
Cutwail Takedown Cripples Bredolab Trojan; No Effect on Spam Levels 

Sep 03, 2010 12:45 PM

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

The Cutwail botnet has been one of the most prolific spamming botnets of the last two to three years. Even before the McColo ISP takedown in November 2008, Cutwail represented between 10 and 15 percent of all global spam. Cutwail was almost certainly disrupted by the takedown of McColo, but it came back bigger and stronger in response. At its peak at the start of June 2009, Cutwail was responsible for more than 45 percent of all spam and had between 1.4 and 2.1 million bots under its control.

In June 2009 and August 2009, Cutwail took some more notable hits as rogue ISPs were identified and shut down. We reported what happened to Cutwail as a result of the 3FN takedown in the June 2009 MLI report, and shortly afterwards MessageLabs Intelligence reported how Cutwail was affected by the takedown of Real Host (a Latvian ISP) in the August 2009 MLI report.

Cutwail seemed to ride out the storm quite well, but so far in 2010 it has been much less prolific.

  • Cutwail peaked at 46.5 percent of spam on May 14, 2009.
  • On average, Cutwail represented a formidable 17.9 percent of spam in 2009, but so far in 2010 it has averaged just 5.1 percent of spam, a shadow of its former self.
  • At its peak just before the 3FN takedown in May 2009, Cutwail was estimated to send 74,115,721,081 spam/day and account for 46.5 percent of spam, making it the largest botnet at 1.4-2.1 million bots in size. By the time we last measured it, in June 2010, Cutwail was estimated to send 7,874,696,752 spam/day and account for 7 percent of spam, making it the third largest botnet at 480,000-720,000 bots in size.

On August 24, the anti-malware company LastLine made another attempt to take down the Cutwail/Pushdo botnet. After identifying 30 command and control (C&C) servers, they contacted the hosting ISPs and asked for the servers to be disconnected. Although not all of the providers were responsive, the attempt still took almost 20 of the C&C servers offline. This certainly had an effect on Cutwail: we saw an immediate drop in the amount of spam coming from it. However, because Cutwail's traffic is now only a fraction of what it used to be, the loss of that spam had a negligible effect on overall global spam levels. This is illustrated in the chart below, where the percentage drops resulting from the takedowns of June and August 2009 are clearly much larger than the drop from the most recent takedown. Had we not been aware of the recent takedown, we might not have noticed any change in spam activity at all, as the difference is well within the normal daily fluctuation of spam levels.

Unfortunately, as with both previous efforts, the level of spam coming from Cutwail quickly began to recover, and it is already almost back to where it was before the most recent takedown. The takedown did have one interesting and very positive effect, however. Until recently, Cutwail was sending out huge volumes of spam carrying variants of the Bredolab malware; in fact most of Cutwail's spam contained malware, so that on average between three and four percent of all spam was malware sent by Cutwail. That stopped with the takedown. The chart below shows the percentage of Cutwail's spam containing Bredolab, and since the takedown the amount of malware sent by Cutwail has been virtually nothing.

So while the takedown may not have had an appreciable effect on overall global spam levels, it has certainly crippled Cutwail's Bredolab distribution. One possible explanation is that the bots used to spread malware were controlled by the C&C servers that were disconnected, while the remaining C&C servers control the bots used mainly for more traditional spam. In time this may change, as Cutwail expands with new bots or recovers old bots temporarily lost in the C&C takedown, but for the time being at least there is a bit less malware in circulation, and any reduction in malware can only be a good thing.
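The three measurements behind the observations above (the botnet's own drop against its baseline, the global drop against normal daily fluctuation, and the share of all spam that is botnet-carried malware) can be made concrete in code. The following is an added example written for this page, not Symantec or MessageLabs tooling. Every daily series in it is constructed to resemble the pattern described above and is not real telemetry; the two-sigma threshold for "within normal daily fluctuation" is an assumption, as are the series lengths and the takedown day.

```python
"""Quantify a botnet takedown's effect on the botnet's own output, on global
spam, and on malware-carrying spam, relative to normal day-to-day variation.

Constructed example data: these series are NOT MessageLabs telemetry. They are
shaped to resemble the pattern the post describes (a mid-sized botnet whose
output collapses on the takedown day while global volume barely moves).
"""
from statistics import mean, pstdev

# Constructed daily spam volumes in billions of messages, 14 days.
# Index 9 (day 10) is the assumed takedown day.
TAKEDOWN_IDX = 9
CUTWAIL = [7.9, 8.1, 7.8, 8.0, 7.7, 8.2, 7.9, 8.0, 7.8, 2.1, 2.4, 3.0, 4.2, 5.5]
OTHER = [105, 110, 98, 112, 104, 101, 109, 103, 107, 106, 102, 110, 99, 108]
# Constructed fraction of Cutwail's daily spam that carried Bredolab.
BREDOLAB_FRACTION = [0.56, 0.54, 0.57, 0.55, 0.53, 0.56, 0.55, 0.54, 0.56,
                     0.01, 0.00, 0.02, 0.01, 0.01]


def daily_changes(series):
    """Relative day-over-day change for each day after the first."""
    return [(b - a) / a for a, b in zip(series, series[1:])]


def takedown_effect(series, takedown_idx):
    """Compare the change on the takedown day with the baseline distribution
    of daily changes before it. Returns (relative_change, z_score)."""
    baseline = daily_changes(series[:takedown_idx])  # changes up to the day before
    prev, cur = series[takedown_idx - 1], series[takedown_idx]
    change = (cur - prev) / prev
    z = (change - mean(baseline)) / pstdev(baseline)
    return change, z


def malware_share(botnet, other, fraction, day_indices):
    """Mean share of ALL spam that is botnet-sent malware over the given days."""
    return mean(botnet[i] * fraction[i] / (botnet[i] + other[i]) for i in day_indices)


def assess(botnet=CUTWAIL, other=OTHER, fraction=BREDOLAB_FRACTION,
           takedown_idx=TAKEDOWN_IDX, noise_threshold=2.0):
    """Summarise the takedown's effect on the botnet, on global volume and on
    malware-carrying spam. noise_threshold (in standard deviations) is an
    assumed cut-off for what counts as normal daily fluctuation."""
    total = [b + o for b, o in zip(botnet, other)]
    botnet_drop, botnet_z = takedown_effect(botnet, takedown_idx)
    global_drop, global_z = takedown_effect(total, takedown_idx)
    before = range(takedown_idx)
    after = range(takedown_idx, len(botnet))
    return {
        "botnet_share_before": mean(botnet[i] / total[i] for i in before),
        "botnet_drop": botnet_drop,
        "botnet_z": botnet_z,
        "global_drop": global_drop,
        "global_z": global_z,
        # A global drop is only attributable to the takedown if it stands out
        # from the baseline noise; |z| below the threshold means it does not.
        "global_drop_within_noise": abs(global_z) < noise_threshold,
        "malware_share_before": malware_share(botnet, other, fraction, before),
        "malware_share_after": malware_share(botnet, other, fraction, after),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        shown = f"{value:.4f}" if isinstance(value, float) else str(value)
        print(f"{key:>26}: {shown}")
```

With the constructed series, the botnet's own output falls by more than 70 percent on the takedown day, roughly twenty standard deviations outside its baseline, while the global total falls by about six percent, under one standard deviation of its normal daily swings; the share of all spam that is botnet-carried malware goes from a few percent to effectively zero. Swapping in real per-botnet daily counts is the only change needed to run the same assessment on live data.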
