Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown

Summary: Following last week's shutdown of 3FN/Pricewert's operations by the FTC, wishful thinkers expected a major decline in the overall spam volume, with botnet masters once again caught off guard, as happened in November 2008 with McColo's shutdown. However, according to numerous vendors, that doesn't seem to be the case.

TOPICS: Malware, Security, Telcos

Following last week's shutdown of 3FN/Pricewert's operations by the FTC, wishful thinkers expected a major decline in the overall spam volume, with botnet masters once again caught off guard, as happened in November 2008 with McColo's shutdown.

However, according to numerous vendors, that doesn't seem to be the case. The short-lived 15% drop in spam volume quickly returned to its usual proportions, with only two of the big botnets (Pushdo/Cutwail along with Mega-D) affected for the time being.

Here's what the vendors and their data are saying:

According to MX Logic, a managed e-mail and web security services vendor, "spam volumes haven't been affected at all" by the 3FN/Pricewert shutdown. Data from its Threat Operations Center shows only a minor decline, and that decline is visible prior to the FTC's press release on the 4th of June.

The company attributes the lack of a visible effect on the overall spam volume to the contingency planning of the botnet masters, as well as to the lack of more effective cooperation from the increasingly decentralized domain registrars, which increases the average time a malicious domain remains online.

This decentralization has in fact allowed cybercriminals to centralize their bulk malicious domain registration process at cybercrime-friendly registrars such as EstDomains (see Cybercrime friendly EstDomains loses ICANN registrar accreditation; ICANN terminates EstDomains, Directi takes over 280k domains - Q&A with ICANN's Stacy Burnette).

Marshal8e6's TRACElabs team points out that "looking at our Spam Statistics from last week, we do see a dip down of about 15% in our Spam Volume Index (SVI), and spam originating from the Pushdo botnet indeed seems to be affected.  The proportion of spam from Pushdo has dipped, along with Mega-D. Rustock seems completely unaffected."

On the very same day, the affected Pushdo botnet spammed a fake greeting card distributing the Privacy Center scareware, apparently to signal that it was still alive.

This modest decline can also be seen in the daily spam data from Cisco IronPort's SenderBase: global spam volume fell 8% on June 5th and a further 22% on June 6th, but the daily volume then quickly returned to its usual rate.
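The vendor figures above all answer the same question: did the takedown cause a sustained drop in daily volume, or just a dip that recovered within days? Below is an added example (not part of the original post, and not vendor code) showing the arithmetic a practitioner would run over a daily spam-volume series: compute a pre-event baseline, express each post-event day as a percentage change against it, and classify the outcome. The `DAILY_VOLUME` series is constructed for illustration, shaped to the dips the article describes (8% on June 5th, 22% on June 6th, then back to normal); it is not real SenderBase data.

```python
from statistics import mean

# Constructed daily spam-volume readings in arbitrary units (NOT SenderBase data).
# Shaped to match the article: flat before the June 4 shutdown, an 8% and a 22%
# dip on the 5th and 6th, then back to the usual rate.
DAILY_VOLUME = {
    "2009-05-28": 100.0,
    "2009-05-29": 102.0,
    "2009-05-30": 98.0,
    "2009-05-31": 101.0,
    "2009-06-01": 99.0,
    "2009-06-02": 100.0,
    "2009-06-03": 100.0,
    "2009-06-04": 100.0,  # FTC press release / shutdown day
    "2009-06-05": 92.0,
    "2009-06-06": 78.0,
    "2009-06-07": 97.0,
    "2009-06-08": 101.0,
    "2009-06-09": 100.0,
}


def baseline(volumes, event_date, window=7):
    """Mean volume over the `window` days strictly before the event date.

    Keys are ISO dates, so plain string comparison orders them correctly.
    """
    days = sorted(d for d in volumes if d < event_date)[-window:]
    if not days:
        raise ValueError("no pre-event days to build a baseline from")
    return mean(volumes[d] for d in days)


def pct_change(volumes, event_date, window=7):
    """Percent change of each day from the event date onward, relative to the baseline."""
    base = baseline(volumes, event_date, window)
    return {
        d: round(100.0 * (volumes[d] - base) / base, 1)
        for d in sorted(volumes)
        if d >= event_date
    }


def takedown_effect(volumes, event_date, dip_threshold=-5.0,
                    recovery_threshold=-5.0, window=7):
    """Classify a takedown's effect on volume.

    'none'      - no post-event day fell by at least `dip_threshold` percent
    'transient' - at least one day dipped, but the last observed day is back
                  above `recovery_threshold` (the 3FN/Pricewert pattern)
    'sustained' - dipped and still depressed on the last observed day
                  (the McColo pattern)
    """
    changes = pct_change(volumes, event_date, window)
    dipped = [d for d, c in changes.items() if c <= dip_threshold]
    if not dipped:
        return "none"
    last_day = max(changes)
    if changes[last_day] > recovery_threshold:
        return "transient"
    return "sustained"


if __name__ == "__main__":
    for day, change in pct_change(DAILY_VOLUME, "2009-06-04").items():
        print(f"{day}: {change:+.1f}%")
    print("effect:", takedown_effect(DAILY_VOLUME, "2009-06-04"))
```

Two caveats when using this against real feeds: spam volume has a strong weekly cycle, so a baseline window shorter than seven days (or one that straddles a weekend) will produce spurious dips, and a per-source breakdown (as Marshal8e6 reports per botnet) is what distinguishes a botnet losing its controllers from an unrelated global fluctuation.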

Proofpoint describes the post-shutdown effect of 3FN/Pricewert on spam as "minimal", in comparison to the shutdown of McColo last year.

It should also be noted that cybercrime-friendly ISPs have feelings too, just like cybercriminals do as a matter of fact:

"At first, our technicians thought something was going wrong," said Christopher, about the sudden shutdown. He said the FTC "has ruined our reputation" and has caused loss of customers. Christopher, who says he is from Ukraine, added that he hopes the firm isn't being targeted because it has associations with Ukraine, which has gotten a bad reputation in some circles for malware distribution and online crime."

The firm is targeted due to its evident connections with key botnets and malware attacks, however, it appears that several ICQ chats obtained by the FTC offered a pretty descriptive insight into the customer relationship management practices offered by 3FN/Pricewert:

"In one of the chats obtained by the FTC, Pricewert's Head of Programming is engaged in a conversation with a customer regarding the number of compromised computers the customer controls. The customer informs Pricewert that he controls 200,000 bots and needs assistance configuring the botnet. The head of Pricewert's Programming Department agrees to assist, but complains upon learning of the size of the botnet that it will require a lot of work. In a second chat, a Senior Project Manager for Pricewert is told by a customer that the customer controls a massive and rapidly growing network of bots. Pricewert's Sales Director reassures the customer that "Well, we know how to manage it.""

History repeats itself. The October 2008 disconnection of California-based Atrivo/Intercage also briefly disrupted spam levels. A month later, the single most successful disruption of a rogue ISP to date, McColo, seems to have taught the botnet masters a simple lesson: don't put all your eggs in one basket, along with the basics of contingency planning.

With several U.S.-based exceptions, such as Layered Technologies, where Rustock ran for cover following the shutdown of McColo (the company has been the de facto hosting provider for a botnet-for-hire service operating for several years, among other activities), the majority of cybercrime-friendly ISPs are based outside the U.S. and remain the hardcore cybercriminal's hosting provider of choice.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

7 comments
  • Their equipment must be confiscated

    They redirected to attack the FCC. They probably are still using the same telephone number.
    BALTHOR
  • RE: Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown

    You know what I really don't understand? Why there has been no law saying that if the owner/operator of the PC does not send out an email of his own choice or free will, it is considered an illegal act. It does not infringe upon anyone's civil rights, liberties or protection under the constitution, and it would make anyone who uses, controls, creates or maintains a botnet - including ISPs - responsible for essentially stealing from the owner operator of the CPU...
    babyface09123
    • There is no lobbying effort to educate..

      congress on how to craft such a law in a form that would actually be constitutional. I imagine it took some imaginative wangling at the FTC to figure out how to do this. Under the commerce clause of the Constitution it can be very difficult to regulate something that is essentially a legal commerce.

      Congressmen are too stupid to know enough about both the IT tech and the legal ramifications of crafting such legislation. Once again: if there were a lobbying group with such brains in it, congress would be more than happy to let THEM draft something and put it together for lawmakers.

      Our representatives have gotten lazy and shiftless in their responsibilities as they rely on paid lobbyists to do everything for them. The only organized sector that might be capable of doing this with the usual big money, are the anti-virus companies - and they are more than happy with the status quo.

      If bot nets were actually shut down, the AV companies could possibly collapse!
      JCitizen
  • Thank you Dancho and Ryan!...

    Very informative article. I must admit though that the background radiation on my ISP has practically disappeared. I'm sure that is from the ISP's efforts however, as many of the culprits came from within.

    External sources also must have been more effectively dealt with by my provider's gateway.
    JCitizen
  • ISP email confirmation would halt spam as we know it

    If ISPs validated their subscribers' email addresses when the account was set up, bot emails would bounce. E.g. you use Virgin broadband and send an email via their SMTP server. If the sender email address/IP was not approved, they send an automated email back to the sender to validate the address (from that IP). It would only happen once and subsequent emails from that IP would be allowed through.
    paul@...
    • Earthlink.net already does this...

      and so do some anti-spam solutions like Comodo, that work on local server based email.

      The client must approve interrogation requests from every new sender after installation. Once approved that sender is put on a white list. All others are blocked.
      JCitizen
  • RE: Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown

    Great!!! thanks for sharing this information to us!
    birumut