Thanks to Attila Marosi of SophosLabs in Hungary. Attila came up with the idea for, and conducted the research used in, this article.
We write about bots, also known as zombies, fairly frequently on Naked Security.
That’s because they’re the money-making machinery of modern cybercrime.
The idea is simple: malware on your computer regularly “calls home,” often by making an innocent-looking web request using HTTP, just like your browser.
But instead of fetching a web page for display, the bot (short for “malware robot”) downloads a list of instructions, which it carries out using your computer and your network connection.
For example:
- Logging your keystrokes to steal online usernames and passwords.
- Searching through your files for interesting data to steal.
- Tricking you into clicking on ads to generate pay-per-click revenue.
- Posting “recommendations” for your friends on your social networks.
- Downloading more malware, for example ransomware that scrambles your data and demands an unlock fee.
- Acting as a proxy, or relay, and charging rent to other crooks so they can use your internet connection to cover their tracks.
- Attacking other people’s websites, making you look like the crook.
But the criminal activity most associated with bots is spamming.
That’s because spammers don’t just use a bot here and a bot there to send unwanted emails, they use a whole collection of bots at the same time (typically tens of thousands or more), for truly distributed spamming power.
The collective noun for a group of bots is a botnet, short for “robot network.” The cybercrooks that run a botnet are known as botherders or botmasters. If you want to send spam but you don’t have a botnet of your own, you can rent time on someone else’s, using the CaaS (crimeware-as-a-service) model.
The crooks enjoy many benefits from using other people’s computers to send spam, namely:
- Resilience. There isn’t a single point of failure. Even if half of the zombified computers are cleaned of malware, the other half keep going.
- Value-for-money. The crooks pay nothing for their bandwidth. You pay instead. You also carry the risk of being blocklisted by your ISP, because you’re the only publicly visible email step in the spam sending chain.
- Performance. 10,000 computers sending 10,000 spams each will typically finish faster than one server sending 100,000,000 spams.
Enter the Honeybot
But just how much spam can a botnet send in real life?
SophosLabs in Hungary decided to find out, using a carefully-configured “honeybot” that would receive spamming commands from its botmasters, generate spam messages, and send them out.
However, the messages weren’t allowed past a special dead-end server that was blocked off from the internet.
In other words, the spam was constructed and sent on its way, but then trapped and measured instead of being delivered to its real destination.
With that in mind, of course, the numbers in real life would be lower, because not all receiving servers would be working correctly, and not all email addresses would be valid.
Nevertheless, the numbers give a good idea of how much you might help the crooks if you had a single infected computer connected via a typical home network connection (e.g. ADSL or cable).
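The measurement setup described above, a dead-end mail server that accepts whatever the infected machine sends and counts it instead of delivering it, is easy to reproduce on a small scale. The block below is an added example and is not the SophosLabs honeybot or any Sophos code: it runs a minimal SMTP sink on a loopback port, then uses `smtplib` to push a few constructed messages through it the way a bot would, and returns what the sink counted (messages, distinct recipient addresses, bytes of message data). Hostnames such as `sink.invalid` and all addresses are constructed; nothing is relayed anywhere.

```python
import smtplib
import socketserver
import threading
from email.message import EmailMessage


class SinkStats:
    """What the dead-end server measures: messages accepted, distinct
    recipient addresses targeted, and bytes of message data received."""

    def __init__(self):
        self.lock = threading.Lock()
        self.messages = 0
        self.recipients = set()
        self.data_bytes = 0


class SmtpSinkHandler(socketserver.StreamRequestHandler):
    """Speaks just enough SMTP to accept a message, counts it, then drops it.
    Recipient addresses are only recorded; no mail leaves this process."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        stats = self.server.stats
        self.reply("220 sink.invalid ESMTP dead-end server")
        pending = set()                      # recipients of the message in progress
        while True:
            raw = self.rfile.readline()
            if not raw:                      # client went away without QUIT
                return
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 sink.invalid")
            elif verb == "MAIL":
                pending = set()
                self.reply("250 OK")
            elif verb == "RCPT":
                addr = line.partition(":")[2].strip().strip("<>").lower()
                pending.add(addr)
                self.reply("250 OK")
            elif verb == "DATA":
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                size = 0
                while True:                  # read until the lone-dot terminator
                    chunk = self.rfile.readline()
                    if not chunk or chunk == b".\r\n":
                        break
                    size += len(chunk)
                with stats.lock:
                    stats.messages += 1
                    stats.recipients.update(pending)
                    stats.data_bytes += size
                self.reply("250 OK accepted and discarded")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("500 Command not recognised")


class SmtpSink(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, SmtpSinkHandler)
        self.stats = SinkStats()


def measure_sender(n_messages=3, recipients_per_message=2):
    """Start the sink on a random loopback port, push n_messages of constructed
    sample mail through it with smtplib (standing in for the bot), and return
    what the sink counted. Example code, not the SophosLabs setup."""
    sink = SmtpSink(("127.0.0.1", 0))
    port = sink.server_address[1]
    threading.Thread(target=sink.serve_forever, daemon=True).start()
    try:
        with smtplib.SMTP("127.0.0.1", port, timeout=5) as client:
            for i in range(n_messages):
                to_addrs = [f"victim{i}-{j}@example.invalid"
                            for j in range(recipients_per_message)]
                msg = EmailMessage()
                msg["From"] = "bot@example.invalid"
                msg["To"] = ", ".join(to_addrs)
                msg["Subject"] = f"Constructed sample message {i}"
                msg.set_content("Constructed sample body; never delivered.")
                client.sendmail("bot@example.invalid", to_addrs, msg.as_string())
    finally:
        sink.shutdown()
        sink.server_close()
    stats = sink.stats
    return {"messages": stats.messages,
            "unique_recipients": len(stats.recipients),
            "data_bytes": stats.data_bytes}


if __name__ == "__main__":
    print(measure_sender())
```

The sink answers every command with success so the sending side believes delivery went fine, which is what makes the measured volume representative of what the bot would attempt against real servers; the caveats in the text (offline servers, invalid addresses) are exactly the things such a sink does not model.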
The results
In a one week period, from a single computer infected with a single piece of malware:
- 5.5 million email addresses were spammed.
- 30 GBytes of outbound email were sent.
- 750,286 unique spam messages were sent.
- 26% included another item of malware.
- 74% contained links to a pharmaceutical website.
In the course of the week:
- 11 different types of malware were sent out.
- 3771 different URL-shortener links were used
- …which redirected via 58 different hacked servers
- …to the same pharmaceutical site.
As we mentioned above, if you were infected on a real computer at home, your throughput might be lower.
Some of the 60,079 mail servers used might have been offline; some of the recipients would certainly have been invalid; and bandwidth or data limits might have reduced your total sending capacity.
But many users these days have uncapped data plans, or ISPs that meter downloads only (and sending email is effectively an upload), so 30 GBytes in a week is not an exceptional amount.
That’s a sustained average throughput of about 400Kbit/sec, which is less than half the upload bandwidth of a regular ADSL connection. For many users, that would mean sufficient bandwidth left over that the spam would probably go unnoticed, or at least uninvestigated.
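The throughput figure above comes from spreading the week's 30 GBytes over the week's seconds, and the same arithmetic is what a home router or network monitor can use to notice an infected machine from the outside. The block below is an added example, not part of the article or of any Sophos tool: it reproduces the 30 GB/week calculation and generalises it into a check over per-host outbound flow records, flagging any host whose sustained rate to mail ports, or whose count of distinct mail servers contacted, is far beyond what a mail client on a home LAN produces. The flow-record tuple layout, the IP addresses (documentation ranges), and the thresholds are all constructed for the example.

```python
from collections import defaultdict

WEEK_SECONDS = 7 * 24 * 60 * 60
MAIL_PORTS = {25, 587}          # SMTP relay and submission


def kbit_per_sec(byte_count, seconds):
    """Average throughput in kbit/s for byte_count bytes moved over seconds."""
    return byte_count * 8 / seconds / 1000


def constructed_flows():
    """One constructed hour of outbound flow records from a home LAN
    (not real traffic): (start_second, src_ip, dst_ip, dst_port, bytes_out)."""
    flows = []
    # Hypothetical infected host: 1,200 SMTP sessions of ~37.5 KB each,
    # spread over 60 distinct destination mail servers.
    for i in range(1200):
        flows.append((i * 3, "10.0.0.5", f"203.0.113.{i % 60}", 25, 37_500))
    # Ordinary host: two messages via the ISP's submission relay, plus web.
    flows.append((600, "10.0.0.7", "192.0.2.10", 587, 24_000))
    flows.append((2400, "10.0.0.7", "192.0.2.10", 587, 180_000))
    flows.append((900, "10.0.0.7", "198.51.100.20", 443, 5_000_000))
    return flows


def summarise_outbound_mail(flows, window_seconds):
    """Per source host: bytes sent to mail ports, distinct mail servers
    contacted, and average kbit/s over the observation window."""
    per_src = defaultdict(lambda: {"bytes": 0, "servers": set()})
    for _start, src, dst, dport, nbytes in flows:
        if dport in MAIL_PORTS:
            per_src[src]["bytes"] += nbytes
            per_src[src]["servers"].add(dst)
    return {
        src: {"bytes": v["bytes"],
              "servers": len(v["servers"]),
              "kbit_s": kbit_per_sec(v["bytes"], window_seconds)}
        for src, v in per_src.items()
    }


def flag_spam_senders(flows, window_seconds, min_kbit=50.0, min_servers=20):
    """Hosts whose sustained outbound mail rate, or number of distinct mail
    servers contacted, exceeds what a home user's mail client produces.
    A normal client talks to one or two submission servers; a bot doing its
    own delivery talks to thousands."""
    summary = summarise_outbound_mail(flows, window_seconds)
    return {src: m for src, m in summary.items()
            if m["kbit_s"] >= min_kbit or m["servers"] >= min_servers}


if __name__ == "__main__":
    # The article's figure: 30 GBytes in one week.
    print(f"30 GB/week = {kbit_per_sec(30e9, WEEK_SECONDS):.0f} kbit/s")
    for src, metrics in flag_spam_senders(constructed_flows(), 3600).items():
        print(src, metrics)
```

The distinct-server count is the more robust of the two signals: a bot that throttles itself to stay under a bandwidth threshold still has to contact each recipient's mail server directly, whereas a legitimate home machine hands everything to its ISP's relay.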
And that, in a nutshell, is how much spam a single infected computer in a botnet can send.
What does this mean?
- A 10,000-computer botnet can pump out 50 billion spams per week.
- Cybercrooks “invest” by spreading new malware during spam campaigns.
- Insecure servers provide innocent-looking URLs as a first hop.
- Don’t give up on your spam filter just yet.
- Clean up right away if you find you are infected.
Remember, if you aren’t part of the solution, you’re part of the problem!
Free Sophos UTM Home Edition
Want to filter spam and keep out zombie malware on your home network?
If you have a spare PC or laptop handy, why not try the Sophos UTM Home Edition?
You get all the features of our commercial product, including: web and email filtering; a network intrusion detection system; full-blown VPN support; regular and frequent updates; and licences to install and manage Sophos Anti-Virus for Windows on up to 12 PCs.
If you are the IT geek in a shared house or have children to keep safe online, this could be just what you need, all for $0.
Many rural connections still use ADSL Max and ours struggles to give 200kbps download so we would definitely notice such traffic levels – and we are not untypical of rural users. I gather from BT/Openreach that even a significant proportion of urban users do not have download speeds that exceed 400 kbps so they would definitely notice the traffic levels mentioned.
Those with fibre services, whether FTTC or FTTP or even FTTRn, would be less likely to notice unless they use network traffic monitoring software on each and every ‘computer system’, whether PC or laptop or smart phone or tablet etc., that connects to the internet.
Really? A significant proportion of urban ADSL users can’t exceed 0.4MBit/sec downstream? Are you sure you don’t mean 400K*byte*/sec, which is more like 4Mbits/sec?
I’ve used several different ADSL-based internet services in numerous countries, and in my experience, anything at 4MBit/sec or below requires special throttling effort by the ISP. (Some sell lower-rated services at a cheaper price, which involves rate limiting your connection; others have a monthly data cap that cuts your speed back after you exceed a certain data allowance.)
From memory, ADSL2+ gives up to 24Mbit/sec downstream, but typical figures are 8-12Mbit/sec, plus 1Mbit/sec upstream, with typical figures of 1Mbit/sec.
By way of background, I’ve always found it more convenient to do calculations with bytes rather than bits, with two exceptions — x86 vs. x64 in my OS, and display color depth. And I’ve tried to stick with what I thought was a standard for notation, upper-case B referring to bytes and lower-case b meaning bits.
With that in mind, I’m in an urban region in south-central Ont., Canada, and have ADSL service through a large regional independent ISP which offers “up to” 15 mb/sec downloads. With a good connection and good server at the other end, I can typically get around 1.5 MB/sec, which is reasonably close to the advertised speed. They don’t do any throttling, as far as I know, but simply add a $1/GB surcharge for anything over my 100 GB/mo. cap. And I don’t think I’ve ever gone beyond around 50 GB, so no point paying extra for unlimited service.
I used to do the B-versus-b thing until I figured I might as well write “Byte” and “bit” instead 🙂
This exchange is a bit off the subject, and admittedly I live in rural Lincolnshire, 6 Km from the roadside cabinet. 2 months ago I was getting 0.25 to 0.4 Mbps downstream on each of two lines. I complained to both ISPs, and different OpenReach engineers visited on different days. The first one managed to raise it to 0.5 Mbps. The second engineer transferred us to a more direct line from the exchange. We are 4 Km from the roadside cabinet in that direction, and he improved the speed to 1.0 Mbps.
I use Mbps to mean megabits per second, as quoted by the ThinkBroadband speed tester.
If your computer was sending out spam, it would increase your upload utilization, which you might not notice because it would not affect your download speed. (This assumes that your ADSL modem is full duplex, which most are.) If you do a lot of uploading, you might notice the difference.
Wow, I think I have had this pharmacy online store, originating from Canada. Hmm, now I am panicked. If anyone knows how to be rid of this, help please.
If you received the spam linking to that page, and indeed clicked through, you should be OK. It’s just trying to sell you hookey pharmaceuticals, as far as I can see, not to infect you.
If you’re worried, perhaps give the free Sophos Virus Removal Tool a spin, see if it detects anything:
http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
Thanks Paul. Just did that with the virus tool supplied by Sophos and, lo and behold, virus detected and removed.
thanks for all the hard work guys
On a related note…
David said above that upload would not affect your download speed. I would tend to agree, BUT I have a client who had Google Drive on a few computers and it was continually uploading for some reason. When it was uploading, the DOWNLOADS slowed to a crawl and the 20 people on the LAN could not reliably connect to the SaaS server and email and streaming music. They had a 16Mbps DSL and a 3Mbps T1.
I can’t figure out why the uploads would cripple the downloads. Has anyone experienced this?
Once Google Drive was stopped, things worked fine.
Indeed, on ADSL when the upload is maxed download slows to a crawl (and upload is easier to cap given you get less of it compared to downloads). We had this at work with someone on dropbox.
Hi,
You spelled delivered as delviered – just letting you know.
Thanks,
Jason
Oops. Corrected now. Thanks 🙂
Why would this online pharmacy store go to the trouble of hiding their unsolicited messages, and presumably keep sending out their messages, unless some of the recipients actually bought something?
Maybe some of the recipients might have been thankful to get the “spam” messages, and as I am 83 years old I do not think that starting my own list is an option. And how do I send the first message anyhow, the one where they may want to “opt in”? Is this not a spam message?
I think spam messages should be those that keep coming, or any message that does not have an “unsubscribe” option, and one message to a single address should be allowed.
Of course, to some people the deleting of a single unsolicited message is just too much trouble. Don Rees
Australia was one of the first countries to pass a strict “opt-in” anti-spam law, back in 2003, and the regulators very specifically considered the “what’s a reasonable volume before we call it spam” question.
Back then, a lot of people called spam “*bulk* unsolicited email,” but the Aussie regulators figured that it would be wise to drop the word “bulk,” because whatever you’d set as the legal limit, the crooks would just go one less in each batch of unwanted email and laugh at the letter of the law. So they figured, rightly IMO, to consider *one* spam enough.
You get permission first, or you don’t send it, and one is enough (though the penalties ramp up with volume, the actual offence kicks in at one). So you can’t send one message as a “test” each time…
That seems to be the legislative trend others have followed.
At the bottom of your page is a smiley face.
OMG