Berserker Botnet Hammering Networks With Spam
From about 11 a.m. EST Monday, what appears to be a new botnet with as many as 5.5 million nodes began a "brute force" spam assault on networks that hearkens back to the early days of spamming, said AppRiver CTO Joel Smith Thursday.
A botnet is IT security parlance for a networked collection of compromised computers that have been infected with malicious code to "enslave" them to a computer controlled by cyber-criminals such as spammers. The controller of the botnet can then use it to conduct malicious Internet activity unbeknownst to each slave node's owner, such as e-mailing spam or infecting more computers with malware.
For the past four days, according to Smith, an onslaught from botnet nodes mainly located in Poland has kicked off in the morning and then abruptly stopped at about 5:30 p.m. EST, almost as if the architect was punching a time clock alongside the harried e-mail administrators trying to counter the attacks.
The "sheer volume" of spam that Gulf Breeze, Fla.-based AppRiver has seen this week "makes this attack unique," Smith said.
"A normal network segment does an average of 250 megs of throughput. Since Monday, we've been seeing a gig of throughput," he said.
The rogue botnet is doing double-duty, according to Smith. "It's trying to harvest addresses and also passing along spam. Usually those two functions are separate," he said.
But whoever brought the new botnet online has created a blunt instrument akin to a denial of service attack. That seems oddly counterproductive given the more sophisticated spamming techniques typically used by today's spammers to milk as many junk mail hits out of a botnet as they can, AppRiver executive vice president Scott Cutler said.
"The current spamming tactic is to gently deliver spam in a manner that closely resembles legitimate e-mail. What we saw yesterday was a return to an earlier period, when it was relatively common for spammers to use directory harvesting to build lists of valid e-mail addresses. A new twist on this old technique was to use a bot network to perform the task," said Cutler in an e-mail received on Tuesday.
What makes this new-old approach somewhat effective is that the botnet does not respond to the blacklisting protocols used in many commercial e-mail filtering systems, Smith said. Instead of the spam attempts "going away" when denied access to user inboxes, Smith said they keep coming. Thus, e-mail administrators are forced to shut down all connections with the sending IP addresses.
But while this is a headache in the short-term, Smith said whoever is running this spam operation is essentially compromising its longer-term life by exposing the IP addresses of millions of botnet nodes to e-mail administrators, who can then simply block them.
"Why would someone do this in such a brute force fashion? When they do something like this it causes us to deny the IP address outright. It's almost like they built this botnet with poor coding," Smith said.
"Why would they do that, you know, cut their nose off to spite their face? Why would they make two million IP addresses known to us? One theory is that they don't know that they're doing that. Another is that they don't care."
Smith said AppRiver had seen as many as 2.2 million identifiable nodes sending spam as part of the berserker botnet, but guessed that the entire network could include as many as 5.5 million slave nodes.