During the 4th USENIX Symposium on Large-Scale Exploits and Emerging Threats, which will take place in Boston next week, we will present our paper The Underground Economy of Spam: A Botmaster's Perspective of Coordinating Large-Scale Spam Campaigns.
It all started last August, when we identified several Command and Control servers responsible of the activities of the Cutwail spamming botnet. Thanks to our contacts with different Internet Service Providers, we managed to take down 16 of these servers and we obtained access to the data stored on them. At first, this operation had a big impact on the botnet's activity, reducing the amount of spam sent by Cutwail by a lot (from our estimates, the servers we took down accounted for half to two thirds of the overall ones). Unfortunately, after a few weeks, the Cutwail crew set up new Command and Control servers, and the spam activity began again. Currently, after the Rustock takedown from last week, Cutwail is the second largest spamming botnet after Lethic.
Even though this takedown has not been very successful in the big picture of fighting world's spam, the data we obtained gave us a unique insight on the modus operandi of the botmasters of a large botnet, as well as on the challenges involved in sending millions of junk emails throughout the Internet. Cutwail is sold as a software package under the name of 0bulk Psyche Evolution. This package provides a web interface that aids the spammer in all the tasks involved in organizing the spam campaign: building a template for the emails, making sure that it doesn't get detected as spam by spamassassin, picking a list of email addresses to send the spam to, and selecting the bots that will carry out that campaign. 0bulk Psyche Evolution comes with a user manual that provides useful instruction on how to correct dimension all the parameters involved in the spam campaign to make it as effective as possible.
The servers we obtained access to had all been set up by the same people, who rented them to different organization to run their spam campaigns. All the most common types of spam were sent using these servers, from phishing, to pharmaceuticals, to malware attachments. In the paper, we provide detailed statistics on how effective these operations were, and how many victims and bots were involved. During a period of one year, the part of the botnet controlled by those servers was able to deliver more than 500 billion messages.
In the paper, we also analyze spamdot.biz, an online forum where it was possible to trade illicit goods such as renting a botnet, or buying a list of email addresses to send spam to. The analysis of this forum gave us an overview on how much these goods are worth. This also gave us the possibility to estimate how much money the Cutwail crew made by running the botnet. Approximately, this should be between 1.7 million dollars to 4.2 million dollars over one year.