Nefarious Donbot spews URL-shortened spam

Posted by Aharon Etengoff

San Francisco (CA) - A report published by Symantec's MessageLabs indicates that shortened-URL spam continues to be a popular medium for criminal elements attempting to sell drugs online. According to Matt Sergeant of MessageLabs, spammers are taking advantage of the heightened interest in health-related issues such as swine flu to disseminate large volumes of spam using the powerful Donbot botnet.

Sergeant explained that the ongoing abuse of shortened URLs has forced a number of legitimate "shortening" services to close because they could not thwart the hijacking of their services by spammers.

"Exploiting URL-shortening services for spam runs is not a new technique. However, this method really exploded in July 2009. We attribute the increase to an evolution in automated techniques," Sergeant told TG Daily. "There are multiple ways to exploit shortened URLs for spam-related purposes. One method is the wholesale, mass cracking of site validation codes. The other is to hire a large number of people in developing nations to manually enter the clearance codes."
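The defensive counterpart to the abuse described above is a mail filter that does not trust a shortened link at face value: it extracts URLs from a message, identifies those that point at a shortening service, follows the redirect chain to the final landing page, and checks that destination against a blocklist. The following is an added example written for this article, not code from MessageLabs or Symantec. The shortener host list, the blocklist and the redirect table are all constructed for the example; in a real filter the redirect table would be replaced by bounded HEAD requests to the shortener.

```python
import re
from urllib.parse import urlparse

# Constructed list of shortener hosts (assumption for this example, not from the report).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd", "goo.gl"}

# Constructed blocklist of landing-page domains known to host spam content (assumption).
BLOCKED_DOMAINS = {"cheap-pills-example.test"}

# Constructed redirect table that stands in for live expansion of short links (offline stand-in).
REDIRECT_TABLE = {
    "http://bit.ly/abc123": "http://cheap-pills-example.test/flu",
    "http://tinyurl.com/xyz": "http://cheap-pills-example.test/buy",
    "http://is.gd/news": "https://example.org/health/swine-flu",
}

# Matches http(s) URLs up to whitespace or common delimiters.
URL_RE = re.compile(r'''https?://[^\s<>"')\]]+''', re.IGNORECASE)


def extract_urls(text):
    """Return every URL in the text, with trailing sentence punctuation removed."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def is_shortener(url):
    """True when the URL's host is one of the known shortening services."""
    host = urlparse(url).hostname or ""
    return host.lower() in SHORTENER_HOSTS


def expand(url, table=REDIRECT_TABLE, max_hops=5):
    """Follow the redirect chain until it ends, loops, or exceeds max_hops.

    A hop limit and loop check matter because spammers chain shorteners
    to defeat naive one-step expansion.
    """
    seen = []
    current = url
    for _ in range(max_hops):
        seen.append(current)
        nxt = table.get(current)
        if nxt is None or nxt in seen:
            break
        current = nxt
    return current


def classify_message(body, table=REDIRECT_TABLE, blocklist=BLOCKED_DOMAINS):
    """Score a message body by expanding its shortened links.

    Verdicts: "spam" if any expanded link lands on a blocked domain,
    "suspicious" if shortened links are present but land elsewhere,
    "clean" if the message contains no shortened links.
    """
    urls = extract_urls(body)
    short = [u for u in urls if is_shortener(u)]
    findings = []
    for u in short:
        final = expand(u, table)
        host = (urlparse(final).hostname or "").lower()
        findings.append({"url": u, "final": final, "blocked": host in blocklist})
    if any(f["blocked"] for f in findings):
        verdict = "spam"
    elif short:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"urls": len(urls), "shortened": len(short), "findings": findings, "verdict": verdict}


# Constructed sample messages for the example.
SAMPLE_MESSAGES = [
    "Protect your family from swine flu today: http://bit.ly/abc123.",
    "Latest flu guidance from the health service: http://is.gd/news",
    "Meeting moved to 3pm, see https://example.org/calendar for details.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = classify_message(msg)
        print(result["verdict"], "-", msg)
```

The point of separating `expand` from `classify_message` is that expansion is the expensive, network-bound step and the one most worth caching; a production filter would also rate-limit it per shortener and treat an expansion that times out as suspicious rather than clean.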

Sergeant also commented on the Cutwail botnet, which was partially shut down in August.

"On August 1st, the Latvian ISP Real Host was shut down, causing Cutwail's activity levels to drop by 90 percent. However, it only took Cutwail a matter of days to recover, demonstrating just how powerful and intelligent this botnet has become," said Sergeant.

"The almost immediate recovery of Cutwail seems to suggest that its handlers had long planned for takeover attempts by designating an alternate, backup ISP. As such, the botnet was quickly able to transfer its command and control functions elsewhere. It is safe to say that botnets and their controllers have evolved in an effort to prevent significant periods of downtime."

Finally, Sergeant noted that cybercriminals were three times as likely to repurpose existing malware across numerous domains as to develop new tactics. Indeed, only 11.9 percent of malware blocked in August could be defined as "newly developed."

The full MessageLabs Intelligence report can be downloaded here.