Symantec Global Internet Security Threat Report
In 2009, botnets were responsible for approximately 85 percent of all spam observed by MessageLabs Intelligence. In 2008, Srizbi, one of the largest botnets observed, had been responsible for almost 26 percent of spam; after the November 2008 shutdown of an ISP believed to be responsible for a considerable amount of spam activity, it virtually disappeared and, by 2009, accounted for less than 1 percent of all spam observed.208 This resulted in a dramatic fall-off in global spam levels. The void was soon filled by the Pandex and Rustock botnets. Pandex increased from less than 1 percent of botnet-related spam in 2008 to approximately 18 percent in 2009 (Table 23). Rustock experienced similar growth, from less than 2 percent of botnet-related spam in 2008 to 18 percent in 2009.
Table 23. Percentage of spam from botnets209
Source: Symantec (the botnet names labelling each column were not recoverable from the extracted table; values are listed in the table's original column order)

Year   1st   2nd   3rd   4th   5th   6th   7th   8th   9th
2009   18%   15%   10%   8%    6%    5%    5%    5%    2%
2008   <1%   2%    13%   1%    <1%   <1%   <1%   2%    2%

By June 2009, spam levels were at approximately 90 percent of all email. In the same month, there was another shutdown of a rogue ISP, Pricewert LLC.210 Despite the shutdown, Symantec noted minimal impact on overall spam volumes.
Of all the botnet statistics tracked by Symantec, the Pandex botnet appeared to be the only botnet affected by this ISP closure, with spam volumes from Pandex dropping by 78 percent before recovering a few days later. Symantec detected a similar pattern in August, when Real Host, an ISP based in Latvia, was taken offline by its upstream providers. Again, Pandex appeared to be the only botnet significantly affected by this ISP closure; Symantec noted an 87 percent reduction in spam originating from Pandex after the shutdown. However, unlike the Srizbi botnet, which was nearly eliminated by the shutdown of McColo (the ISP shut down in November 2008, noted above), Pandex was within 24 hours again sending spam volumes similar to those observed before the Real Host closure.
It appears that the Pandex controllers had learned from the McColo shutdown and incorporated redundancy into their business continuity plans for 2009, as evidenced by how quickly they got back online after the closure of the aforementioned ISPs. This can be attributed to attackers building fast-flux domain name services into the botnet structure,211 making it less susceptible to a single point of failure such as a single rogue ISP.212
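The fast-flux behaviour described above (an ever-changing set of compromised hosts acting as proxies in front of the real infrastructure, so that no single hosting provider is a point of failure) is also what a defender can look for in DNS data. The following is an added example, not code from the Symantec report or from MessageLabs: a Python heuristic that takes repeated resolutions of a name over an observation window and scores it on how many distinct addresses and origin ASes it resolved to, the advertised TTL, and how often the address set changed between polls, flagging names that score high on all four. The domain names, addresses, ASN attributions and thresholds are constructed assumptions; the per-address ASN is assumed to come from a separate IP-to-AS lookup that is not part of this block.

```python
"""Fast-flux heuristic over a window of DNS answer snapshots.

Added example; not code from the Symantec report. The sample answers,
the ASN attributions and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """One A record seen in one DNS response for `name`."""
    name: str
    ip: str
    ttl: int          # TTL advertised in the response, in seconds
    asn: int          # origin AS of `ip` (assumed: from a separate IP-to-ASN lookup)
    observed_at: int  # seconds since the start of the observation window


def _poll(name, observed_at, ttl, *ip_asn_pairs):
    """Build the Answer rows returned by one query made at `observed_at`."""
    return [Answer(name, ip, ttl, asn, observed_at) for ip, asn in ip_asn_pairs]


# Constructed sample (documentation prefixes 192.0.2/24, 198.51.100/24,
# 203.0.113/24 and private ASNs): three names polled every 10 minutes.
SAMPLE = (
    # flux.example: short TTL, a different address set on every poll,
    # addresses spread across many ASes (the fast-flux pattern)
    _poll("flux.example", 0, 300, ("203.0.113.10", 64501), ("203.0.113.77", 64502), ("198.51.100.23", 64503))
    + _poll("flux.example", 600, 300, ("203.0.113.77", 64502), ("198.51.100.150", 64504), ("192.0.2.44", 64505))
    + _poll("flux.example", 1200, 300, ("192.0.2.44", 64505), ("203.0.113.201", 64501), ("198.51.100.9", 64506))
    + _poll("flux.example", 1800, 300, ("198.51.100.9", 64506), ("192.0.2.130", 64502), ("203.0.113.5", 64507))
    # cdn.example: short TTL and rotating addresses, but all inside one AS
    + _poll("cdn.example", 0, 60, ("198.51.100.200", 64520), ("198.51.100.201", 64520), ("198.51.100.202", 64520))
    + _poll("cdn.example", 600, 60, ("198.51.100.203", 64520), ("198.51.100.204", 64520), ("198.51.100.205", 64520))
    + _poll("cdn.example", 1200, 60, ("198.51.100.200", 64520), ("198.51.100.203", 64520), ("198.51.100.205", 64520))
    + _poll("cdn.example", 1800, 60, ("198.51.100.201", 64520), ("198.51.100.202", 64520), ("198.51.100.204", 64520))
    # stable.example: long TTL, the same two addresses every time
    + _poll("stable.example", 0, 86400, ("192.0.2.80", 64510), ("192.0.2.81", 64510))
    + _poll("stable.example", 600, 86400, ("192.0.2.80", 64510), ("192.0.2.81", 64510))
    + _poll("stable.example", 1200, 86400, ("192.0.2.80", 64510), ("192.0.2.81", 64510))
    + _poll("stable.example", 1800, 86400, ("192.0.2.80", 64510), ("192.0.2.81", 64510))
)


def features(name, answers):
    """Summarise every answer seen for `name` over the window."""
    rows = [a for a in answers if a.name == name]
    if not rows:
        raise ValueError(f"no answers observed for {name}")
    ips_by_poll = defaultdict(set)
    for a in rows:
        ips_by_poll[a.observed_at].add(a.ip)
    polls = sorted(ips_by_poll)
    # churn: share of consecutive polls whose address set changed
    transitions = list(zip(polls, polls[1:]))
    changed = sum(1 for prev, cur in transitions if ips_by_poll[prev] != ips_by_poll[cur])
    churn = changed / len(transitions) if transitions else 0.0
    return {
        "distinct_ips": len({a.ip for a in rows}),
        "distinct_asns": len({a.asn for a in rows}),
        "min_ttl": min(a.ttl for a in rows),
        "churn": churn,
    }


def is_fast_flux(feat, min_ips=5, min_asns=3, max_ttl=600, min_churn=0.5):
    """Flag a name only when all four signals point the same way.

    Thresholds are assumed starting points, not values from the report.
    AS dispersion is the signal that separates a flux network of compromised
    hosts in many different networks from a CDN rotating addresses in one AS.
    """
    return (feat["distinct_ips"] >= min_ips
            and feat["distinct_asns"] >= min_asns
            and feat["min_ttl"] <= max_ttl
            and feat["churn"] >= min_churn)


def classify(answers):
    """Map each name in the window to True (fast-flux candidate) or False."""
    return {name: is_fast_flux(features(name, answers))
            for name in sorted({a.name for a in answers})}


if __name__ == "__main__":
    for name, flagged in classify(SAMPLE).items():
        print(f"{name:16} {'FAST-FLUX' if flagged else 'ok':10} {features(name, SAMPLE)}")
```

The cdn.example entry is the caveat: a legitimate content delivery network also rotates addresses under a short TTL, so a rule on address churn alone produces false positives, and the requirement that the addresses span several ASes is what singles out a proxy layer built from compromised hosts in many unrelated networks. The thresholds should be tuned against a baseline of known-good names before the output is used for anything stronger than alerting.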
208 See http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf: p. 89 and http://www.messagelabs.com/intelligence.aspx
209 MessageLabs Intelligence: 2009 Annual Security Report. Due to rounding, totals may not equal 100 percent.
210 http://www.ftc.gov/opa/2009/06/3fn.shtm
211 Fast flux is a technique used by some botnets, such as the Storm botnet, to hide phishing and malicious websites behind an ever-changing network of compromised hosts acting as proxies. Using a combination of P2P networking, distributed C&C, Web-based load balancing and proxy redirection makes it difficult to trace the botnets' original geolocation. As industry countermeasures continue to reduce the effectiveness of traditional botnets, Symantec expects to see more attacks using this technique.
212 http://www.messagelabs.com/mlireport/2009MLIAnnualReport_Final_PrintResolution.pdf: p. 12