Botnets Tighten Defenses Year After McColo Shutdown
In the roughly 12 months since the McColo shutdown caused a short but dramatic drop in spam, botnet operators have changed tactics to minimize the impact of authorities shutting down their ISPs. Security researchers discussed how with eWEEK.
In the year since the shutdown of notorious Web hosting firm McColo, spammers are growing strong. In fact, researchers at McAfee reported that spam accounted for 92 percent of e-mail in the second quarter of 2009. Part of this is the result of improvements by botnet operators. Like anyone who is successful what they do, the people controlling the most powerful botnets in cyber-space learn from their mistakes.
"McColo affected a couple of main botnets seriously, notably Srizbi which has never recovered and Rustock which took an immediate hit before recovering over time," explained Bradley Anstis, vice president of technical strategy at M86 Security. "One of the immediate changes was the use of hard coded domains in the malware body instead of IP addresses. Before, domains could be changed to different IP addresses to provide a recovery option on their command and control methods."
"In general," he continued, "they have improved the availability and resilience of their command and control servers and in some ways the McColo take down has driven them more underground and forced them to use more different methods, making it harder to detect. Some examples that have already been seen have been the use of Twitter, Google Groups and Facebook."
More in http://www.eweek.com/c/a/Security/Botnets-Tighten-Defenses-Year-After-McColo-Shutdown-613503/