Most of the spam that is sent today originates from botnets, which use several different techniques to get their unwanted messages past recipients' mail filters. In addition to renting out their botnets to spammers, bot-herders also use the botnets' spamming functionality themselves, sending out disguised copies of the bot malware (or hyperlinks to hosted copies of it) in an effort to increase the size of the network.
To understand how bots have come to play a central role in spam and phishing schemes, consider the typical life cycle of a spam or phishing attack. Attackers must first obtain a list of email addresses to target, and then they must craft their messages in a way that is likely to bypass email spam filters. They usually also host a landing page on which the product or service advertised in the message can be purchased (or, for phishing, on which credentials are collected). Bots can assist the attackers in all of these phases.
Attackers have traditionally found new potential victims by crawling the web or buying lists from other spammers. However, the email addresses obtained in this way are often of low quality: they might be old and no longer used, or the purchased lists might include trap accounts (addresses that never receive legitimate mail) that notify the administrators of the receiving email system upon receiving a spam message, so that the originating IP address can be quickly blocked.
Bots can be used to harvest high-quality email addresses. For example, the HTTP botnet family Win32/Waledac searches through many different kinds of files on fixed and remote drives on compromised computers looking for addresses. In addition to sending spam to the harvested addresses directly, Waledac also transmits the addresses to a list of remote websites, presumably for the attacker to retrieve. The market for lists of email addresses is well established, and bot owners can easily turn the lists they harvest this way into profit by selling them to spam and phishing attackers. Addresses that come with demographic information, such as the recipient's name and postal address, or with targeting information, such as the name of the bank the person uses, command a premium. Bots can steal very specific information from computers, which makes them especially useful for spear phishing, a type of phishing attack that targets the employees or customers of a particular institution.
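The two sides of the harvesting story above, the bot walking a victim's drive for addresses and the receiving mail system's trap accounts, as an added example that is not code from the original report or from any real botnet. The regex, the scanned file suffixes, the directory layout and every address in it are constructed for the demo; the trap address is assumed to have been planted in a mailbox file where a harvester would pick it up, which is one way such traps end up on purchased lists.

```python
import re
import tempfile
from pathlib import Path

# Loose address pattern: good enough for harvesting, not for validation (assumption).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Suffixes a harvester might scan; an assumption, not Waledac's actual list.
SCAN_SUFFIXES = {".txt", ".htm", ".html", ".csv", ".eml", ".log", ".xml"}


def harvest_addresses(root):
    """Walk `root` like a harvesting bot: read every file with a scanned suffix,
    pull out addresses, and return a de-duplicated, lower-cased, sorted list."""
    found = set()
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        found.update(a.lower() for a in EMAIL_RE.findall(text))
    return sorted(found)


class SpamTrapMonitor:
    """Receiving-side check: trap addresses never get legitimate mail, so any
    delivery attempt to one identifies the sending IP as a spam source."""

    def __init__(self, trap_addresses):
        self.traps = {a.lower() for a in trap_addresses}
        self.blocked = {}  # sender IP -> first trap address it hit

    def on_delivery(self, sender_ip, rcpt):
        """Return True (and block sender_ip) if rcpt is a trap address."""
        rcpt = rcpt.lower()
        if rcpt in self.traps:
            self.blocked.setdefault(sender_ip, rcpt)
            return True
        return False

    def is_blocked(self, sender_ip):
        return sender_ip in self.blocked


def build_sample_tree():
    """Constructed sample data: a throwaway directory standing in for a
    compromised machine's drive. All names and addresses are invented."""
    root = Path(tempfile.mkdtemp(prefix="harvest-demo-"))
    (root / "Documents").mkdir()
    (root / "Documents" / "contacts.csv").write_text(
        "name,email\nAlice,alice@example.com\nBob,Bob@Example.org\n"
    )
    # A saved message whose body carries the planted trap address.
    (root / "mail.eml").write_text(
        "From: carol@example.net\nTo: alice@example.com\n\n"
        "Re: invoice, cc trap-7f3a@example-honeypot.test\n"
    )
    (root / "notes.txt").write_text("no addresses here, just notes\n")
    # Binary file with an address inside: skipped because of its suffix.
    (root / "photo.jpg").write_bytes(b"\xff\xd8 dave@example.com (not scanned)")
    return root


def simulate_spam_run(addresses, monitor, bot_ip):
    """A bot at bot_ip mails every harvested address; return the number of
    deliveries that hit a trap (each one also blocks bot_ip)."""
    return sum(monitor.on_delivery(bot_ip, a) for a in addresses)


if __name__ == "__main__":
    tree = build_sample_tree()
    harvested = harvest_addresses(tree)
    print("harvested:", harvested)
    monitor = SpamTrapMonitor(["trap-7f3a@example-honeypot.test"])
    hits = simulate_spam_run(harvested, monitor, "203.0.113.9")
    print("trap hits:", hits, "| bot blocked:", monitor.is_blocked("203.0.113.9"))
```

The harvester never knows which of its four addresses is the trap, which is exactly why trap accounts degrade a purchased list: one delivery to the trap is enough to get the sending bot's IP blocked for the real addresses too.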
Spambots, as bots that send spam are sometimes called, also give attackers access to tens of thousands of computers or more that can be used to originate spam. Typically, a prospective spammer contacts a bot-herder to rent the services of a botnet. Several modern botnet families are designed to be partitioned into segments that can be controlled separately. Partitioning allows the bot owner to control how much capacity to rent at a time, prevents valuable parts of the botnet from being used without the owner's permission, and segments the market by collecting higher-quality bots (newly compromised, high-bandwidth, rarely rebooted) together and renting them out for a premium.
After the spammer and the bot-herder negotiate the product and price, the bot-herder instructs each of the selected bots to start a proxy server, and typically provides the spammer with access to a webpage that lists the IP addresses of the selected bots and the ports on which they are running their proxy servers. These bots go online and offline as the compromised computers' real owners reboot them; IP addresses might change, and the ports on which the proxy servers run might change over time. Every time there is a change, the bot notifies its C&C server, which automatically updates the list of IP addresses the spammer can use.
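The proxy-list bookkeeping just described, as an added example that is not code from the original report and does not follow any real botnet's C&C protocol. It models a hypothetical C&C-side registry: bots check in with their current IP and proxy port, an IP or port change simply replaces the old entry, a bot that announces a shutdown is dropped at once, and a bot that vanishes silently (rebooted without notice) is aged out after a stale timeout. The timeout, the event sequence and all addresses are constructed for the demo.

```python
import time

STALE_AFTER = 600  # seconds without a check-in before a bot is dropped (assumed value)


class ProxyRegistry:
    """Hypothetical C&C-side registry behind the spammer-facing proxy list."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.bots = {}  # bot_id -> {"ip": str, "port": int, "seen": float}

    def check_in(self, bot_id, ip, port):
        """Bot came online or re-announced; a changed IP or port replaces the old entry."""
        self.bots[bot_id] = {"ip": ip, "port": port, "seen": self.clock()}

    def offline(self, bot_id):
        """Bot reported it is going down (e.g. the owner is rebooting)."""
        self.bots.pop(bot_id, None)

    def expire(self):
        """Drop bots that stopped checking in without saying goodbye."""
        now = self.clock()
        stale = [b for b, e in self.bots.items() if now - e["seen"] > STALE_AFTER]
        for bot_id in stale:
            del self.bots[bot_id]

    def proxy_list(self):
        """What the spammer's webpage would show: the live ip:port pairs."""
        self.expire()
        return sorted(f"{e['ip']}:{e['port']}" for e in self.bots.values())


# Constructed event log: (seconds, kind, bot_id, ip, port). Documentation-range IPs.
SAMPLE_EVENTS = [
    (0, "checkin", "b1", "198.51.100.10", 8080),
    (5, "checkin", "b2", "203.0.113.44", 31337),
    (60, "checkin", "b1", "198.51.100.10", 9090),   # b1 moved its proxy port
    (120, "offline", "b2", None, None),             # b2's owner is rebooting
    (180, "checkin", "b3", "192.0.2.7", 8080),
    (200, "checkin", "b3", "192.0.2.99", 8080),     # b3 got a new DHCP lease
    (900, "checkin", "b2", "203.0.113.44", 31337),  # b2 is back; b1 and b3 went quiet
]


def replay(events):
    """Drive a registry with the events on a fake clock; return the proxy list
    as the spammer would see it after each event."""
    now = [0.0]
    registry = ProxyRegistry(clock=lambda: now[0])
    snapshots = []
    for t, kind, bot_id, ip, port in events:
        now[0] = float(t)
        if kind == "checkin":
            registry.check_in(bot_id, ip, port)
        elif kind == "offline":
            registry.offline(bot_id)
        snapshots.append((t, registry.proxy_list()))
    return snapshots


if __name__ == "__main__":
    for t, proxies in replay(SAMPLE_EVENTS):
        print(f"t={t:>4}s  proxies={proxies}")
```

The last snapshot is the interesting one: b1 and b3 never reported going offline, so without the stale-entry sweep the spammer's list would still advertise two proxies that no longer answer, and the page would silently decay into dead entries as home machines are rebooted.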