blog
Impact on Cutwail of 3FN shutdown
There is nothing like a visual representation to show how botnet spam traffic dries up when a major eastern European run host (in this case, USA routed) of the botnet Command & Control systems (C&C) is shut down. Below is a report from the CBL botnet spam detection system on...
There is nothing like a visual representation to show how botnet spam traffic dries up when a major eastern European run host (in this case, USA routed) of the botnet Command & Control systems (C&C) is shut down. Below is a report from the CBL botnet spam detection system on the effect of a recent shut down.
These graphs are the total number of spams (per second) detected as being sent by the Cutwail SpamBots at one of our larger (but not nearly largest) spamtraps. See graphical representation of total spamtrap flow for how this compares to total spamtrap flow.
There are two sets of graphs included here, that of "Cutwail" and "Cutwail2". Cutwail2 is a newer version of Cutwail, and is included first because it is the higher volume. "Ordinary" Cutwail has been in existance for at least two years, the latter for the past half year or so. We detect them separately, so we present graphs for each of them.
This is intended to give an indication of the overall Cutwail flow and how it was affected by the 3FN shutdown, which caused the shutdown of most or all of the Cutwail "Command and Control" (C&C) servers. See Krebs on FTC's shutdown of 3FN
As can be seen, the 3FN shutdown caused an immediate precipitous collapse in Cutwail-emitted spam, particularly the Cutwail2 variety - which had completely disappeared for two intervals in excess of 8 hours. However, as it was only one SpamBot family of many, its collapse is not particularly apparent in total spamtrap flow.
The shutdown of McColo was far more apparent in total flow simply because it was the shutdown of (or severe damage to) the C&C for the top 5 or 6 SpamBot networks all at once.
It is also readily apparent that Cutwail2 is struggling to get back on its feet. Cutwail2 has recovered to about 1/4 of its former volumes as of the date of this snapshot. "Ordinary" Cutwail never did vanish completely, but does not appear to be recovering yet.
The upsurge in Cutwail2 appears to be due to new C&C servers being established at other providers.
The Y axis is detections per second.
The X axis is the date/time in GMT. This snapshot was taken Tuesday, June 9th, 2009.
The Spamhaus Project works with CBL and appreciates the effort put forth by the CBL team in creating this break down of the Cutwail botnet numbers post the 3FN, Pricewert, APS Telecom, APX Telecom, et. al. shut down. Original CBL link. A copy of the US Federal Trade Commision's complaint can be found at this link at the Washington Post (PDF).