Are Botnet Takedowns The Final Weapon In Spam Fight?
11:28 AM EST Fri. Mar. 25, 2011
It’s been a week since the Rustock shutdown, and the world is much quieter on the spam front.
According to stats from leading anti-spam vendors, the successful takedown of the Rustock botnet has so far had a lasting impact on spam levels. Figures from Symantec’s MessageLabs team show the overall amount of spam being blasted out declining by approximately 15 billion during the eight days between March 15 and March 23, when it stood at roughly 30 billion.
“The spam output from Rustock is still flatlined, (and) MessageLabs Intelligence has still seen no activity from this botnet since the 16th March 13:30 GMT,” said Paul Wood, senior analyst at MessageLabs. “Prior to the takedown, Rustock was sending spam in large bursts every two days, so we would have expected a new run to begin on the 17th, but nothing happened.”
All this was the result of the well-publicized Operation b107, a project that used the combined efforts of researchers from Microsoft, FireEye and the University of Washington in conjunction with CN-CERT (China’s Computer Emergency Response Team) and various law enforcement agencies. It was the second Microsoft-led takedown of a major botnet in the past year; in 2010, the company claimed victory over Waledac.
But the effect of the takedowns, as perhaps can be expected, is often relatively short-lived, raising the question of whether the anti-spam industry is at the point where takedowns are the only thing that can help vendors inch closer to blocking 100 percent of unwanted mail.
There's not much more that the anti-spam industry can do about targeted spear phishing without running into problems with quarantining legit user emails, Alex Lanstein, senior security engineer at FireEye, told CRN.
“Targeted spear phishes will use personal details and relevant sounding content to bypass spam filters and ultimately fool very savvy users to open the email and attachments,” he said. “That's why our email security appliances use our virtual machine analysis to assess each and every attachment for malicious code.”
As an industry, there is still bickering about the subtleties of even defining the term spam, said Adam Wosotowsky, principal engineer at McAfee Labs.
“The anti-spam industry suffers from a general malaise because a lot of industry leaders went right over the cliff following folks who shouted the mantra ‘spam is a solved problem’,” he said. “The spam problem has not been solved… It is an issue which is connected to how we live and how we do business, and until there is no potential for profit, spam will continue to be a significant problem.”
McAfee has a lot of initiatives in the works to continue to refine its capabilities to detect and stop spam as well as infiltrate botnets and cooperate with the authorities, he said.
“Tool and protocol integration through our GTI (Global Threat Intelligence) initiative is significant and ongoing,” he explained. “Better data mining, data traps and finding the key individuals who have the artistic talent to craft effective rules and hunt spammers are also very important.”
There’s no doubt that takedowns have an impact, even if historically it has been relatively short-lived. Before Operation b107, Rustock was sending billions of spam emails daily, accounting for an average of 28.5 percent of global spam from all botnets in March. That percentage was actually down from the end of 2010, when Rustock was responsible for as much as 47.5 percent of spam.
That being said, spammers will always adapt, Wosotowsky said.
“They have been constantly improving their distributed command and control capabilities over the past few years, moving into instant messaging, comments in blogs, or wiki updates to hold encoded messages to lost bots in order to lead them back to a new home,” he said. “I would also predict that we’ll see more definitive splits of the botnet (Rustock) into functional units. This will ensure when someone blocks the Rustock botnet they will only be tracking down the portion of it that was used for spam or some other obvious purpose, while the more subtle corporate espionage related infections will be safely tucked away.”
While it may seem like innovation is in a holding pattern, there is progress being made in the backend, said Symantec Abuse Desk Analyst Eric Park. “The reality is that a top-tier anti-spam product probably catches 99-plus percent of spam,” he said. “So it’s about the push to get that last fractional percentage point gain, which becomes more difficult as we get closer to 100 percent.
“Also, the typical end-user’s perception is based on the number of spam messages received, not the percentage filtering rate,” Park added. “For example, if one user received one spam message daily last year and one spam message daily this year, the perception would be that there has been no progress made. However, if spam output increased over that time period, the anti-spam effectiveness percentage would’ve actually increased. So the product may be doing better, but would make no difference to the end-user.”