Move to IPv6 could help spambots churn out more spam, malware says botnet expert

Antispam measures that rely on IP blacklisting could be less effective if Internet Service Providers take the wrong approach to IPv6, said prominent malware expert Joe Stewart.

This tip is a part of the SearchSecurity.com mini learning guide, IPv6 tutorial: Understanding IPv6 security issues, threats, defenses.

The global spam volume is down due to the success of blacklisting IP addresses, but, according to a malware expert, IPv6 adoption may cause problems for Internet service providers using IP blacklisting for antispam measures.

It appears the person or persons behind Rustock are doing as much as they can to maintain the largest botnet and make the most money.

 

Joe Stewart,
Dell SecureWorks Counter Threat Unit

"The one thing that stops these spambots in their tracks is blacklisting," said Joe Stewart of Dell SecureWorks Counter Threat Unit. "My fear is that ISPs will keep cycling through IP addresses … and you can get to the position where the blacklist just can't scale to the size of IPv6."

IP blacklisting is a common but limited approach to weeding out spambots because cybercriminals can cycle through new IP addresses in hours, Stewart said. Cybercriminals can also hijack known good IP addresses, such as a stolen webmail account, to bypass blacklisting efforts and causing issues for webmail providers.

The Internet Engineering Task Force (IETF) is supporting the move to IPv6, which will lengthen IP addresses from 32 bits to 128 bits, because the Internet is running out of the shorter IP addresses. The IPv6 rollout could enable ISPs to take the easy approach of cycling through IPv6 addresses rather than giving users static addresses, Stewart said. Using static IP addresses "Would be great because you can blacklist the actual spam emitters on a more permanent basis," he said. Assigning a static IP address to users may prove too costly for ISPs or amount to more paperwork, he said.

The issue could lead to increased consumer costs, according to Stewart, who issued the new Dell SecureWorks report, RSA Conference 2011. In addition to outlining the potential issues with the IPv6 rollout, the report details the botnets responsible for delivering spam and malware to PCs. "It's not just about the spam that companies are receiving, it's about the infections they are getting from the spambots," Stewart said.

Companies may not see spambot infections as a big impact on the budget, but it could lead to other costly problems, Stewart said. Firms should closely examine machines that have been infected and determine if they should be reimaged, he said.

"Often times that spambot is just the tip of the iceberg," Stewart said. "With the pay-per-install model of malware being used these days, every time we see a spambot we see three or more pieces of malware installed with it."

Rustock continues to be the most prominent spambot, with an estimated 250,000 machines churning out spam and malware. Rustock's strength is its stealthy way of infecting Windows PCs. It was designed as a rootkit, burying its files deep inside Windows machines, according to the Dell SecureWorks report. Stewart said Rustock represents the most innovative botnet and doesn't really have another challenger.

The cybercriminals behind Rustock use stealth and evasion tactics to stay under the radar. It uses encryption to disguise command-and-control orders and a technique to avoid being disconnected by network administrators.

"It appears the person or persons behind Rustock are doing as much as they can to maintain the largest botnet and make the most money," Stewart said.

Cutwail is a contender for one of the top botnets. It is responsible for many different botnets that use iterations of the Cutwail code.

Other spambots that are even further under the radar are Lethic, Grum, Festi and Maazben. But Stewart said spambot size does not mean it poses less of a threat.

"They're definitely going to have a level of success as they stay under the radar," Stewart said. "They figured out that if they don't raise too high of a profile, it's not going to be worth a researcher's time to go after a botnet that has only 5,000 or 20,000 bots in it because they're so many more that are larger."

Stewart noted that Mega-D, the notorious spam botnet brought down last year by researchers at security vendor FireEye Inc. is showing no signs of bouncing back. The alleged author of the botnet, a native of Moscow, faces charges in Wisconsin for his role in running the botnet, which is estimated to have sent out more than 10 million spam messages a day.

"I think it shows that if a company can put indefinite resources into finding the domain names and tracing them back to the source, they can be successful," Stewart said. "Arrests are the only thing in the long run that will fix the problem of botnet proliferation."

Stewart did note in his report, however, that it is impossible to say who might have the source code to Mega-D, so it could resurface in the future.

Dig deeper on Emerging Information Security Threats

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close