Explore the dark world of spam botnets like Rustock, Waledac, and Cutwail. Uncover how they were built and the motivations behind their creators. Discover the shocking connections between spammers and counterfeit online pharmacies. Delve into the sophisticated mechanics of email spoofing and the relentless efforts by law enforcement to dismantle these cybercriminal networks. Learn about the ongoing challenges in combating spam and the risks associated with rogue online services that threaten users' safety.
Affiliate programs incentivized spammers to promote rogue online pharmacies through high commission rates.
Microsoft's Operation B49 demonstrated the capability to dismantle a sophisticated botnet through technical and legal means.
The takedown of Rustock botnet significantly reduced global spam traffic and led to a decline in infected machines.
Deep dives
The Rise of Rogue Online Pharmacies
Online pharmacies emerged as a convenient alternative for purchasing medication, particularly due to their lower prices compared to traditional brick-and-mortar pharmacies. However, this led to the rise of rogue online pharmacies that sold unregulated and potentially dangerous medications. These pharmacies often masqueraded as Canadian pharmacies, taking advantage of the perception of regulated drugs at more reasonable prices in Canada. These rogue pharmacies were heavily promoted through spam emails sent by affiliate networks, attracting customers through deceptive advertising.
The Dark Side of Online Pharmacy Spam
Spam emails advertising online pharmacies, particularly those promoting erectile dysfunction drugs like Viagra, became rampant. These spammers used botnets, such as Cutwale and Rustock, to send millions of spam emails per minute. The bots in these botnets were often recruited through malware infections, making unsuspecting computers part of the spamming operation. Affiliate programs like Glavmed and Spamit incentivized spammers to promote these rogue online pharmacies through high commission rates.
The Growth and Complex Structure of Walladak Botnet
The Walladak botnet, started by the bot master Severa, was one of the most sophisticated and powerful spam botnets. It utilized layered structures and encryption techniques to hide its communication routes and avoid detection. Walladak infected Windows machines and sent out massive volumes of spam emails. This botnet had a decentralized structure with multiple layers, including spam bots, repeaters, protectors, and command and control servers. The actions of Walladak prompted collaborative efforts from Microsoft and various security researchers to dismantle the botnet.
The Successful Takedown of Walladak
Microsoft initiated a landmark operation, codenamed B49, to take down the Walladak botnet. The coordinated effort involved obtaining a restraining order to disconnect Walladak's domains and prevent communication between the botmaster and the infected machines. The restraining order was granted by a federal court, and Verisign, the overseer of the .com and .net domain spaces, disconnected the domains. This resulted in a significant reduction in spam traffic and a major blow to Walladak. Operation B49 demonstrated the capability to dismantle a sophisticated botnet through technical and legal means.
The Takedown of Cutwale Botnet
Cutwale was a resilient botnet that was difficult to take down. Multiple attempts were made to disrupt its operations, including takedowns of its command and control (C&C) servers. While some takedowns had temporary impacts, Cutwale would quickly bounce back by activating new servers. One accidental takedown of Cutwale's servers by researchers examining other botnets did have a significant and lasting impact on its operations. This event weakened Cutwale and allowed other spam botnets, like Rustock, to gain dominance in the spamming world.
The Takedown of Rustock Botnet
Microsoft, working alongside other organizations and law enforcement agencies, initiated Operation B107 to dismantle the Rustock botnet. By seizing Rustock's C&C servers, Microsoft disrupted its operations and significantly reduced global spam traffic. The takedown involved filing a lawsuit and seeking the legal basis to seize servers. The cooperation between Microsoft, FireEye, and other entities led to the successful neutering of Rustock, causing a decline in infected machines and reclaiming control for computer users. The search for the botnet operator, Cosma, is ongoing, with a $250,000 reward offered for information leading to his arrest.
This episode tells the stories of some of the worlds biggest spamming botnets. We’ll talk about the botnets Rustock, Waledac, and Cutwail. We’ll discover who was behind them, what their objectives were, and what their fate was.
Sponsors
Support for this show comes from Juniper Networks (hyperlink: juniper.net/darknet). Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper Secure Edge can help you keep your remote workforce seamlessly secure wherever they are.
Support for this podcast comes from Cybereason. Cybereason reverses the attacker’s advantage and puts the power back in the defender’s hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.
Remember Everything You Learn from Podcasts
Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.
