Peter Dinham
Thursday, 01 October 2009 08:24
Symantec senior analyst, Paul Wood, says that over the
past year, the security firm has seen a number of ISPs taken offline
for “hosting botnet activity resulting in a case of sink or swim and an
ensuing shift in botnet power.”
“This has undermined the power of the more
dominant botnets like Cutwail and cleared the way for new botnets like
Maazben to emerge. However, this won’t always be the case as botnet
technology has also evolved since the end of 2008 and the most recent
ISP closures now have less of an impact on resulting activity as
downtime now only lasts a few hours rather than weeks or months as
before.”
According to Wood, following the closure of these ISPs over the past
three months, two other botnets have had the opportunity to vie for
Cutwail’s previous position as the most active botnet.
Grum, half the size of Rustock but responsible for 23.2 percent of
spam, and Bobax, responsible for 15.7 percent of spam, have both taken
over as the most active botnets for spam distribution. Previously,
Cutwail was responsible for 45.8 percent of spam.
Also in September, Symantec analysis revealed that a decline in ‘domain
tasting’, the practice of domain registration cancellation within a
five day grace period, reported by ICANN in June this year, may be
responsible for a change in the malicious nature of web sites,
“suggesting that malicious domains are now likely to be older,
compromised websites rather than newly registered domains with a short
lifespan as they were about one year ago.”
According to Wood, an analysis of websites that are established with
the pure intent to serve malware reveals that “young” domains - those
that are registered up to three months before first being blocked for
hosting malicious content - are small in number but the “vast majority
of them are blocked as malicious and founded with malicious intent,”
and “ninety percent of ‘young’ domains are taken down within 38 days of
registration.”
“It is not surprising that with a small window of opportunity for
younger domains, the attackers register domains much faster,” Wood
said, “suggesting that attackers are working very hard to set up new
domains and compromise new websites. However, in an effort to keep up
with the rapid turnover of domains, the bad guys are often serving up
the same malware.