Botnet controllers are switching to stealth tactics in a bid to avoid detection. Instead of mass mail-outs of spam and malicious code, they are adopting slower distribution tactics in a bid to avoid appearing on corporate security radars.
UK-based web security firm BlackSpider Technologies reports that one huge botnet, responsible for issuing 50m identical spam emails per day, compromises at least 150,000 distinct IP addresses. The use of a large number of machines - each sending out an average of 330 emails a day or around 40 per hour during the course of a working day - is a change from days of yore when a handful of compromised email servers would have been used to do the same job.
It's well known that packages such as Send-safe.com are used by spammers to control the distribution of junk mail broadband-connected PCs infected by viruses such as SoBig, but BlackSpider's figures on the mail-out rate from compromised machines add a fresh perspective to the problem.
BlackSpider Technologies CTO James Kay said this low mail-out rate means users of compromised machines will not notice anything untoward with their net connection. Because they don't notice anything amiss, the spambot remains undetected. "It’s about time law enforcement agencies took the botnet issue far more seriously. Ninety-eight per cent of spam and malicious code comes from machines with bad or unknown reputations, and we should be slapping online ASBOs (anti-social behaviour orders) on them to stop this criminal cycle," Kay said.
Kay added that spam purveyors are adopting the same stealth tactics as VXers. "It’s not dissimilar to the low-volume virus distribution tactic that we first saw last year, when hackers realised that releasing viruses in smaller numbers kept them out of sight of anti-virus vendors for far longer, causing more damage." ®