Symantec Global Internet Security Threat Report
The Downadup worm, which first appeared late in 2008, attracted a lot of attention in the first half of 2009 because it was used to rapidly create a large botnet. This contributed significantly to the daily activity levels observed during this reporting period, particularly at the beginning of the year. The increase in active bots per day is also indicative of the predicted growth and recovery of several prominent botnets (Srizbi,[75] Rustock,[76] Ozdok, and Pandex) following the shutdown of two U.S.-based Web hosting companies late in 2008.[77] The Web hosts were allegedly hosting large numbers of C&C servers, and there was a noticeable decline in botnet activity following the shutdowns. As these botnets recovered and grew, so did their levels of technical sophistication. This was apparent when, following the shutdown of two other botnet hosts in 2009 and a subsequent decrease in spam levels, the volume of spam returned to normal soon afterward, indicating that the botnet controllers had implemented contingency plans in case of shutdown.
The dip in activity between March and July 2009 coincides in part with the release of two Downadup variants, as well as with increased spam output from the Pandex botnet. The first of the Downadup variants, Downadup.B,[78] was released in March and lacked a propagation routine, which may have contributed to the downward slope toward April, until the release of the second variant, Downadup.C,[79] which did include a propagation routine. The increased spam output by Pandex, one of the most prominent botnets following the previously mentioned ISP shutdowns in 2008, was likely achieved at the expense of further propagation. The increased output of spam was observed from April to June, and the lack of propagation activity may have contributed to the drop in overall botnet activity.
There are several possible contributing factors to the large decline in botnet activity that began in late June and continued through to November. Between July and November, four notable botnets (Grum,[80] Maazben,[81] Festi,[82] and Rustock) increased their spam output volumes significantly during overlapping one- to three-month periods.[83] Additionally, Symantec observed increased spam output from the Donbot[84] botnet from April to December. As mentioned, increased spam output may come at the cost of propagation activity and may have contributed to the reduced activity observed during 2009.
There were also two ISP shutdowns in 2009 that could be related to the decline. The first shutdown, in late June, was the previously discussed shutdown ordered by the United States Federal Trade Commission, and the second was an ISP in Latvia.[85] Both of these ISP shutdowns resulted in an immediately noticeable reduction in spam volume, particularly from Pandex; however, spam volumes returned to normal levels within a matter of days. This may have been the result of continued increases in spam output at the cost of propagation, as well as redundancies built into the botnet.
Another contributing factor to the decline in botnet activity during the second half of 2009 may have been the notable increase in spam containing malicious code in both September and October.[86] This may have resulted from botnet administrators wanting to maintain the increased spam output per bot while offsetting the reduction in propagation through IRC, P2P, and HTTP channels.
[75] http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99
[76] http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
[77] See http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf and http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf
[78] http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99
[79] http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-010717-4209-99
[80] http://www.symantec.com/security_response/writeup.jsp?docid=2007-033016-1857-99&tabid=1
[81] http://www.symantec.com/connect/blogs/evaluating-botnet-capacity
[82] http://www.symantec.com/connect/blogs/festi-botnet-spins-become-one-main-spamming-botnets
[83] http://www.messagelabs.com/mlireport/MLireport_Annual_2008_FinAL.pdf, pp. 8–10
[84] http://www.symantec.com/security_response/writeup.jsp?docid=2009-012112-4859-99
[85] http://www.symantec.com/connect/blogs/latvian-isp-closure-dents-cutwail-botnet
[86] See http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_10-2009.en-us.pdf and http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_11-2009.en-us.pdf