US takedown of Russian botnet won't end pernicious spam: experts

Paul HANDLEY
Robots and humans on the Internet

The US takedown of the huge Kelihos botnet and the arrest of its Russian operator shut down one of the world's top generators of spam and online extortion.

But that will barely blunt the flow of unwanted emails touting fake sexual performance drugs or delivering vicious malware that allows criminals to ransom your computer data.

Experts say there are dozens of other such infected, remotely-manipulated computer networks, including a handful as large as Kelihos, with the most nefarious working from the safety of Russia and Eastern Europe.

They rake in huge sums of money offering their services to others to spread computer viruses, pump out tens of millions of spam emails, and hijack user data like bank account numbers and logins.

"The global spam landscape is pretty vast and there's a lot of different people participating in it," said Keith Jarvis, a senior researcher at computer security firm SecureWorks.

"If one company goes out of business, somebody else fills that space."

The US Justice Department announced Monday it was seizing control of Kelihos, days after Spanish police arrested the Russian hacker behind it, Piotr or Peter Levashov, at Washington's request.

Levashov, a 36-year-old from Saint Petersburg, controlled a diffuse network of more than 100,000 computers around the world infected with Kelihos malware.

He could order them remotely to deliver fraud spam and malicious computer viruses on behalf of whoever would pay him to do so.

Proud of his work, he advertised the ever-improving effectiveness of his spam services and a standard price list. For legal ads, he charged $200 per million spam emails. For illegal scams and phishing attacks, it was $500 per million.

To help someone with a stock manipulation, he wanted a deposit of $5,000-$10,000 to share his list of 25 million traders. He also demanded 5 percent of the gains made on the stock.

- Temporary downturn in spam likely -

The Spamhaus Project, which documents spam, botnets, malware and other abuse, listed Levashov as seventh on its "10 Worst Spammers" list, out of a list of some 100 worldwide that also includes malign but legal spam operations based in the United States and elsewhere.

Kelihos has not been tied to Russian interference in the US presidential election last year.

But that operation -- which SecureWorks helped uncover -- depended on sending spam emails that allowed hackers to penetrate the computers of the Democratic Party to steal data. That was exactly the kind of botnet service that Levashov was selling to criminals.

Taking Kelihos down will likely result in a substantial decline in the global production of billions of spam emails every day, according to Jarvis.

US officials took the extraordinary step of injecting their own modified Kelihos malware into already-infected computers, giving them the ability to redirect the botnet's traffic to FBI-controlled "sinkhole" servers and rendering the network useless.

But that gain will likely only be temporary. After the US Federal Bureau of Investigation similarly shut down the Gameover Zeus botnet in 2014, spam and other illegal activities fell sharply, but only for months before roaring back on competing networks.

Today there are other botnets, like Cutwail, Asprox and Necurs -- the largest spam botnet in the world, infecting an estimated five million computers.

Most are in Russia, where the government lets them operate freely as long as their victims are outside the country, say experts.

All could be ready to fill the gap left by Kelihos.

"With a large botnet going away, certainly that monetary drive is there for somebody else to enter the market," said Jarvis.