There was quite a bit of media coverage over the last two weeks of a reported takedown of the Grum botnet, led by California-based security vendor FireEye and UK-based spam-tracking service SpamHaus.
According to ITWorld, the Grum botnet may have been responsible for sending some 18 billion messages per day. FireEye has a detailed account of the takedown process, which happened between July 17 and 19, on their blog.
Now that it's been more than a week since the initial takedown, I thought it would be interesting to see what impact, if any, the Grum takedown has had on overall spam volume. The chart at the top of this post shows the daily volume of spam messages coming into some of Proofpoint's spam traps from May 2012 through today.
There are several interesting points worth noting:
- During most of May and June this year, spam volumes seen by our automated systems were in a relatively steady state, oscillating between 4 and 6 million messages per day. In late June, we began to see a more bursty pattern of spam attacks, with daily volumes sometimes spiking as high as 9 million messages.
- While there is a clear low point (about 2 million messages around July 19th), you can see that bursty spam-sending behavior immediately resumes, though there may be a continued downward trend as measured on a longer timeframe (weeks or months). It will be interesting to see how things evolve in the coming weeks.
- The behavior here is somewhat reminiscent of spam-sending behavior immediately after the Rustock botnet takedown, which I covered in a post from early last year.
In general, "honeypot" spam volumes have fallen quite dramatically (about 5x on a daily basis) since 2010 (when it wasn't uncommon for our spam traps to see in excess of 25 million messages daily). While botnet shutdowns have undoubtedly had an impact on spam volume over the past few years, and are an important part of the overall effort to deter and prevent various forms of cybercrime, they are not the sole reason that we've seen nuisance spam subside.
There's been a fundamental change in the business model around unsolicited email. Instead of being primarily concerned with promoting (often fraudulent) products and services, unsolicited email is instead being used as one of the primary vectors to compromise systems (by stealing user credentials), recruit computers (and possibly mobile devices) into botnets (which have applications in many different types of cyberattacks beyond spam and phish), install various forms of malware and commit other forms of fraud.
Such emails are sent in lower volume and are often highly targeted in nature. That is, they are distributed not en masse, but in a very controlled manner, targeting specific Internet domains, or even specific users. In this way, such messages often avoid winding up in generic spam honeypots. The detection and prevention of such attacks, particularly the highly-targeted versions, require different techniques (which I won't belabor here, but see our materials around Proofpoint Targeted Attack Protection as one example).
I suspect that both current and future botnets will become harder to detect and harder to take down. There is already evidence that newly-engineered botnets are becoming increasingly resistant to takedown efforts. News this week from the BlackHat conference in Las Vegas speculated that Gameover ZeuS, a P2P botnet that is the largest bank-theft botnet, incorporates many defensive advantages to avoid a takedown.
According to CSO's article, this botnet has already infected hundreds of thousands of PCs around the globe. The article adds, "The botnet steals by accessing bank accounts and making unauthorized large Automated Clearinghouse (ACH) and wire transfers to what are called 'money mules,' who works as accomplices."
Expect that future botnets (and associated cybercriminal activity) will become increasingly evasive, and increasingly difficult to dismantle once their existence is detected.
[Special thanks to intern Courtney Klosterman for her research and contributions to this article.]