Back in 2003, security firms saw thousands of PCs infected with the Sobig mass-mailing virus. Later that year, the Fizzer malware logged thousands of infected computers into IRC (Internet Relay Chat) chat rooms.
This was initially perceived only as a problem for IRC admins. In fact, the infected PCs were joining chat channels and idling there, waiting for command and control (C&C) instructions from their human bot-masters. When MessageLabs Intelligence correlated the malware and spam traffic seen from each spam-sending IP address, the bigger picture was revealed: the machines sitting in those chat rooms were the same machines sending the spam.
Security firms tracked botnets in order to combat their escalating output of spam, but had no effective way to tackle the C&C infrastructure behind them. In 2008, the security community realised that the most effective way to disrupt botnets was to take down the ISPs that hosted their C&C servers.
The first to go, at the end of September 2008, was Intercage (aka Atrivo), linked to the infamous Russian Business Network. The most widely publicised shutdown was that of McColo, a California-based ISP found to deal almost exclusively with cyber gangs. McColo hosted the C&C servers of Srizbi, a botnet controlling around 1.3 million IP addresses, as well as those of the Mega-D, Rustock, Asprox, Bobax and Gheg botnets.
In November 2008, community action resulted in McColo's upstream ISPs de-peering it and disconnecting it from the internet. The takedown was a shock to the botnet gangs: spam levels dropped instantly by up to 80 per cent.
Srizbi was crippled, never to return, and other botnets were badly disrupted. Within two months, however, spam recovered to its previous levels as the surviving botnets relocated their C&C channels and criminals spawned new botnets. Botnet operators were forced to re-evaluate how they functioned and to put more protection in place to prevent a repeat of the huge disruption caused by the loss of a single ISP.
When Srizbi disappeared, activity from the surviving botnets increased dramatically as they sought to fill the gap it left behind. When the next major takedown of a dubious ISP occurred, it was clear that cyber criminals had already learned from the strike against McColo.
This time the security community's target was an ISP called 3FN (aka APS Telecom and Pricewert), which hosted C&C channels for Cutwail (aka Pandex). Cutwail, one of the oldest botnets, had been spewing out spam and malware since January 2007, and by June 2009 an aggressive recruitment drive had swelled it to over 1.5 million active IP addresses.
3FN was taken down on 5 June 2009, and Cutwail went down with it. But within a few days, Cutwail was back online with a vengeance.
Botnet gangs had refined their creations following the McColo takedown. Armed with more flexible and robust technology, they could assess the state of the botnet and return to business within a few days. Botnets now had business continuity and disaster recovery plans of their own.
Botnet C&C mechanisms shifted from IRC to HTTP. Domain generation algorithms were built into the bots: each day a bot computes a fresh list of random-looking domain names from a shared seed such as the current date, and the botnet gang registers one or more of those names in advance so that the bots can locate the C&C server and receive commands. Because the C&C address is no longer fixed to any one host, the botnet is not reliant on a single ISP.
Mega-D (aka Ozdok) was one botnet that grew significantly in the wake of the McColo takedown. In November 2009, FireEye reverse-engineered the algorithm behind the C&C mechanism used to issue new instructions to the botnet. That made it possible to predict which domain names the bots would try next and to register them before the botnet controllers could, so the botnet's next move was known in advance and the defenders got to those domains first.
Mega-D appeared to be crippled. However, a few days later MessageLabs Intelligence identified large volumes of Mega-D spam being sent from IP addresses that had never previously been seen sending spam. This suggested that the botnet controllers had enacted their business continuity plans, seemingly using inactive sleeper bots or an entire parallel backup botnet.
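The two paragraphs above describe a domain generation algorithm from both sides: the bots and their controller derive the same daily list of domains from a shared seed, and a defender who has recovered the routine from a bot sample can compute the same list and register the names first. The following Python is an added example written for this page; it is not FireEye's code, nor the algorithm used by Mega-D or any other real botnet. The TLD list, the number of domains per day, the embedded secret, the date-based seeding, the label length and the constructed IP addresses are all assumptions chosen for illustration, and the `resolver` dictionary stands in for DNS.

```python
"""A date-seeded domain generation algorithm (DGA) and the defender's
'predict and pre-register' counter-move. Added example for this page; the
algorithm is hypothetical and is not the one used by Mega-D, Srizbi or any
real botnet."""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TLDS = ("com", "net", "info")   # assumption: TLDs the hypothetical bot cycles through
DOMAINS_PER_DAY = 5             # assumption: how many candidates the bot tries each day
SECRET = b"example-bot-v1"      # assumption: constant embedded in the bot binary


def generate_domains(day: date, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Derive `count` random-looking domains from the calendar date.

    Bot and controller both run this, so they agree on today's names without
    ever exchanging them. Once the routine is recovered from a bot sample a
    defender can run it too, which is exactly the weakness a takedown exploits."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SECRET + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 lowercase letters
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def domains_for(iso_day: str) -> List[str]:
    """Convenience wrapper taking an ISO date string such as '2009-11-05'."""
    return generate_domains(date.fromisoformat(iso_day))


def bot_find_controller(day: date, resolver: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Bot side: walk the day's list in order and use the first name that resolves.

    `resolver` stands in for DNS: a mapping from registered name to its A record."""
    for name in generate_domains(day):
        addr = resolver.get(name)
        if addr is not None:
            return name, addr
    return None


def preregister(resolver: Dict[str, str], days: List[date], sinkhole_ip: str) -> int:
    """Defender side: register every still-free name for the given days and
    point it at a sinkhole. Returns how many names were taken."""
    taken = 0
    for day in days:
        for name in generate_domains(day):
            if name not in resolver:
                resolver[name] = sinkhole_ip
                taken += 1
    return taken


def run_scenario(today: date = date(2009, 11, 5)) -> Dict[str, object]:
    """The controller registers one of today's names; the defender, having
    broken the algorithm, pre-registers all of tomorrow's before the controller can."""
    resolver: Dict[str, str] = {}
    controller_name = generate_domains(today)[2]
    resolver[controller_name] = "203.0.113.10"              # constructed C&C address
    before = bot_find_controller(today, resolver)            # bot reaches the real C&C
    tomorrow = today + timedelta(days=1)
    taken = preregister(resolver, [tomorrow], "192.0.2.1")   # constructed sinkhole address
    after = bot_find_controller(tomorrow, resolver)          # bot now lands on the sinkhole
    return {"before": before, "preregistered": taken, "after": after}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The scenario also shows why the counter-move only works for as long as the defender keeps registering ahead: every day's list must be taken before the controllers get to it, and a botnet with a second channel or a sleeper population, as described above for Mega-D, is not affected at all by sinkholing the DGA names.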
Disaster recovery isn't the only business methodology botnet controllers have adopted. They also use a technique called 'fast-flux' hosting, which dynamically distributes resources across a large and continually changing set of IP addresses using round-robin-style DNS with very short record lifetimes (TTLs). In the hands of a botnet controller, fast-flux hides the true location of the websites used to host malware, spam and phishing content behind the IP addresses of compromised, botnet-controlled computers, each of which acts as a web server or proxy forwarding traffic to the real back end.
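The defender's view of fast-flux is a name whose A records change on every lookup, carry a short TTL and are scattered across unrelated networks. The following Python is an added example, not part of the original article: it parses a constructed log of repeated lookups (names under the reserved `.test` TLD, addresses from the RFC 5737 documentation ranges) and flags names that exhibit those three properties. The thresholds, the use of distinct /16 prefixes as a stand-in for network diversity (a real deployment would map addresses to ASNs) and the log format are all assumptions chosen for the example.

```python
"""Fast-flux detection over recorded DNS answers. Added example for this page;
the log is constructed and the thresholds are illustrative assumptions, not
published detection values."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Observation(NamedTuple):
    name: str
    ttl: int
    addresses: List[str]


# Constructed log, one lookup per line: "<name> <ttl> <comma-separated A records>".
# shop-login.test returns a new, scattered set of addresses on every query;
# corp-mail.test is a stable pair of hosts; cdn-static.test has a short TTL but
# always the same four addresses in two networks.
SAMPLE_LOG = """\
shop-login.test 180 192.0.2.17,198.51.100.9,203.0.113.44
shop-login.test 180 198.51.100.9,203.0.113.71,192.0.2.102
shop-login.test 180 203.0.113.5,192.0.2.240,198.51.100.130
corp-mail.test 3600 192.0.2.10,192.0.2.11
corp-mail.test 3600 192.0.2.10,192.0.2.11
cdn-static.test 60 198.51.100.20,198.51.100.21,192.0.2.200,192.0.2.201
cdn-static.test 60 198.51.100.21,198.51.100.20,192.0.2.201,192.0.2.200
"""


def parse_log(text: str) -> List[Observation]:
    """Turn the constructed log format into Observation records."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ttl, addrs = line.split()
        observations.append(Observation(name, int(ttl), addrs.split(",")))
    return observations


def flux_features(observations: List[Observation]) -> Dict[str, Dict[str, int]]:
    """Per name: smallest TTL seen, distinct A records accumulated across all
    lookups, distinct /16 networks those records fall in, and lookup count."""
    by_name: Dict[str, List[Observation]] = defaultdict(list)
    for obs in observations:
        by_name[obs.name].append(obs)
    features = {}
    for name, group in by_name.items():
        ips = {ipaddress.ip_address(a) for obs in group for a in obs.addresses}
        # assumption: /16 as a crude proxy for "different network"; use ASN data in practice
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        features[name] = {
            "min_ttl": min(obs.ttl for obs in group),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "lookups": len(group),
        }
    return features


def is_fast_flux(f: Dict[str, int], max_ttl: int = 300, min_ips: int = 5, min_nets: int = 3) -> bool:
    """Flag a name only when all three fast-flux traits are present (thresholds are assumptions)."""
    return f["min_ttl"] <= max_ttl and f["distinct_ips"] >= min_ips and f["distinct_nets"] >= min_nets


def classify(text: str) -> Dict[str, bool]:
    """Map each name in the log to a fast-flux verdict."""
    return {name: is_fast_flux(f) for name, f in flux_features(parse_log(text)).items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_LOG).items():
        print(f"{name}: {'FAST-FLUX' if verdict else 'ok'}")
```

Requiring all three traits is what keeps the CDN entry out of the verdict: content delivery networks also use short TTLs and several addresses, but the set is stable from one lookup to the next and sits in a small number of networks, whereas a fast-flux name keeps producing new addresses because the "servers" are whichever compromised machines are online at that moment. A production detector would replace the /16 heuristic with an ASN lookup and keep accumulating observations over hours, since the address set grows with every query.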