Last November’s shutdown of bot-controller-friendly hosting provider McColo had a surprisingly signficant—and long-lasting—impact on the worldwide spam problem, with some sites reporting as much as a 70 percent drop in inbound spam after McColo’s connectivity was switched off. Despite claims it was a responsible ISP on the forefront of the war against spam, the reality was that McColo played host to a number of systems that served as controllers for vast hordes of bot-infected computers around the world. The controllers at McColo would send commands and data to the infected bots, and the bots would start sending spam and malware out to millions of Internet users. With the shutdown of McColo, spam activity worldwide dropped significantly, and the spread of malware like the Windows-infecting Srizbi and Storm worms largely ceased.
But now, the spammers are coming back, and they’ve reengineered their control systems to avoid creating a single point of failure like McColo. And some spam fighters think spam might get back up to pre-shutdown levels as soon as the end of January. And while some new botnets are still staying quiet, others have begun sending spam at prodigious rates: including Mega-D (Ozdoc) at more than 26 million spams a minute, and Cutwail (Pandex) with more than a million bots under its control. Other active botnets include Xarvester, Donbot, and Waledac.
"For now, the botnet controllers are clearly focusing on growing and developing this new botnet resource rather than using it to spam, "said MessageLabs analyist Paul Wood, in a statement. "The potential of these botnets to spam in large volumes is a major concern. In particular, Waledac is believed to be the next generation of the infamous botnet Storm (Peacomm)."
Google’s enterprise group—which runs the Postini Message Security network—notes spam rates are up 156 percent since November 2008, when McColo was taken down. Google expects 2009 to see an increase in viruses sent via email, as well as blended attacks that try to lure uses to sites that install malware on unprotected PCs in order to take them over as bots. One reason? Botnet operators looking to expand their footprints and rebuild their capacity after the McColo shutdown.