Botnet takedowns aren’t permanent. Less than a month after law enforcement officials and security researchers took down the Cutwail botnet, the gang appears to be back in action.
A joint operation back in May between law enforcement and security researchers took the Cutwail botnet offline. While spam volumes drop after a botnet takedown, the decline is generally temporary as spammers regroup by switching to a different spam-sending botnet or the botmaster uses a backdoor to regain control. The gang behind Cutwail appears to have set up new domains to resume its spam operation, said Cloudmark’s resident spam expert, Andrew Conway.
“By the end of June, [spam volume] was back to the levels we were seeing in late May,” Conway said.
Spammers use many different techniques to send out spam, such as snowshoe spam, using fake accounts on legitimate Webmail services, and renting out botnets to use compromised machines as mail proxies. This month, Cloudmark’s security experts dug into the Cutwail botnet. At the time of the takedown last May, Cutwail was one of the biggest spamming botnets, in the same league as Grum and Kelihos. Spammers also used the Cutwail botnet, according to Cloudmark.
The Cutwail Spam Attack
Once a device is infected with Cutwail spamming malware, it’s also infected with two other packages: the Gameover variant of Zeus (GOZ) and Pushdo. Pushdo is a tool used to install and run other malware, like the CryptoLocker ransomware, while Zeus intercepts and modifies web access to obtain sensitive information on victims.
Law enforcement successfully disrupted operations because the researchers had found and exploited issues in the botnet’s peer-to-peer infrastructure. Cloudmark believes the spammers will fix the issues that caused them to lose control of the botnet and rebuild their infrastructure.
“Given the amount of money they were making from bank fraud and extortion, it’s certain that the GOZ gang will be back,” said Conway.
And with the latest news from Malcovery Security confirming new versions of the malware being spread by spam messages, it’s clear the gang will keep up with its old tricks.
The Fight Has Just Begun
The only way to keep the botnet out of action is to arrest the individuals operating the botnet. “Let’s hope that The FBI are able to extradite Evgeniy Michailovich Bogachev, who is known to be one of the ringleaders, from Russia, and identify and extradite the rest,” Conway said.
What can users do to protect themselves against these crafty baddies? For starters, installing antispam software will keep emails containing dangerous links from reaching your Inbox. You should also learn how to spot and avoid phishing emails. Don’t click on suspicious-looking links, and be sure to read domain names carefully to make sure they’re legitimate. Spam will never stop coming, and it’s a good idea to always be prepared in case cyber crooks strike.
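The advice above to read domain names carefully is the kind of check that can be automated on the receiving side. The following is an added example, not code from the article or from Cloudmark: it takes the text a link displays and the address it actually points to, extracts both hostnames, and reports the usual warning signs (displayed domain differs from the real target, a bare IP address as host, a punycode label that may mask a lookalike name, or a plain-http target). The hostnames and URLs in the sample calls are constructed for illustration, and the two-label approximation of a registrable domain is an assumption; a production filter would consult the Public Suffix List instead.

```python
import ipaddress
from urllib.parse import urlparse


def hostname_of(text):
    """Return the lower-cased hostname of a URL (or bare host), or None if absent."""
    if "://" not in text:
        text = "http://" + text  # urlparse needs a scheme to find the netloc
    host = urlparse(text).hostname
    return host.lower().rstrip(".") if host else None


def registrable_domain(host):
    """Crude approximation (assumption): the last two labels of the hostname.
    Real implementations use the Public Suffix List to handle e.g. co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_host_or_url(text):
    """Only treat the displayed text as a hostname if it plausibly is one."""
    stripped = text.strip()
    return "." in stripped and not any(ch.isspace() for ch in stripped)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(display_text, href):
    """Return a list of human-readable warnings for one hyperlink; [] means clean."""
    findings = []
    actual = hostname_of(href)
    if actual is None:
        return ["no hostname in link target"]

    # 1. Displayed address points somewhere other than where the link really goes.
    shown = hostname_of(display_text) if looks_like_host_or_url(display_text) else None
    if shown and registrable_domain(shown) != registrable_domain(actual):
        findings.append(
            f"displayed domain {registrable_domain(shown)} differs from target "
            f"{registrable_domain(actual)}"
        )

    # 2. Legitimate services almost never link to a raw IP address.
    if is_ip_literal(actual):
        findings.append("target host is a bare IP address")

    # 3. Punycode labels can render as lookalikes of a familiar name.
    if any(label.startswith("xn--") for label in actual.split(".")):
        findings.append("target host contains a punycode (IDN) label")

    # 4. Login or account pages should be served over TLS.
    if urlparse(href).scheme.lower() != "https":
        findings.append("target is not served over https")

    return findings


if __name__ == "__main__":
    # Constructed sample links (example/.test names only, not real sites).
    samples = [
        ("https://login.bank.example/account", "https://login.bank.example/account"),
        ("https://www.bank.example", "http://bank.example.evil.test/login"),
        ("Reset your password", "https://203.0.113.7/reset"),
        ("https://bank.example", "https://xn--bnk-xyz.example/"),
    ]
    for shown_text, target in samples:
        print(f"{shown_text!r} -> {target!r}: {check_link(shown_text, target) or 'clean'}")
```

The displayed text is compared only when it looks like an address; link text such as "Reset your password" is skipped so that ordinary links are not flagged merely for being worded in English.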