Botnet Traffic Bounces Back 90% Within 48 Hours of ISP Shutdown
Casey Johnston writes on Ars Technica:
A common way of combating spam traffic is to shut down the service provider through which the traffic is being processed. With a new variety of botnets, though, this method is becoming increasingly ineffective. The August report from MessageLabs indicates that the shutdown of a Latvian ISP, while initially effective, ultimately did little to quell the malicious activity of one botnet, whose traffic recovered in a matter of days. More here.
Cutwail is one of the largest botnets running amok on the Internet, and is estimated to be behind 15-20 percent of all spam, including malicious websites, phishing websites, and fake antivirus products. MessageLabs noted that Cutwail was conducting a large portion of its dubious business through Real Host, an ISP based in Riga, Latvia. Real Host was allegedly involved with "command-and-control" servers allowing large-scale botnet infection.
Because Real Host was supporting such a large amount of suspicious traffic, it was disconnected by its upstream providers on August 1, 2009. As a result, spam volumes dropped by 38 percent across the board within 48 hours, and Cutwail's activity fell by as much as 90 percent during that time. A win for the good guys, or so it seemed.
After the 48-hour mark, Cutwail's activity levels had rebounded significantly, nearly to those of its Real Host heyday. This recovery indicates that botnets are increasingly able to continue their operations almost undisturbed, despite the lack of a colluding ISP.