it did not take long for junk mail levels to start climbing again.

Similarly, the recent action against the Zeus botnet briefly caused the number of C&C computers behind it dropping by a quarter. Since then, however, numbers have been climbing and the network is closing in on its earlier total.

The problem, say experts, is that those who send spam are not those that run the botnets. As a result, if one botnet disappears then spammers and other hi-tech criminals simply shop around for another.

Cashing in

Hi-tech criminals persist with spam despite evidence that response rates are plummeting.

Only 28 responses were recorded from a spam campaign of 350 million e-mails found a study carried out by Professor Stefan Savage and colleagues at the University of California, San Diego.

Of those 350 million, only 23.8% made it through spam filters to e-mail inboxes and resulted in more than 10,000 visits to site peddling cheap pills.

Professor Savage said it was difficult to draw conclusions based on its limited data but said even with response rates of 0.00001%, the most prolific spammers could potentially make millions of dollars per year.

"It is true that over the years spam campaigns have become less successful for certain age demographics in the USA and most of Europe, but not so much in Asia and developing countries." said Paul Sop, chief technology officer at security firm Prolexic.

"What counts is not the amount of spam being sent, but how profitable/effective the campaign is," he said. "Smaller more targeted spam campaigns, especially phishing, are more effective."

Mr Ferguson from Trend Micro said low response rates did not mean that spam had become a solved problem in some countries.

"Spam is not just about selling spurious bargains anymore," he said. Typically, he said, spam was the trigger that led people to a website where they may fall victim to some kind of malware.

"Most non-commercial spam these days is aimed solely to get you to click on a link, even out of curiosity," he said. "As soon as you click on that link, you're infected, most likely to become yet another botnet victim, have your identity and information stolen and go on to participate, all unknowingly in the infection of further victims."