Some spammers are scrambling to find a new ISP to host their botnet command-and-control servers and resume spam campaigns as a result of the Federal Trade Commission's action to take 3FN.net offline.
The court action disrupted some spam bots and caused a dip in global spam levels, according to security vendors that track global spam volume. But security experts warn that any disruption will be temporary, as cybercriminals will find new ISPs to do business with.
Investigators have linked 3FN.net to at least 17 botnet command-and-control servers that spammers use to send out millions of spam messages in bulk. The Cutwail botnet was linked to at least one command-and-control server hosted by 3FN.net. Cutwail picked up many of the Srizbi botnet's customers when Srizbi was disrupted by the shuttering of San Jose-based Web hosting service provider McColo late last year. At its peak in May, Cutwail accounted for 35% of all spam globally. Shortly after the shutdown last week, that share fell to 8%, according to Symantec's MessageLabs.
Other vendors are reporting the same dip. Marshal8e6's TRACElabs reported today that it observed a 15% drop in its spam volume index. But security experts say the shutdown will be only a temporary setback for cybercriminals, who will move Cutwail and other spambots to new ISPs and resume operations.
"What happens is you take out one of the big boys and somebody will take over those customers and start spamming for them," said Matt Sergeant, senior antispam technologist for MessageLabs. "[Cutwail] dropped briefly after 3FN was taken down and some of the connectivity around the botnet was taken out, but since then it has really managed to find a way to recover and started spamming again."
For about eight hours following the shutdown of 3FN.net, Cutwail fell silent, but since then it has regained its footing and is currently operating at about 50%, Sergeant said.
"There's some issues that they're trying to resolve, but Cutwail is certainly not quite dead yet," Sergeant said.
Command-and-control servers enable cybercriminals to direct large numbers of zombied machines to send out spam messages and spread malware. The command-and-control server is typically hosted at a rogue ISP and tends to be a central host that collects statistics and other data from the bots. Getting spambots shut down has been a frustrating problem for security researchers, who have to deal with tens of thousands of ISPs globally. And with the economic downturn, some ISPs may ignore requests to shut down suspicious activity because it generates much-needed revenue.
"Unfortunately there are a lot of rogue ISPs out there that are really willing to host just about anything," Sergeant said. "Many of them would say that they don't specifically look to host the bad stuff, but they will just turn a blind eye to problems and abuse on their network."
Sergeant said information sharing between the private sector and law enforcement to track down spammers has been increasing. As a result, it is getting harder for newcomers to reach the deepest level of spamming, owning and running the botnets themselves, he said. Still, it remains fairly easy to get into spamming by renting botnet services.
"In terms of its impact on spam, the event is not quite in the same league as the McColo shutdown last November when spam output was halved overnight, but it is still very welcome nonetheless," wrote Phil Hay, a senior threat analyst with Marshal8e6 TRACElabs, on the company's TRACElabs blog. "Unfortunately, the spammers will probably not be deterred and we are likely to see a renewed assault on our inboxes before long."