Slashdot Mirror

← Back to Stories (view on slashdot.org)

Most Spam Comes From Just Six Botnets

Posted by CmdrTaco on from the all-obsessed-with-your-wang dept.

Ezhenito noted some research pointing out the (maybe) surprising bit of research that 6 botnets are responsible for 85 percent of the world's spam. That seems a bit high to me, but the only aspect of spam I am an expert in is *getting* it.

23 of 268 comments (clear)

  1. Who needs 6? by elrous0 · · Score: 5, Funny

    Bet I could connect any one of these bots to Kevin Bacon in 3 or less.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  2. Distributed projects by sakdoctor · · Score: 4, Funny

    Srizbi is the largest contributor at 39%
    I believe this figure could be much larger if the Trojan.Srizbi client was ported to Mac and linux
    Anyone know what licence it's distributed under?

  3. Re:Hmm by Anonymous Coward · · Score: 5, Funny

    Is there a way to block these specific botnets!? Yes. Unplug your computer. Or require every person who is stupid enough to run porn.exe that they found on some website to immediately jump off a cliff carrying their computer with them.
  4. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  5. Since ISPs Love Filtering So Much... by blcamp · · Score: 4, Insightful


    Why can't they focus thier efforts and resources on shaping traffic to block this kind of nonsense, rather than Torrents?

    --
    The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
    1. Re:Since ISPs Love Filtering So Much... by Von+Helmet · · Score: 5, Insightful

      Spam affects the little guy. Torrents affect (apparently) the big guy.

  6. Most Spam Comes from just Six Bots, not Botnets by Aaron+Isotton · · Score: 5, Informative

    What TFA says is that most Spam comes from the following six types of Bot:

    Srizbi: 39%
    Rustock: 20%
    Mega-D: 11%
    Hacktool.Spammer: 7%
    Pushdo: 6%
    Storm: 2%
    Other: 15%

    This doesn't necessarily mean that most spam comes from six botnets. Some of the bots could be used by multiple bot masters; OTOH some botmasters could control multiple botnets using different bots.

    Something else I just thought of:

    The botmasters are going to use the best bot available, i.e. the one enabling them to send most spam at the least cost. On the other hand, the "good guys" are fighting spam (and the bots). So whenever a certain bot starts taking over (currently Srizbi) all the good guys will focus on that one and try to shut it down. So the bot decreases in value and another, better bot will take over. Evolution at its best.

    The Antivirus companies which are trying to fight the malware are also trying their best. The big difference is that while the success of a spambot can be easily measured by the customer (i.e. the botmaster), the success of an AV product is much harder to estimate. Also, the typical AV customer doesn't have the ability/time to find out which AV product is best for him. Moreover, AV products are some sort of subscription service (you buy the package and get 1 year of updates) which makes it hard to switch products. Often AV products are bundled with computers, selected by business principles and not by technical superiority.

    In other words, the evolution process of malware is far superior to the one of AV products.

    1. Re:Most Spam Comes from just Six Bots, not Botnets by Anonymous Coward · · Score: 5, Insightful

      Tinfoil hat much Mr. 404? An AV product can't block every threat BECAUSE Windows is closed source? That makes no sense.

      The reason that they can't block every threat is that they are still signature based and have not completed the move to behavior based blocking and heuristics. The other problem - the main one - that you don't even mention is users. If someone bothered to write a 'SomeFamousPersonNaked.exe' for other OS'es - stupid users would still run it. (I do note that in today's world, the average Linux user is brighter about these things than their Windows counterparts - mostly because Linux is still in that niche role where it is dominated by computer savvy folks at least for now).

      But, give that same Windows user who is stupid enough to run that EXE an Ubuntu machine and send him a version that runs on Linux AND HE WILL STILL CLICK IT. Switching OS'es doesn't make a dork not a dork. Doesn't even really matter whether the user is an admin or not on Windows or Linux - just sending mail doesn't require it and now that Vista is actually usable by many people as a standard user the malware writers will adapt and not try to own the whole machine right away.

      I can see how this will be a problem for Linux users in the future if the user base continues to grow into that "stupid user" segment - at which point folks will be more than happy to write bot software for those users to run.

    2. Re:Most Spam Comes from just Six Bots, not Botnets by rucs_hack · · Score: 4, Insightful

      how marvelously uninformed..

      There are no major spam bots for linux because linux just doesn't have that all important desktop install base. However infected linux servers are frequently used to admin botnets. Badly configured linux servers are like treasure to the botnet guys..

      Microsoft don't have more bots and virii in windows because their stuff is closed source, they have it because the underlying security model of windows is, and always has been, pretty poor. For years, normal users have run windows boxes in admin mode by default. This is INSANE!!, and yet it persists.
      Adding UAC hasn't helped. It was implemented so badly that people just click through the new dialogs without reading the warnings most of the time. This wouldn't happen if it didn't question almost everything you do.

      The sony rootkit couldn't be detected because of a flaw in windows that allowed it to hide even from most AV products.

      Most AV companies don't 'take bribes' to keep bots going, they just aren't very good these days. The way virii are fought on the desktop needs to change, and that change is very slow in coming.

    3. Re:Most Spam Comes from just Six Bots, not Botnets by xZgf6xHx2uhoAj9D · · Score: 4, Informative

      What does the underlying security model have anything to do with idiots running Windows as administrator?

      Everything. People run as administrator because they have to.

      How is your "poor Windows security model" different than someone running Linux as root?

      It's different in that a user does not have to run as root in Linux to get useful work done.

      Ever tried to debug as an unprivileged user on W2K? Ever tried to install software? Just what is the Windows equivalent of sudo that ships standard with Windows XP?

      Windows is secure once you spend 1 minute creating a non administrator account.

      Let me correct that for you: Windows won't let you do anything of substance once you're running as non-administrator. That is the problem.

      Disclaimer: this situation has changed somewhat in recent years. However, considering the number of Windows user still running W2K or Windows XP (and for good reason), it's still concerning.

    4. Re:Most Spam Comes from just Six Bots, not Botnets by jimicus · · Score: 4, Informative

      I've just spent the last week wrestling with Vista's implementation of UAC, and I agree with what you've been told.

      For better or for worse, I administer a bunch of desktops and my current build process consists of a number of automated installations (most software installations can have all the mindless "click next next next" automated away fairly easily). I am at an awkward point where I have enough machines to want to automate the process, but not enough that I can easily just buy 100 identical systems and ghost the lot. And before you ask, I don't run Active Directory so rollout through group policy is out of the question.

      It looks like this process will require substantial redesigning for Vista, as there doesn't seem to be an easy programnatic way to say "do everything below this point without bothering me through UAC". Neither is there an easy programmatic way to disable UAC altogether, even on a temporary basis. (Yes, I know about the registry setting from the command line. But that needs to run from an elevated command line which, guess what, you can't set up without interaction).

      The way UAC works is that normal users still can't do a bunch of things. This doesn't change; they probably won't ever see a UAC prompt. Administrators can do everything they're used to, but by default if they want to do anything administrative, UAC steps in and says "Cancel or allow?".

      I can understand from Microsoft's perspective that it's somewhat pointless to create such a system and then create an easy method to work around it, but I can't believe that in the whole corporation there aren't a few people with the brains between their two ears to realise that it's a very inelegant solution which adds hassle without really solving the problem.

    5. Re:Most Spam Comes from just Six Bots, not Botnets by dc29A · · Score: 4, Informative

      Everything. People run as administrator because they have to. Since when?

      On my non administrator account I run the following programs (Windows XP):
      - World of Warcraft.
      - A few other games I play once every blue moon.
      - Music player, video player, encoders, editing software.
      - Office.
      - VPN client for my job.
      - Firefox with Flash, Java, AdBlock and NoScript.
      - Azureus.
      - Thunderbird.

      I need administrator to run these:
      - Windows update (Duh!).
      - Various software updates (Duh!).

      How is that different from a typical Linux usage? I still need root access (via sudo or root) to update my OS and installed programs. So where is this "Windows won't let you do anything of substance once you're running as non-administrator." problem?. I can play video games, do video editing, listen to music, surf the web, use office and work from home via VPN and all that without being logged in as administrator. Where is the problem?

      I am perfectly aware that there are a few programs that have trouble running as non administrator most notably CD burning/ripping stuff. You can always run them "Run as administrator" or find one that works fine. Mind you, I never bothered finding one that works well, just picked up one from Sourceforge and run it as root.

      The whole Windows security "issue" is strictly educational. The underlying OS has a very solid security framework that IMHO is better than Linux because it's more granular.
  7. Re:Anti-bots? by ajs318 · · Score: 4, Insightful

    In theory, yes it would.

    In practice, no it wouldn't.

    You'd be opening yourself up to prosecution. Even in countries without specific "misuse of computers" laws, running a program on someone else's computer is trespass. You might think that, since trespass is a civil matter, you'd only need to worry about someone who has the money to sue you taking a dim view of what you were up to. And you'd be right. But the botnet-controllers have got enough money and would be bothered to take you to court.

    And I haven't even touched on the really horrifying issue: what if your benign, anti-malware malware malfunctioned, or was subverted by the next generation malignant, anti-benign-anti-malware-malware malware? You could easily end up becoming even worse than the enemy whose dirty tricks you borrowed.

    --
    Je fume. Tu fumes. Nous fûmes!
  8. Re:How much spam do you actually get? by shird · · Score: 4, Informative

    rather than creating a new gmail account, you should look at spamgourmet.com. The email accounts are created and limited automatically. Just give out an email address, and it automatically is limited to x many emails. You need to have a read up on it, but its very easy to use.

    Or you can put a prefix to your gmail address with a '+'. ie. "temp+john38@gmail.com" the mail still gets delivered to john38@gmail, but with 'temp+john38@gmail.com' in the 'to:' field, allowing you to filter it easily.

    --
    I.O.U One Sig.
  9. Re:Blocking known residential blocks sucks by Corporate+Troll · · Score: 4, Insightful

    Oh, I did that too. I resigned, I still have my own mailserver, but it simply sends everything through my ISPs smtp server. Even then, I sometimes get flagged as spam. This is, alas, a battle we have lost ages ago :-(

  10. Re:People need to take responsibility by CaptainPatent · · Score: 4, Insightful
    What you have is a good idea in principle, but with potentially horrible consequences.

    I would suggest some measures we can use:

    1) static IP's. Then we can easily track down infected machines and take them offline. Advertising companies are jumping for joy at this one. The more stable the IP address, the more they can bombard you with ads specially tailored for you. I like the fact that DHCP refreshes my IP every day or so, it means that sites that use web-bugs and other semi-devious methods of gathering information and (much worse) sell it to other companies, only have a very limited time frame to do so - and the fact that my IP does refresh makes them that much less able to make any profit off of me.

    2) Laws that require people to assume some form of responsibility when they connect a computer to the net. And what's going to happen if they don't "take responsibility?" By what metric do we judge responsibility? It sounds like the only way to enforce this is to dig into private internet usage information. I think the last thing I want is another person snooping around in the internet garbage bin for places my computer has been and is going to.

    3) Perhaps some form of compulsory insurance policy. Mainly see the above, but in addition the last thing we need is another mandatory insurance policy.

    4) Laws that require ISP's to disconnect spam bots and take some responsibility. This one may not be a terrible idea in practice, but ISP's are currently going nuts over things like bittorrent. What's to stop them from classifying bittorrent activity as "suspected botnet activity?"

    I do like the spirit of the post, but I don't think there's a clear-cut solution to the problem.
    --
    Well, back to rejecting software patent applications.
  11. Sue the companies who advertise by ThirdPrize · · Score: 5, Interesting

    While most of us treat spam as junk it is there to serve a very specific purpose. To get our money into the accounts of unscrupulous companies. A mate of mine (honestly) replied to spam and got some pills back. There are proper businesses behind them. Why can't we trace where the money goes and sue their butts off?

    How many companies are actually advertising at any one time? Is all the spam for one company, ten companies, a thousand companies or a million?

    --
    I have excellent Karma and I am not afraid to Troll it.
    1. Re:Sue the companies who advertise by oliderid · · Score: 4, Insightful

      Precisly...For example US mortgages debt. I guess the "real" businesses behind could be easily tracked but US police officers. All you have to do is respond to the SPAM and wait until you get a phone number, a bank account or whatever. Or those VIAGRA pills...If they are "officals", then you can track their production numbers to the last "official" resellers.

      There are plenty of spams requiring real businesses behind. Most of these businesses are located in western countries. Why can't they track them?

  12. Re:How much spam do you actually get? by Tacticus.v1 · · Score: 5, Informative

    I just checked this and i think you got the address round the wrong way.

    you need to put it john38+temp@gmail.com for it to work as the other way round just goes to the wrong address

  13. Re:Anti-bots? by MightyYar · · Score: 5, Interesting

    I was wondering whether it would help if Google (and maybe some of the other top 10) notified you when you showed up on one of the IP block lists with a big yellow box at the top of the page, like an IE alert: "Warning: Your computer has been reported to be a SPAM relay! Please clean up your computer with the following tools..."

    Something like that. They could get the list of infected IPs from one of the black lists.

    I'm not a network guy, so I don't know what kind of technical restrictions there would be... obviously this wouldn't work well with proxies - maybe NAT would be an issue as well? In any event, I personally would appreciate such a service, even if I got hit with false positives once in a while. Of course, the bots would eventually get wise and filter out the messages, but that's part of the fun of the war.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  14. You have overlooked a more permanent solution. by Dimensio · · Score: 4, Funny

    While it may be difficult to terminate entire networks and IP address ranges, a more effective solution would be to identify the individuals who are directly responsible for sending unsolicited just e-mail through "botnets" and the individuals who are responsible for providing access to these illegally hijacked "botnets" and then kill them. Such an action would be most effective if done brutally and painfully, through acts of torture, with videos and images of the events and the aftermath released to the public as a warning to others who might engage in the same behaviour.

    --
    STOP MISUSING APOSTROPHES, YOU MORONS!!!
  15. Re:Hmm by eth1 · · Score: 4, Insightful

    Actually, using something like the Spamhaus PBL (which pre-emptively lists IP ranges that shouldn't be sending direct-to-MX email, such as ISP dynamic ranges), you actually CAN block significant portions of these botnets.

    The three of my relays that use the combined Spamhaus SBL, XBL, and PBL block about 3.5 million connection attempts per day, and let 1 million emails/day through to the next layer of filtering. (about 78% of the flow, assuming that each connection would only drop off one email) The PBL accounts for about half of those blocks.

  16. Re:Hmm by graphicsguy · · Score: 4, Informative

    Perhaps it's not a random Microsoft bash, but a reference to Bill Gates' claims in 2004 that the spam problem would be solved by 2006.