Skip to content


How tightly linked are the top spam botnets?

I was away on holidays last week, and when I got back, I found my feed reader full of some good discussion as to whether today’s bigger spam botnets — Srizbi, Rustock, Mega-D, Cutwail/Pushdo — are sharing components, such as “landing” sites, exploits, customers, and even command and control networks. It started with this post on the FireEye Malware Intelligence Lab’s blog noting:

‘Some malware researchers have described Srizbi and Rustock as rival botnets, our data indicates that this apparent rivalry is a sibling rivalry at best. Srizbi and Rustock seem to be supported (controlled) by the same parent (bot herder).’

and in this followup:

‘We can clearly see that Srizbi, Pushdo and Rustock are using same ISP, and in many cases, IPs on the same subnet to host their Command and Control servers. It seems extremely unlikely to our research team that three previously “rival” Botnets would share nearly consecutive IP space, and be hosted in the same physical facility. Of all the data centers and IPs in the world, the fact that they are all on the same subnet is very intriguing. This fact makes the FireEye research team conclude that either the Botnets are operated by the same organization, or that the datacenter (McColo) is a shell corporation that leases out it’s IP space and bandwidth for nefarious actions.’ […]

‘IPs at a typical datacenter are leased out in a /30 or more commonly, a /29 block. However, here we can see that in a given succession of IPs, the three Botnets have C&C servers dispersed throughout. This gives us an impression that same Bot herder leased out a larger range and then distributed it amongst its different Botnets.’

Marshal say: ‘at the very least, the major botnets have common customers.’

Dark Reading cover it like so:

Rustock, which recently edged Srizbi for the top slot as the biggest spammer mostly due to a wave of fake Olympics and CNN news spam, and Srizbi, known for fake video and DVD spam, have been using the same Trojan, Trojan.Exchanger, to download their bot malware updates, researchers say. “This is the first time” we had seen this connection between the two botnets, says Fengmin Gong, chief security content officer for anti-botnet software firm FireEye. “That’s why when we saw it, it was surprising. They definitely have a relationship,” he says. “There’s not the rivalry we used to think about.” […]

Joe Stewart, director of security research for SecureWorks, says the Srizbi-Rustock connection is most likely due to a spammer using both zombie networks — not that the operators of the two botnets are actually collaborating. “What is confusing people is that you’re seeing Rustock bots sending out emails that essentially infect people with Srizbi, so they think it must be Srizbi that’s sending it, but it’s not,” he says. “Srizbi is not just one big model. It’s rented out to lots of different spammers.”

A major spammer may be trying to diversify by using the two botnets, he says. “It could be because they want to separate their malware-seeding operation from their spamming operation,” Stewart says. “Maybe their bots are getting blacklisted faster when they’re sending out URLs with fake video files because they’re easy to spot, so their spam doesn’t get through. So they send malware from this botnet, and spam from this one, to keep out of the blacklists longer.”

I agree that Joe’s scenario is very likely; the spammers aren’t always the same people who operate the botnets, and it only makes sense that some of them would spread their business among multiple nets, to minimize the risk that all of their output would be blocked if one ‘net runs into trouble (or indeed, good filtering ;). But seeing C&C servers sharing LANs also strikes me as unusual. One to watch.

Anyway, it’s good to see that the malware research blogs are now actively tracking and posting updates when the botnets change topics and format; this info is very valuable for us in anti-spam, as it allows us to map from the received spam mails back to the sending botnet, and determine which rules are good at detecting each botnet. Thanks, guys.

(image credit: cobalt123, used under CC license)