A presentation at this week's LEET '11, a USENIX workshop on large-scale exploit and emergent threats, delves into the inner workings of the underground economy, specifically the rental and operation of spam botnets.
Brett Stone-Gross, a PhD student at the University of California, Santa Barbara, gave an overview of recently completed research he conducted with fellow researchers Thorsten Holz, Gianluca Stringhini and Giovanni Vigna. In August 2010, the team worked with contacts at various Internet Service Providers and were able to gain access to 13 Command & Control servers and three development servers used by botnet operators of the Cutwail spam engine. The botnet has been around since 2007 and at one time was estimated to be the largest botnet in existence with the most infected hosts. Cutwail is also often referred to as Pushdo because of a separate Trojan component that installs the software.
According to Stone-Gross, the data the team retrieved helped them understand the "modus operandi of the botmasters of a large botnet". Cutwail, he said, utilises an encrypted communication protocol and an automated template-based spamming system to generate unique emails that get around spam filters. Researchers had access to records from the Cutwail servers that dated as far back as June 2009 and the amount of spam sent is mind-blowingly large. Stone-Gross reported 1.7 trillion emails were sent out during this time. The researchers had roughly one-half to two-thirds of the active Cutwail C&C servers, so they estimate overall numbers are likely higher.
"Most of the stuff was what you'd expect," Stone-Gross said as he displayed images of the type of spam the botnet sends. "You have your phishing, your online pharmaceuticals, diploma programs."
However, there are challenges to sending that much junk mail. Stone-Gross said the job of a spammer is complicated by a number of factors including invalid email addresses, SMTP errors and blacklisting. As a result, while 87 billion spam messages were sent from 30 July to 25 August 2010, the amount of spam that was actually accepted by mail servers was only around 30.3 percent. The actual volume was likely much less after client-side spam filters are taken into account. But like good businessmen, the spammers maintain detailed statistics per infected machine to measure the effectiveness of campaigns and make modifications for future success.
The team was also able to obtain a copy of a popular web-based forum known as Spamdot.biz, which simplifies the process of creating and managing spam campaigns. Spamdot.biz, available in both Russian and English, had about 1,900 members and gave users the opportunity to rent botnets or purchase email addresses to spam. Almost all members, approximately 91 percent, selected Russian as their first language. The highly-vetted community will only allow new members who have been approved by trusted members or established existing users, said Stone-Gross.
A detailed pricing system was observed by the team, who found rates for one million email addresses range from $25 to $50, with discounted prices for bulk purchases. Those interested in building a botnet or installing their malware on a large number of systems often seek the services of groups who provide so called loads - which is terminology for the ability to install malware on compromised machines.
The "loads" come from a variety of sources such as drive-by-download attacks using HTML iframes and other malware, said Stone-Gross.
"We observed several individuals offering 10,000 malware installations for approximately $300-$800," the report summary states.
Market price per "load" is highly dependent on its geographic location, with machines in the US and the UK fetching a much higher price than those in Asia, probably because they have a faster and more reliable Internet connection, researchers noted. Loads sold per thousand in Asia went for around $13, Europe at $35, and $125 for the US.