This is my personal blog being used as a news portal for another web site. News I find interesting will be posted here and then picked up via the RSS feed to use on another site. Please contact me with any questions.

Friday, January 16, 2009

Meet Son of Storm, Srizbi 2.0: next-gen botnets come online

As notable as the sustained fall-off in spam levels has been, we've all known it's only a matter of time before botnets began to worm their way back into the Internet. It turns out that part of the reason spam levels may have stayed lower these past months is that the same authors who might normally have spent time resurrecting their dead botnets on new servers were instead writing new botnets altogether. The new malware networks aren't just rehashes of what's come before; many of them incorporate advanced techniques to render themselves harder to detect and remove.

First the good news: SecureWorks reports that Storm is dead, Bobax/Kraken is moribund, and both Srizbi and Rustock were heavily damaged by the McColo takedown; Srizbi is now all but silent, while Rustock remains viable. That's three significant botnets taken out and one damaged in a single year; cue (genuine) applause.

The bad news kicks in further down the page with a fresh list of botnets that need to be watched. Rustock and Mega-D (also known as Ozdok) are still alive and kicking, while newcomers Xarvester and Waledac could cause serious problems in 2009. Xarvester, according to Marshal, may be an updated form of Srizbi; the two share a number of common features, including:

  • HTTP command and control over nonstandard ports
  • Encrypted template files contain several files needed for spamming
  • Bots don't need to do their own DNS lookups to send spam
  • Config files have similar format and data
  • Uploads Minidump crash file

It's not clear yet whether this is actually Srizbi, or simply another botnet copying certain Srizbi techniques that happen to have worked rather well. Either way, Xarvester poses something of a threat. 
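As an added illustration (not code from the article, SecureWorks or Marshal), here is a defender-side heuristic over constructed flow records that looks for two of the traits listed above occurring together on one host: outbound SMTP from a machine that never did its own DNS lookups, and HTTP to nonstandard ports. The record layout, addresses, time window and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports where HTTP is expected; anything else counts as "nonstandard" (assumed list).
STANDARD_HTTP_PORTS = {80, 443, 8080}

# Constructed sample flow records: (timestamp, src, dst, dport, application).
# Addresses are documentation ranges, not real infrastructure.
FLOWS = [
    ("2009-01-16T10:00:00", "10.0.0.5", "192.0.2.10", 53, "dns"),
    ("2009-01-16T10:00:01", "10.0.0.5", "198.51.100.7", 25, "smtp"),   # DNS first: normal MTA
    ("2009-01-16T10:00:05", "10.0.0.9", "203.0.113.40", 25, "smtp"),   # no DNS lookup by this host
    ("2009-01-16T10:00:06", "10.0.0.9", "203.0.113.40", 25, "smtp"),
    ("2009-01-16T10:00:07", "10.0.0.9", "203.0.113.41", 25, "smtp"),
    ("2009-01-16T10:01:00", "10.0.0.9", "203.0.113.99", 8086, "http"),  # HTTP on nonstandard port
    ("2009-01-16T10:02:00", "10.0.0.5", "203.0.113.50", 443, "http"),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def find_suspect_hosts(flows, dns_window=timedelta(minutes=5), min_smtp=3):
    """Return {host: {"smtp_without_dns": n, "http_nonstd_ports": [...]}} for hosts that
    both send SMTP without a recent DNS query of their own and talk HTTP on odd ports."""
    last_dns = {}                       # host -> time of its most recent DNS flow
    smtp_no_dns = defaultdict(int)      # host -> SMTP flows with no DNS inside dns_window
    http_nonstd = defaultdict(set)      # host -> nonstandard HTTP destination ports
    for ts, src, _dst, dport, app in sorted(flows, key=lambda f: f[0]):
        t = parse_ts(ts)
        if app == "dns":
            last_dns[src] = t
        elif app == "smtp":
            if src not in last_dns or t - last_dns[src] > dns_window:
                smtp_no_dns[src] += 1
        elif app == "http" and dport not in STANDARD_HTTP_PORTS:
            http_nonstd[src].add(dport)
    return {
        h: {"smtp_without_dns": smtp_no_dns[h], "http_nonstd_ports": sorted(http_nonstd[h])}
        for h in smtp_no_dns
        if smtp_no_dns[h] >= min_smtp and http_nonstd[h]
    }

if __name__ == "__main__":
    for host, evidence in find_suspect_hosts(FLOWS).items():
        print(host, evidence)
```

A host that resolves names before sending mail and only uses HTTP on 80/443 (10.0.0.5 above) is not flagged; tune `min_smtp` and the port list to the environment before acting on alerts.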

Waledac (Waled) is currently a small botnet with a number of updated features first seen in Storm. Not only are the types of spam similar, SecureWorks reports that "[a]lthough the code is completely new, it [Waledac] uses many of [Storm's] old tricks (P2P, encryption, e-card links, spam, DDoS, [and] double fast-flux hosting)."

SecureWorks expects Waledac to gain strength in the coming months, while Marshal has similar concerns about Xarvester. Hopefully the takedowns and successes of 2008 will turn out to be a trend, and help corral these newcomers before they infect enough systems to become a threat in their own right.
