A presentation at this week's LEET '11, the USENIX workshop on large-scale exploits and emergent threats, delves into the inner workings of the underground economy, specifically the rental and operation of spam botnets.
Brett Stone-Gross, a PhD student at the University of California, Santa Barbara, gave an overview of recently completed research he conducted with fellow researchers Thorsten Holz, Gianluca Stringhini and Giovanni Vigna. In August 2010, the team worked with contacts at various Internet Service Providers and were able to gain access to 13 Command & Control servers and three development servers used by botnet operators of the Cutwail spam engine, a botnet that has been around since 2007 and at one time was estimated to be the largest botnet in existence with the most infected hosts. Cutwail is also often referred to as Pushdo because of a separate Trojan component that installs the software.
According to Stone-Gross, the data the team retrieved helped them understand the "modus operandi of the botmasters of a large botnet." Cutwail, he said, utilizes an encrypted communication protocol and an automated template-based spamming system to generate unique emails that evade spam filters. The researchers had access to records from the Cutwail servers dating as far back as June 2009, and the volume of spam sent is mind-blowingly large: Stone-Gross reported that 1.7 trillion emails were sent out during this period. Because the researchers had access to only roughly one-half to two-thirds of the active Cutwail C&C servers, they estimate the overall numbers are likely higher.