Cutwail Botnet Revives within 48 Hours of ISP Shutdown
According to a recently released MessageLabs Intelligence Report, cyber criminals who build botnets have learned a thing or two from experience: they now know how to make their networks of hijacked PCs more resilient to takedowns.
The report states that although the world's major botnet 'Cutwail' had its activity fall by 90% following the closure of an ISP in Latvia recently, it revived in merely 48 hours. This starkly differs from the takedown of 'McColo', a US-based ISP, in 2008 when the related botnet was able to recover fully only after several weeks.
Cutwail, the huge network of compromised computers, is ferociously active on the Net and reportedly distributes 15%-20% of the total spam, including phishing websites, bogus antivirus software, and other types of malicious sites. MessageLabs discovered that Cutwail relied on Riga, Latvia-based ISP Real Host, to carry out a voluminous share of questionable operations.
Real Host provided hosting services to several command-and-control servers that drove massive botnet infections. Consequently, its upstream providers disconnected the ISP from the Internet on August 1, 2009, causing spam levels to fall by 38%.
Commenting on this point, Paul Wood, Senior Analyst at MessageLabs, said that when the Latvian ISP was disconnected, the impact was instantaneous but for a brief period, as reported by V3 on August 25, 2009. Wood further said that the ISP returned within 48 hours and started working like usual, which was rather worrying; adding that a great deal was being done out of sight to make the takedown more difficult.
Wood also stated that botnet herders were increasingly turning to P2P channels, server operations, chat rooms and HTTP traffic to update and manage their botnets, making them harder to trace and shut down.
Thus, Wood suggests that the problem can be tackled with enhanced law enforcement and greater cooperation within the security industry. According to him, since creating an ISP is trivial, it is hard to distinguish malicious ones from those that genuinely strive to minimize possible hazards on the networks they support.
» SPAMfighter News - 10-09-2009