Who is in Control of Your Spam?
Ninety-seven percent of all distributed email spam and malware is delivered by botnets. A botnet is a large group of malware-compromised computers that follow malicious commands from their controller, which may include delivering a spam campaign en masse, performing Distributed Denial of Service (DDoS) attacks or infecting other computers in order to propagate and grow the botnet's numbers.
In the past, Internet Relay Chat (IRC) was the command-and-control choice for bot-herders worldwide. IRC became famous as chat rooms were gaining in popularity, and once computers and networks began to maintain constant connectivity to the Internet, IRC channels took off as a standalone chat/texting community. But when AOL and other major players began offering online communities complete with chat, IRC channels became an underground hotspot filled with nefarious activities that were carefully concealed from the average Internet user.
As demand for the Internet grew, botnet delivery techniques developed in complexity. Rather than infect and issue commands to compromised machines on an individual basis, the idea of networking them together quickly came into play. This exponentially increased their effectiveness and greatly lessened the workload for the owner of a zombie computer, today referred to as the bot-herder.
In order to issue commands to a new botnet, bots would be programmed to secretly log into a chosen IRC channel and wait. The bot-herder would then log in and issue a command to all of their bots at once and in plain text. The bots would then carry out the commands and return to the chat room to await new orders.
For quite a few years, bot-herders utilized IRC. However, with the appearance of more efficient technologies and techniques, the IRC delivery method is on its way out.
One major flaw that led to the decline of the IRC technique is that IRC communications occur on ports 6666 or 6667 by default. If a bot sat on a network behind a firewall or a watchful SysAdmin, anyone paying attention could cut off or filter out any traffic to and from those ports. They could also work out which machine was infected and then clean it. It is because of this limitation that new techniques are in development, such as using HTTP, where bot communication is blended in with Web requests, Peer-to-Peer technologies, or even the latest proof-of-concept technique that uses Twitter-issued commands that bots receive via RSS feeds.
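The port-based filtering described above is easy to state as detection logic, and doing so also shows where it breaks down. The following is an added example (not code from the article or from AppRiver) run over constructed connection records: the default-port check catches a bot talking to 6666/6667, a protocol-aware check that looks for IRC command verbs in the payload also catches IRC moved to a non-default port, and neither check flags HTTP-blended traffic that looks like an ordinary Web request.

```python
import re
from collections import defaultdict

# Constructed sample connection records: (internal source host, destination host,
# destination port, first line of payload). These are made up for the example.
SAMPLE_FLOWS = [
    ("10.0.0.12", "203.0.113.5", 6667, "NICK zombie12"),
    ("10.0.0.12", "203.0.113.5", 6667, "JOIN #herd"),
    ("10.0.0.34", "203.0.113.9", 8080, "PRIVMSG #herd :awaiting orders"),  # IRC on a non-default port
    ("10.0.0.7", "198.51.100.2", 443, "TLS ClientHello"),
    ("10.0.0.50", "192.0.2.77", 80, "GET /index.php HTTP/1.1"),  # HTTP-blended C2 looks like a Web request
]

# Default IRC ports named in the article.
IRC_DEFAULT_PORTS = {6666, 6667}

# Plain-text IRC command verbs a bot would send when logging into a channel and idling.
IRC_COMMAND_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b")


def flag_by_port(flows):
    """The firewall-style check: any internal host talking to an IRC default port."""
    return sorted({src for src, _, port, _ in flows if port in IRC_DEFAULT_PORTS})


def flag_by_protocol(flows):
    """Protocol-aware check: IRC command verbs in the payload, regardless of port."""
    return sorted({src for src, _, _, payload in flows if IRC_COMMAND_RE.match(payload)})


def suspected_hosts(flows):
    """Combine both checks and record why each internal host was flagged,
    so the SysAdmin knows which machine to clean and what evidence triggered it."""
    reasons = defaultdict(set)
    for src, _, port, payload in flows:
        if port in IRC_DEFAULT_PORTS:
            reasons[src].add("irc-default-port")
        if IRC_COMMAND_RE.match(payload):
            reasons[src].add("irc-protocol")
    return {host: sorted(r) for host, r in reasons.items()}


if __name__ == "__main__":
    for host, why in suspected_hosts(SAMPLE_FLOWS).items():
        print(host, why)
```

The host at 10.0.0.50 never appears in the results, which is exactly the blind spot that pushed bot-herders toward HTTP and other blended channels.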
The above-mentioned techniques illustrate the continuous evolution among attackers and defenders in cyberspace. As such, it is important to use strong anti-virus software, anti-spam solutions and a good firewall to avoid becoming a victim.
Fred Touchette joined AppRiver in February 2007 as a senior security analyst. In this role, Touchette is primarily responsible for evaluating security controls and identifying potential risks. He provides advice, research support, project management services and information security expertise to assist in designing security solutions for new and existing applications. During his tenure at AppRiver, Touchette has been instrumental in assessing critical IT threats and implementing safeguard strategies and recommendations. Touchette holds several technical certifications, including CompTIA Security+ and GREM (GIAC Reverse Engineering Malware) through the SANS initiative.