Security researchers and anti-spam authorities need to go in for the kill soon!
If you’ve noticed a lot less spam in your inbox in recent years, it’s not just because spam filters have improved, according to security expert Atif Mushtaq. The takedowns of several of the biggest spam-generating botnets on the Internet also had a huge effect, and the FireEye Malware Intelligence Lab researcher believes getting rid of just a few more could virtually eliminate spam for good.
“Can we dream of a junk-free mailbox?
Guess what—it’s just a few takedowns away. In my opinion, taking down the top three spam botnets—Lethic, Cutwail, and Grum—is enough for a rapid and permanent decline in worldwide spam level. We still have to deal with small players, but I am sure that, after seeing the big players being knocked down, they will retreat as well,” Mushtaq posts on the FireEye blog.
Could it be that Bill Gates’ notorious 2004 prediction that “spam will be a thing of the past in two years’ time” was a trifle premature but not as laughable as it was once seemed?
The researcher, whose work on identifying the command and control (CnC) coordinates of popular spam botnets has assisted in taking down some of the world’s most powerful junk email pushers, thinks at least one prominent remaining spam operation shouldn’t be too difficult to dismantle as well.
“If I were to rank Grum’s takedown difficulty level from one to five where five is the most difficult, I would give Grum a two,” Mushtaq writes of a botnet that was the world’s most
active as recently as January 2012 but has since slipped to the number three spot behind Cutwail and Lethic. Grum produced about a third of worldwide spam at its height, but as of June was driving only about 17.4 percent of junk email.
What’s interesting about Grum, he writes, is that at more than four years old it’s a relative oldster in the fast-paced world of botnets. With CnC servers scattered about “in countries like Russia, Panama, and the Netherlands where authorities historically have been reluctant when dealing with abuse notifications,” Grum is sort of the tortoise of the botnet scene, keeping its head down and eventually outpacing the high-flying, hard-crashing hares like Rustock.
Still, taking down Grum should be possible thanks to some “obvious architecture-level weaknesses,” according to Mushtaq. These include a lack of a “fallback mechanism” from the master CnC servers to secondary servers, the ability to shut down big chunks of Grum even if some CnCs survive, and its reliance on hard-coded IP addresses.
Mushtaq figures big-time spam operations have been on the ropes for some time, but he warns that security researchers and anti-spam authorities have to go in for the kill pretty soon. “No doubt global spam volume is at a record low, thanks to the research community’s efforts against spammers. But the research community needs to maintain this pressure until we reach a point where the bad guys start thinking that becoming a spammer is not worth the risk,” Mushtaq writes.
Conversion Conversion Emoticon Emoticon