American and German researchers who infiltrated and crippled one of the world’s biggest spam-producing networks last summer have released a formal paper on the experience, and the numbers are staggering.
The Pushdo/Cutwail “botnet” sent out 1.7 trillion e-mails over 15 months (about 113 billion per month), had 100,000 enslaved “bots” around the world and had about 30 command-and-control servers in Europe, North America and Russia.
Its Russian cybercriminal operators bought and sold e-mail addresses by the million and compromised PCs by the thousand, with lower prices for less-desirable countries and volume purchases.
[ Read the original research paper here (PDF). ]
"The interesting things were just the amount of spam that they were sending and how they operate like a professional business, with detailed statistics and error reporting,” Brett Stone-Gross, one of the researchers and a doctoral candidate at the University of California, Santa Barbara, told Kaspersky Lab’s ThreatPost blog. “This is a real business."
The 16 Pushdo/Cutwail servers that the researchers were able to access contained 2.35 terabytes of data, 24 databases full of details about operations and billions of target e-mail addresses.
The researchers estimate that the botnet’s operators have earned between $1.7 million and $4.2 million since June 2009.
Even one sub-botnet — Pushdo/Cutwail was divided into several domains, each under the control of one gang member — was able to pump out 87.7 billion e-mails in the four weeks between July 30 and August 25, 2010.
"I was most surprised by the sheer number of e-mails sent by this one botnet," another researcher, Thorsten Holz of Ruhr-University Bochum in Germany and Lastline, Inc., in Santa Barbara, told UBM TechWeb’s Dark Reading blog. "It turns out this one botnet sent out billions of spam messages."
Symantec Labs estimated last year that 89 percent of all e-mails are spam.
Takedown
The research team got service providers to pull the plug last summer on about 20 of Pushdo/Cutwail’s 30 command-and-control servers. (The other service providers refused.) The botnet was crippled for several months.
Botnets are illicit networks of computers that have been enslaved by malware, which burrows deep into their operating systems and opens “backdoors” that allow control by remote operators, or “bot herders.”
Malware infection usually happens when a user opens a compromised e-mail attachment (a Trojan) or visits a compromised website (a drive-by download).
The bots, ordinary machines scattered across the globe whose users have no idea they are infected, are used to send out spam touting Viagra and pornography, phishing e-mails and Trojans to harvest more bots.
Almost 40 percent of Pushto/Cutwail’s bots were in India, Holz and his colleagues found. Other countries’ shares were far lower; Australia came in second, comprising 9 percent of the compromised PCs.
Holz and his colleagues also got an archived copy of Spamdot.biz, an online forum used by botnet operators for communication and trade, which provided a fascinating look into the world of mid-level cybercriminals.
More than 90 percent of the posts on Spamdot.biz were in Russian, and less than 9 percent in English. It had nearly 2,000 registered members, who had to be recommended by at least two other existing members to be accepted.
E-mail addresses were bought and sold in blocks of a million, with prices ranging from $25 to $50 per block depending on geographical location, status (free Web-based e-mail services such as Gmail or Hotmail were cheaper) and volume.
Specialized groups sold services, such as infecting new batches of computers with the client’s malware. These sold in blocks of 1,000, with prices ranging from $13 for Asian computers to $125 for PCs based in the United States.
Top-notch software
The software used by the Pushdo/Cutwail botnet was remarkably sophisticated. Each server running Cutwail, the spam engine, constantly tested its messages against a built-in copy of the SpamAssassin e-mail filter.
Pushdo, the Trojan used for command and control, used a proprietary, and often encrypted, communications protocol to direct its bots.
Despite the technological efforts and the sheer volume of spam sent out, only 30 percent of Pushdo/Cutwail’s e-mails ever reached their target servers, the researchers estimate. Half went to invalid addresses, and nearly 17 percent were blacklisted.
"That's quite a big loss," Holz told DarkReading. "And even if the mail is received by the targeted mail server, with filtering and SpamAssassin a large chunk of that 30 percent gets filtered and doesn't necessarily reach the inbox of the user."
Still, having all this information isn’t much of a victory in the fight against spammers.
Pushdo/Cutwail has been rebuilt since last summer and is now back up to its pre-takedown size of about 100,000 bots. It’s the second-largest botnet in the world; the Rustock botnet has an estimated 250,000 enslaved PCs.
How can you prevent your computer from being enslaved by a botnet? No method is foolproof, but your odds of infection drop dramatically if you do two things: Don’t open any unrequested e-mail attachments, even those from friends; and install and constantly update and run anti-virus software, even if you’re using a Mac.
Using a Mac instead of a Windows PC also does help, at least for now. Macs are not immune from infection and a few Mac Trojans have been found in the wild, but Apple’s PC market share is still so small that most cybercriminals don’t bother writing malware for it.