Thanks to Attila Marosi of SophosLabs in Hungary. Attila came up with the idea for, and conducted the research used in, this article.
That’s because they’re the money-making machinery of modern cybercrime.
The idea is simple: malware on your computer regularly “calls home,” often by making an innocent-looking web request using HTTP, just like your browser.
But instead of fetching a web page for display, the bot (short for “malware robot”) downloads a list of instructions, which it carries out using your computer and your network connection.
- Logging your keystrokes to steal online usernames and passwords.
- Searching through your files for interesting data to steal.
- Tricking you into clicking on ads to generate pay-per-click revenue.
- Posting “recommendations” for your friends on your social networks.
- Downloading more malware, for example ransomware that scrambles your data and demands an unlock fee.
- Acting as a proxy, or relay, and charging rent to other crooks so they can use your internet connection to cover their tracks.
- Attacking other people’s websites, making you look like the crook.
But the criminal activity most associated with bots is spamming.
That’s because spammers don’t just use a bot here and a bot there to send unwanted emails, they use a whole collection of bots at the same time (typically tens of thousands or more), for truly distributed spamming power.
→ The collective noun for a group of bots is a botnet, short for “robot network.” The cybercrooks that runs a botnet are known as botherders or botmasters. If you want to send spam but you don’t have a botnet of your own, you can rent time on someone else’s, using the CaaS (crimeware-as-a-service) model.
The crooks enjoy many benefits from using other people’s computers to send spam, namely:
- Resilience. There isn’t a single point of failure. Even if half of the zombified computers are cleaned of malware, the other half keep going.
- Value-for-money. The crooks pay nothing for their bandwidth. You pay instead. You also carry the risk of being blocklisted by your ISP, because you’re the only publicly visible email step in the spam sending chain.
- Performance. 10,000 computers sending 10,000 spams each will typically finish faster than one server sending 100,000,000 spams.
Enter the Honeybot
But just how much spam can a botnet send in real life?
SophosLabs in Hungary decided to find out, using a carefully-configured “honeybot” that would receive spamming commands from its botmasters, generate spam messages, and send them out.
However, the messages weren’t allowed past a special dead-end server that was blocked off from the internet.
In other words, the spam was constructed and sent on its way, but then trapped and measured instead of being delivered to its real destination.
With that in mind, of course, the numbers in real life would be lower, because not all receiving servers would be working correctly, and not all email addresses would be valid.
Nevertheless, the numbers give a good idea of how much you might help the crooks if you had a single infected computer connected via a typical home network connection (e.g. ADSL or cable).
In a one week period, from a single computer infected with a single piece of malware:
- 5.5 million email addresses were spammed.
- 30 GBytes of outbound email were sent.
- 750,286 unique spam messages were sent.
- 26% included another item of malware.
- 74% contained links to a pharmaceutical website.
In the course of the week:
- 11 different types of malware were sent out.
- 3771 different URL-shortener links were used
- …which redirected via 58 different hacked servers
- …to the same pharmaceutical site.
As we mentioned above, if you were infected on a real computer at home, your throughput might be lower.
Some of the 60,079 mail servers used might have been offline; some of the recipients would certainly have been invalid; and bandwidth or data limits might have reduced your total sending capacity.
But many users these days have uncapped data plans, or ISPs that meter downloads only (sending email is effectively an upload), 30GByte in a week is not an exceptional amount.
→ That’s a sustained average throughput of about 400Kbit/sec, which is less than half the upload bandwidth of a regular ADSL connection. For many users, that would mean sufficient bandwidth left over that the spam would probably go unnoticed, or at least uninvestigated.
And that, in a nutshell, is how much spam a single infected computer in a botnet can send.
What does this mean?
• A 10,000-computer botnet can pump out 50 billion spams per week.
• Cybercrooks “invest” by spreading new malware during spam campaigns.
• Insecure servers provide innocent-looking URLs as a first hop.
• Don’t give up on your spam filter just yet.
• Clean up right away if you find you are infected..
Remember, if you aren’t part of the solution, you’re part of the problem!
Free Sophos UTM Home Edition
Want to filter spam and keep out zombie malware on your home network?
If you have a spare PC or laptop handy, why not try the Sophos UTM Home Edition?
You get all the features of our commercial product, including: web and email filtering; a network intrusion detection system; full-blown VPN support; regular and frequent updates; and licences to install and manage Sophos Anti-Virus for Windows on up to 12 PCs.
If you are the IT geek in a shared house or have children to keep safe online, this could be just what you need, all for $0.