A software worm called Storm—intricately crafted malware—became an engine for distributing spam and hijacking unwary computers to further spread the contagion. It also became a laboratory specimen for both security specialists and hackers who wished to study the workings of this scheme for hijacking and subjugating multitudes of unsuspecting machines to the worm-writer’s purposes. In yet another incarnation, spam floods Estonia’s Internet as digital effluvia becomes an implement of cyber warfare.
TABLE OF CONTENTS
Filtering: Scientists and Hackers [Excerpt Part 1]
Part 1 of the Spam book excerpt series
Poisoning: The Reinvention of Spam [Excerpt Part 2]
Part 2 of the Spam book excerpt series
“New Twist in Affect”: Content Farms and Social Spam [Excerpt Part 3]
Part 3 of the Spam book excerpt series
Inside the Library of Babel: The Storm Worm
Storm becomes the quintessential example of software that commandeers other computers for spam distribution
Surveying Storm: Making Spam Scientific, Part II
Security specialists and hackers study Storm closely to learn its workings
The Overload: Militarizing Spam
Botnets and spam overwhelm an entire country
Reprinted from Spam: A Shadow History of the Internet, by Finn Brunton. Copyright © 2013, by Massachusetts Institute of Technology. Used with permission of the publisher, the MIT Press.
INSIDE THE LIBRARY OF BABEL: THE STORM WORM
Paul Graham [a well-known programmer] thehad speculated that “the spam of the future,” designed to better beat filters, would take the form of squibs of text and a single link: “Hey there. Thought you should check out the following: http:// www.27meg.com/foo.” It looks innocuous enough, but there was an unforeseen element that could be added to this mix, particularly after September 11, 2001, and similar shocks: news, or the promise of news. Messages in a new spam vernacular began to arrive, promising dreadful events and scandal, from celebrity gossip (“Justin Timberlake Says ‘Britney Shaved Her Head Bald For Me,’” “Will Smith found dead in bathtub”) to the amusingly bizarre (“Bigfoot found, shot down in cold blood”) or the politically startling (“Chinese missile shot down USA aircraft”). The subject line promised much, with brief body text (“A hunter claims he saw the legendary beast known as Bigfoot”) and a link to the story. The link directed to a web page or a download, the point of malware infection, just as the purported file sent by the coworker did in the Mydoom instance. Such a message is classified as a self-propagation spam campaign in the language of the antispam community—spam to add more machines to a network. In early 2007, the self-propagation message that dominated the field was “230 dead as storm batters Europe”: the vehicle for the eponymous Storm Worm.
Storm spread swiftly, but more worrisome and fascinating than its speed was the technical muscle behind the scenes, visible to those antis- pam groups and security companies that watched the bot world. It began simply, albeit at a higher level than the primitive second-person botmaster discussed previously. That storm-warning spam message linked to a worm that installed both a downloader and a peer-to-peer client on each infected computer. The conventional, contemporary network for distributing information online is made of client and server machines—for the basic botmaster example, the infected computers in your botnet are all client machines that download the material you specify from a server, a central machine somewhere. A peer-to-peer system, by contrast, treats all of the computers on the network as peers, which are capable of being clients and servers simultaneously, both requesting and providing information from and to other peers. Any one of the infected computers with a complete message could route it to the others, passing data along one to the next over their diverse connections. Bots communicating among themselves as peers meant that any changes the botmaster sent out—new C&C [command and control] instructions, packages of code for new functionality, spam text and address databases—could propagate out through the network with less work and traceable exposure on the part of the botmasters. The machines circulate it, one to another, on their own. The botmasters could drop new material in a few select places, like ink in a pool or a rumor in a crowd, and watch it diffuse.
Within months, this already fairly sophisticated system was broken into two networks: one managing package distribution and the other C&C, with bots passing along regularly updated directions to keep the programmers in control and the lines of communication open. Storm’s authors had built a dream of decentralized and outsourced production, turning spam into the financial backer and infection vector for a global workhorse made of other people’s capacity. Researchers found that Storm acted as a vast spam factory drawing on the botnet’s resources. It had “a work queue model for distributing load across the botnet, a modular campaign framework, a template language for introducing per-message polymorphism, delivery feedback for target list pruning, per-bot address harvesting for acquiring new targets, and special test campaigns and email accounts used to validate that new spam templates can bypass filters.”
In other words, the work queue kept the workload of sending spam, among other projects, evenly spread across the many thousands of infected computers, ensuring that few were underutilized. Different spam campaigns could be paced in their distribution by the botnet. In the primitive example in the previous section, the botmaster could distribute only one campaign at a time to all of his bots and would have to cancel it to start another one, whereas the Storm system could simultaneously run several different profitable campaigns alongside the all-important malware self- propagation spamming.
Individual bots could produce one unique message after another—that’s the “polymorphism”—to beat filters with a tide of minor combinatorial variations, litspam text, and alternate names and subject headings. The bots could report the failed messages and take the addresses, invalid or dead, off the target list of addresses to be used and add new addresses, fresh from infected machines. Evidence was found of testing systems using common third-party email services such as Hotmail and Yahoo! to fine- tune new spam campaigns and get past the basic filters. The bots on this system, given their instructions and material, each sent an average of 152 messages a minute while the notional owners of the infected computers worked on spreadsheets, answered email, played games, or left them on while out of the office. “One such [spam] campaign—focused on perpetuating the botnet itself—spewed email to around 400 million email addresses during a three-week period.” One campaign, it should be remembered, among many: the Storm botnet’s segmentation into different subgroups of computers, with the control of each accessible by a different security key, strongly suggests that part of the business model lies in renting out capacity, piece by piece, for others to use.
Of those 152 messages a minute, only about one in six is successfully delivered, and that delivery is prior to several stages of potential filtering. The work is so inexpensive that rates of success can be far lower than even those of earlier spam systems. For instance, the address harvesting functionality of the segment of the Storm system under research analysis returned almost a million email addresses. About half of these were duplicates, and a tenth were not valid email addresses at all, with endings like.gbl, .jpg, .msn, .hitbox, and so on—a sign that the pattern-matching soft- ware looking for the characteristic email address shape (firstname.lastname@example.org) was not very good, and many of the harvested computers contained slightly mangled addresses or things resembling addresses. So many mistakes, and so much duplication of effort, with only one in six messages even making it to the jaws of the mail filtering systems through which only some small percentage will pass: this completely unacceptable level of failures simply does not matter if the means of production and distribution are so powerful and so cheap. At 152 messages a minute from every one of many thousands of computers at no cost to you, the failure of the vast majority of messages at every stage means nothing. This is a post-scarcity manufacturing model of fantastic profligacy, recalling “The Library of Babel” as a study in Borgesian publishing economics. Somewhere in those endless hexagonal rooms of books filled with random letters is “the minutely detailed history of the future, the archangels’ autobiographies . . . the true story of your death,” all generated affordably if the cost of production is zero, or close enough.
A new worm, taking over a new machine, will include an antimalware kit to clean its competitors off, stopping the operation of suspect files and then going through their code for likely passwords and other information to take over other computers on the competitor’s botnet. The suspect programs are usually just lists of known malware files, which create a kind of found poetry of filenames with a functional banality meant to evade the interest of the user looking for malware, or to thumb its nose at them:
W32.Blaster.Worm “msblast.exe,” “tftpd.exe,”
Backdoor.IRC.Cirebot “worm.exe,” “lolx.exe,” “dcomx.exe,” “rpc.exe,”
From the struggles on individual computers to the control of global spam production, Storm did not want for rivals. It shared the upper reaches of the food chain with systems like Kraken (alias Bobax, Bobic, Cotmonger), Cutwail (which may have been responsible—again, certainty in measure- ment is difficult here—for about 29 percent of all spam between April and November of 2009), Nugache, Ozdok (alias Mega-D), Grum, Lethic, Festi, Bagle, Srizbi (alias Exchanger, Cbeplay), Conficker (alias Kido), Rustock, and Wopla. This strange, small population of hundred-handed titans with evocative names is collectively responsible for the vast majority of email spam, all quickly learning from each other and fighting for market share. Their history is defined by rapidity: rapid innovation, just as rapidly copied by the others, as well as rapid increases and declines in capacity as security patches are released and the botnets steal captured machines from each other.
SURVEYING STORM: MAKING SPAM SCIENTIFIC, PART II
Among these competitors, Storm remains the best researched. As a vein of quartz suggests the possibility of gold nearby, so does spam often imply new areas of exploitation and innovation online, drawing in scientists as well as security professionals and curious hackers of all stripes. As with the problem of email corpora for scientific spam filtering, simply fashioning an epistemic object on which experiments can be performed is the difficult first step for scientists encountering the botnet. With the email corpus, the problem was one of privacy. With the botnet, it is that of the gold rush: too many teams and individuals following the same thread of quartz. The tents and campfires multiply, and every stream fills with silt. Storm is notorious in the computer security community and has some major flaws in its architecture: because every compromised computer on the network is a peer when it comes to circulating information, it can tell a lot of others where to listen for instructions, leading them astray, that is, into the labs of interested parties. These factors make it attractive to researchers who want to measure or manipulate it and to saboteurs who want to harm it.
As a botnet, Storm turned compromised computers into a platform for self-propagation, spam campaigns, and ambitious exploits, and it has in turn become a platform on which scientists, security specialists, hackers, and other interested parties launch project after project. (“It is difficult to strike a balance between being a good citizen in the [Storm] network and potentially damaging it through novel research techniques,” as one group put it.) Filtering out the effects of attacks and research projects being performed on the botnet is one of the hardest parts of doing research on Storm. Like the wonderful scene in G. K. Chesterton’s metaphysical detec- tive novel The Man Who Was Thursday when the anarchist conspirators realize that they are all secret police agents attempting to infiltrate the anarchist conspiracy, Storm researchers keep encountering other research- ers and the results of their work in the botnet itself.
A surprising flaw in the Storm system—a bad pseudorandom number generator that produced a recognizable pattern of IDs that were internal to the Storm network itself, rather than the outsiders exploring and tra- versing it—made it possible for scientists to gradually separate out and define a population of other users. This cohort is a population of buggy and broken bots, “vigilante researchers, rival spam gangs,” and other players, all seeking to slow the system down, test it out, and make it impossible for the Storm bots to communicate with the Storm botmasters or interfere with the other onlookers. Rather than the kind of monolithic artificial intelligence dominating the network as imagined by science fiction, such as Wintermute in William Gibson’s Neuromancer, as a total and enclosed apparatus—“Case laughed. ‘Where’s that get you?’ ‘Nowhere,’” the AI replies, “‘Everywhere. I’m the sum total of the works, the whole show’”— we find instead something more like a gold rush boomtown or an Arctic research base, criss-crossed by natives and scientists, crooks and surveyors looking for a cut, sociologists, cops, and broken machines: a gathering place for interested parties. Sometimes the gold is gone but the town remains: “There was a joke at a recent security conference that eventually the Storm network would shrink to a handful of real bots and there would still be an army of rabid researchers fighting with each other to measure whatever was left!”
Of the population of visitors and immigrants to this outpost, built on flows of spam as other communities were made on flows of railroad tracks or grant money, security groups and the agents of the government and the military have become some of the most prominent. “The more wor- rying thing is bandwidth,” said a security analyst of Storm at its likely peak (its peak and its total size being objects of considerable debate). “Just calculate four million times a standard [high-speed Internet connection]. That’s a lot of bandwidth. It’s quite worrying. Having resources like that at their disposal—distributed around the world with a high presence and in a lot of countries—means they can deliver very effective distributed attacks against hosts.” Storm, or its owners, seemed to periodically identify attempts on the part of serious security firms to investigate it and would retaliate with DDoS attacks, like Mydoom’s swamping of SCO, Inc., with requests from its bot computers. Sometimes they could take an investigator’s servers down for days. “As you try to investigate [Storm],” said Josh Corman, the host-protection architect for IBM’s Internet Security Services, “it knows, and it punishes. It fights back.”
The question of jurisdiction raised by these attacks is a very real one: at their largest scale, at the size of Storm and Wopla and Srizbi and Cutwail, botnets have strange relationships with national boundaries and human populations. Bot computers make the botnet grow by sending out self- propagation spam (as well as using more esoteric means like those files Mydoom seeded in file-sharing applications for others to discover). To spread the botnet infections, by spam or other means, the compromised computers need to be on, and online—an obvious fact with a strange implication: spam can be seen to rise and fall, and botnet propagation spike and diminish, as the earth rotates. The terminator, the line that separates day from night, is part of the circadian clock of large botnets, a diurnal rise and fall in total capacity and rates of potential infection. The infrastructure of the botnet apparatus also changes, more slowly, with shifts in global Internet access. The next great botnet resource, many agree, is the African continent, home to about 100 million PCs, of which an estimated 80 percent are compromised or infected with some kind of malware. Most of the boxes are running pirated operating systems (and therefore may not receive security updates and patches) and their owners can’t afford antivirus software (a standard Windows installation license can be laughably expen- sive relative to local salaries), both of which make them significantly more vulnerable. Most of the Internet access has been telephonic dialup—which is to say, fairly useless for a botmaster—but a great push to connect the continent to the big cables that form the global backbone will bring in a huge population of additional, accidental victims for the cloud.
Finally, the success of spam and self-propagation messages, as well as many particular aspects of the exploits that worms perform, depend on languages. That malware download pitch promising a news story would not get much traction with a user who reads only Mandarin Chinese, Russian, or Hindi, and the installation process by which the worm takes control might rely on code in the language-specific version of an operating system. Different botnets therefore have different demographic dynamics: the perspective of the botnet sees national boundaries as relevant only insofar as different economies and infrastructures affect the number of computers online. Botnets operate in vast regions whose edges are language, software, and time zone rather than borders.The jurisdictional issues are beyond complicated. A botnet apparatus, setting aside the global population of infected computers, might be using many hosting services under many identities in many different countries, all hooked up into an inter- dependent system. It is here, at the farthest perspective and the broadest spatial scale, where the borderlines have almost evaporated and Pitcairn Island is one minute node among many in the botnet’s architecture, that the transition from tool to weapon appears: the boundaries are violently reasserted, and nations and their armies get into the business of spam and its consequences.
THE OVERLOAD: MILITARIZING SPAM
“Hackers often use botnets to generate spam, but their real strength lies in their ability to generate massive amounts of Internet traffic and direct it against a small number of targets,” explains Col. Charles W. Williamson III in his profoundly strange article “Carpet bombing in cyberspace.”
Email spam, despite being instrumental to the propagation and finances of botnets, has stopped being their reason for existence—despite the fact that they now produce almost all of it. In many ways, it has become the most boring part of their operation: 120 billion messages a day surging in a gray tide of text around the world, trickling through the filters, as dull as smog. It is still what they do, but the technical excitement is elsewhere now, as are the fascination and the panic. It is in the prospect of DDoS attacks—massive exploits that can temporarily kill the networks of companies and countries—and in enormous amounts of computing power available for cracking codes and finding passwords, as well as in a new market for accidental intelligence data. Spamming, though remaining largely unchanged, has become a minor and incidental part of the system——a technique disappearing into ubiquity rather than obsolescence, having been reinvented as part of a new language of threat.
In April 2007, the Estonian government provoked an international incident by removing a bronze statue of a Soviet soldier from the center of Tallinn. That statue was an object with several voices: the product of multiple histories and an intersection of numerous timelines, identities, and archives. Like the Enola Gay, it meant very different things to different people, and the delegations and cohorts gathered there did not agree at all. For both Russian nationals and the ethnic Russians in Estonia (who constitute a quarter of the country’s population), the 1947 statue—which was (or was not) erected over the graves of fourteen (depending on who counts) Soviet soldiers—stands for those who fell in the fight against Nazi Germany. For Estonians, it symbolizes the soldiers who took Estonia back from the Nazis and then did not leave, occupying the country until 1991. The statue had become a point of continuous friction between the ethnic Russian minority and Estonian nationalists and police, and the removal of the statue took place in a scrum of rioting, rubber bullets, hurled stones and bottles, and television coverage.
Almost immediately thereafter, Estonia’s network traffic started to surge. The servers for several major Estonian institutions, including government ministries, banks, and newspapers, were hit with massive spikes in activity, enough to eat up their bandwidth and repeatedly take them offline. The Estonian newspaper Postimees was swamped with comment spam and millions of page requests from countries such as Egypt, Vietnam, and Peru (that is, countries unlikely to have a major interest in Estonian affairs). Official government sites were hacked and redecorated with anti-Estonian visuals and rhetoric or simply driven offline by repeated bursts of traffic. Many of the country’s official organs were unable to get the word out about events within their borders, and in a country as small and Internet- driven as Estonia, where 90 percent of the banking transactions are handled online, the loss of official web services was invasive and distressing. By mid-May, the Active Threat Level Analysis System (ATLAS), a datagathering tool run by the security firm Arbor Networks, provided a partial picture of the events: 128 distinct DDoS attacks over two weeks against a handful of crucial Estonian sites. “Someone is very, very deliberate in putting the hurt on Estonia.”
The Estonian DDoS attacks provide a deeply unsettling perspective on the vulnerabilities of web services, particularly for small countries—and Estonia is thoroughly wired, and one of the countries most reliant on Internet connectivity for the daily lives of its citizens—as well as on the state of post-Soviet diplomatic relationships and the new forms of subwar harassment that countries can exert on each other. Those facts aside, this string of events immediately became an argument in which botnets and spam were fashioned into objects of geopolitical, military concern and “cyberwar” hype: they became attention-grabbing sources of rhetoric.
Where there is one malware infection, there is almost always more than one, and conflict and competition between them, and so it seems to be with the narratives told by different constituencies during technological dramas. Where there’s one story, there are many, and they do not fit con- veniently together. From the network security perspective, the DDoS attacks, related exploits, and floods of spam against Estonian sites were a serious matter, particularly for a small country with relatively low bandwidth capacity to absorb them, but they were also entirely familiar and could be handled with technical aplomb after the first rush of panic.
Estonian and international security services could track the traffic, block the clusters of Internet addresses responsible for most of it, work closely with service providers, and engage in other defensive measures to mitigate the effects. Rapid response and knowledgeable security managers and system administrators, in the case of Estonia—as in many similar attacks on diverse companies and countries—could undercut a sustained attack.
From the perspective of official governmental statements, though, the April and May attacks were a very different matter, constituting a “cyber- war” attack or one example among several of a “digital Pearl Harbor.”
Or a digital Hiroshima: “When I look at a nuclear explosion and the explosion that happened in our country in May, I see the same thing,” said Ene Ergma, president of the Riigikogu (Estonian Parliament). We are abruptly in a whole different class of metaphors: “Like nuclear radiation,” she continues, “cyberwar doesn’t make you bleed, but it can destroy every- thing.” This obscene analogy, comparing a series of infrastructural slow- downs and panics produced by DDoS attacks with the mass death and devastation of a nuclear weapon, epitomizes the process by which spam, and its technical transition into the botnet, was adopted into political and military narratives. Estonia is a NATO country, and there was consideration of invoking Article 5, which mobilizes all NATO members against an aggressor who has attacked one of the member countries, thereby initiating the first war in which spam played a major role. The Estonian attack precipitated the creation of a NATO Cooperative Cyber Defense Center of Excellence in Tallinn. During the attacks, “NATO dispatched two observers to Estonia and the Americans sent another in order to ‘observe the onslaught.’” Col. Williamson, advocating the construction of a U.S. military botnet, asks: “Can the U.S. reasonably believe that other nations have not learned from the DDOS attacks on . . . Estonia in 2007?” We have seen the processes scientists go through to turn email spam and botnets into the kinds of epistemic objects they need for their research; in these remarks, we can see the process by which the botnet becomes a militarized object—a matter available for strategic analysis, countermeasures, and deterrence.
In the military language of botnets at war, spam is a sinister process of mobilization, as infections spread and botnet capacity is built. Even as that rhetorical turn is underway, however, the place of spam in the public perception of the network has changed. Complaint and survey data in the United Kingdom and the United States suggests that after the millennium, even as spam was beginning one in a series of massive growth spurts, users became more tolerant of spam as an insignificant matter, increasingly regarding it more as a nuisance and less as a threat: just something to be filtered, coped with, deleted, and ignored. From the perspective of the vast statistical majority of users, spam does not even really seem like a crime, much less a cybercrime. We expect cybercrime to be big, dramatic, and exciting—the prosecutor keeping hacker Kevin Mitnick in solitary because (so the cybercrime fantasy went) with a moment’s access to a telephone he could whistle the secret launch tones that would start a nuclear war—not the quotidian trickle of fake bank notices, hilariously maladroit scams, and ads for porn and pills. And it is a trickle, for many, with the apogee of sophisticated techniques applied to big data by service providers creating truly effective filtering systems such as those Gmail uses. (As I was writing this book, I often got into conversations with people who would mention that from their perspective, spam seemed to have “gone away,” by and large, or become negligible as a part of daily life.) Spam was starting to seem more like an irritant, a kind of mild chronic problem that had ceased to be of much significance and become an operational inevitability, a cost of doing business for the individual user—and a business in itself for the security provider.
The alliance of spam and malware that produced the botnet architecture also produced a new business for security professionals. “‘Antispam is a big business now,’” Jessica Johnston quotes a researcher as saying, “‘something that the large corporate customers are prepared to pay for . . . The early antispam products were always free or relatively cheap.’”1 In those same early days, spam was still seen as a social problem and possibly a legitimate marketing opportunity. Now it has been recast as a far more consequential and problematic object, wedded to the enormous exploit-enabling machinery of the botnet, a matter of concern for the big-ticket culture of enterprise security firms. (Airports from Pudong to JFK have ads for products like Barracuda Networks’ “Spam and Virus Firewall”—“Blocks e-mail borne spam and virus intrusions while preventing data loss”—to attract the eyes of business travelers.) It has also become an area of interest for the much bigger-ticket world of the military, just when the civilians were getting used to it and starting to see it as a part of everyday life.
Threat or annoyance, spam in the shadow of the botnet is repeatedly rescripted by enterprise security groups and the military. “‘If the fraudsters destroy e-commerce as we know it . . . it’s going to do us a lot of harm,’” says another researcher. “‘If the fraudsters undermine the banking system, and there is every indication that they’re close to doing that through insecure mirrors and proxies all over the net so you can’t see where it’s coming from, then in all honesty, that does far more harm than knocking down a couple of towers and the like. No lives are lost, but even so, the overall impact is greater.’” The comparison to September 11 recalls Ene Ergma’s exercise in atomic metaphor after the Estonian DDoS attacks. The point is not to question the premise for this comparison—whether the financial damage caused by spam, and the potential cost of a loss of confidence in online banking and ecommerce, exceeds the financial impact of 9/11—but to observe these metaphors in operation.
Even as the number of users who could remember a network on which spam was still something new and startling steadily declines relative to those who have known nothing else, big institutions give it a fresh coat of paint as a threat of very grave consequence. Antispam is no longer the area of the communal hobbyists, activists, and vigilantes gathered on NANAE, or the collective of programmers building better Bayesian filters. It’s now part of Homeland Security, a front in the “cyberwar,” a place for private contractors to overlap with officers from the Air Force Cyber Command, NATO, and the FBI. The DDoS has also made a strange lateral move into protest events, becoming the weapon of choice for online activist groups such as Anonymous. Programs including the grandly named “Low Orbit Ion Cannon” (from a superweapon in the science fiction game Command & Conquer) enable individuals who download it to voluntarily join a botnet. This public-spirited botnet can then be directed to attack sites like those of organizations that were hostile to WikiLeaks and of repressive governments like Syria’s. The values of these technologies, and the narratives in which they can be enlisted, are in constant transformation.
Though the botnets rely on distributed computers, the business of email spamming has become far more centralized. The economies of scale that make spam possible demand volumes of messages that only a major, sophisticated, evasive, and inexpensive infrastructure such as a botnet can provide. The days when hundreds of dubious bit players with some office space, a couple of rented high-bandwidth connections, and a bunch of cheap PCs with off-the-shelf mail marketing software could build a business around stock touting and potency pills are long past. The combination of filters, responsible service providers, legislation, and informed consumers have swept out those small-timers with their pill-financed convertibles, entrepreneurial zeal (recall those offers in Rodona Garst’s IMs: “I now have that mortgage deal, cable boxes, anabolic steroids and Adult If they want to”) and phones ringing with the charivari’s threatening calls. Those left are the cohort, the few hundred groups responsible for more than 80 percent of spam, who have the training and the capacity to leverage the network to generate the hundred billion–plus messages that constitute the daily spam load. Even as their systems spread to encompass the globe and traffic in numbers and amounts difficult to grasp, the group at the core of spam shrinks steadily into one aggressive and bickering extended professional family.
Similarly, the infrastructure that enables their activities has become more centralized. “Our datacenter is situated in top-level modern MarketPost- Tower IT center, San Jose, CA, USA”: so runs the text on a defunct website site belonging to McColo Hosting Solutions. (The site’s bare- bones text lives on at the Internet Archive.) McColo had a reputation among the loose confederation of private- and public-sector security professionals, IT analysts, and cops as a “bulletproof hosting” provider—a term that goes back to the early days of NANAE, referring to an ISP that will not kick clients off regardless of the complaints that they receive and that is thus a haven for spammers. If you paid extra, they would take the flak of complaint and criticism for your activities and even take steps to disguise your existence—allegedly doing this by moving some of their offending clients to different subnets, like publicly firing a problematic employee in one department and quietly hiring them into another. McColo was hosting the servers for the C&C channels, many of the web pages for moving products and malware downloads (rxclub.biz, high-quality-viagra. com, pills24.biz, valium-plus.com, etc.) as well as anonymization and proxy services and payment sites for several major botnets, including Srizbi, Mega-D, Rustock, and Cutwail, along with some other nefarious content. On the November 11, 2008, the two “upstream” providers for McColo— the companies whose backbone Internet connectivity McColo relied on to run its hosting service—cut off their bandwidth after receiving reports on their activities. Global spam activity abruptly and precipitately began to drop by the millions and then billions of messages. At the lowest point, global spam levels declined by roughly 65 percent.
The forces involved in the shutdown of McColo included journalists, security analysts, and the administrators of the major hubs that provided McColo’s connectivity. (Its shutdown left a strange dead zone in the Internet’s address space: the block of addresses allocated to McColo had ended up on enough blacklists for their bad activity to render others leery of taking them over, leaving them as “ghost number blocks,” like a house known for its suicides and shunned by potential tenants.) We can see a similarly mixed population in the Mariposa Working Group, which came together to shut down the Mariposa botnet: an international collection of security specialists working with the FBI and Spain’s Guardia Civil. If the very concept of Internet governance is presently diffuse, so is its enforcement, with loose working groups that overlap jurisdictions and expertise, odd bedfellows in some cases—like the Finnish security specialists, NATO and U.S. observers, and Estonian ISPs brought together by the DDoS attacks on Estonia in 2007—that form in relation to the diffusion of the problem.
Though we seem to have come a very long way from Peter Bos’s message of conscience to the terminals supported by MIT, this history can also be read as a kind of interregnum, a transit from one period of overt control by systems administrators to another. The sysadmins of the early years of the network, Gandalfian figures maintaining order in their domains according to their lights, have become what Alan Liu terms “a priesthood of backend and middleware coders” as well as a small expert elite of security analysts, state agents, and ISPs. Users can take refuge within the relatively spam-free zones that the developers build, such as Gmail and Facebook, with robust filtering and community management, paying with advertising and their personal information and user activity—with their quantifiable attention.
Imagine another industry that could drop in production by more than half overnight with a single industrial action or largely vanish if a few hundred people were imprisoned. Conventional email spamming has long since passed a peak of easy money and is well into the hard grind of optimization and efficiency, trying to extract the maximum value from the network in a dense matrix of constraints. Spam levels rebounded over the weeks after the McColo shutdown, as the botmasters found new ISPs willing to work with them and host their systems and moved the bots over to the new command channels, but the revelation of just how small the industry had become was clear. The conventional spam with a heritage running alongside that of email and the rise of the web had become the world’s most efficiently concentrated business. Spam’s history of labor- saving solutions, like Canter and Siegel’s Usenet-spamming script and the early pattern-seeking address harvesters looking for “email@example.com,” which leveraged the automated accumulation of many small effects over a vast public infrastructure, has made it possible for group of people about the size of a very small town to affect part of the daily lives of the planet’s entire computer-using population.
Our history began with networking computers together and then con- necting up the networks for the sake of efficiency and resource sharing and remote access. Our story ends with a small group of criminal spam- mers with remarkable talent and vision, stitching networks of malware-infected personal computers around the world together into globally distributed machines devoted to sending spam—and to other, more sinister tasks—for efficiency, resource sharing, and remote access. This is a chapter in the shadow history of the Internet. It is in some ways akin to the obverses of globalization, with the construction of covert markets, franchised criminal organizations, and massive supply-and-demand logistics for operations such as drug smuggling, counterfeiting, and human trafficking that parallel, parasitize, or undergird those of conventional globalized operations. Cloud computing is an immensely popular model in contemporary business: order up some given amount of computing power from Amazon’s services or a company such as Rackspace, set up an instance of an operating system, and from your laptop control processing power and bandwidth that would have been inconceivable to any backbone-administering baron of the Usenet years—with the cloud computing provider handling the software maintenance and the security of the server racks being cooled in an anonymous facility somewhere. However, if you run a different kind of business, you could set up a deal with the Conficker botnet at its peak, with access to millions of computer systems distributed across 230 top-level domain names (that is, scattered across many countries and hosts), order the amount of bandwidth you need and the appropriate operating system, and start running spam campaigns, DDoS attacks, data harvesting, or password cracking, as you wish. (Security researcher Robert Hansen has made the point that this activity can change the dynamics of corporate and state espionage: don’t start with trying to infil- trate a company or a government, but instead give a botmaster a list of the Internet addresses or machines you’re interested in, and if they’ve already got them on the network, you can simply buy in directly, and start exfiltrating information.)
This is one form of the end of spam: its subsumption into criminal practices and systems of far greater power, profit, and complexity—indeed, nothing less than the construction of a criminal infrastructure—as a mere source of funding, that is, one of a suite of services and part of standard operating procedure. It also implies the possibility of another end of spam, though, one that many people desire and that events like the McColo shutdown emphasize. The stitched-together networks of machines that constitute the botnet, the whole spam apparatus, are unexpectedly fragile. They reflect the same tension between distributed and centralized that plagues cloud computing as a whole. A few pivotal arrests—or threats of arrests, as in the case of Rustock botnet, whose controllers apparently abandoned it under increasing legal pressure—and the volume of email spam plummets by billions of messages per hour, though it quickly climbs back up as newcomers enter the business. A remarkably small number of registrars handle the bulk of the registration of domain names for spam sites; the same is true for hosting and other Internet services... Though it can be relatively easy for groups as sophisticated as contemporary botnet administrators to switch providers, it is still time-consuming—and the production of a climate of reasonable fear among service providers who might otherwise be tempted to take some spam business could make the work of migration much more difficult.
The financial infrastructure behind the consolidated botnets is similarly brittle. One group of researchers found that 95 percent of “spam-advertised pharmaceutical, replica, and software products are monetized using mer- chant services from just a handful of banks.” A “handful,” in this case, meaning three: a Norwegian-owned bank in Latvia called DnB Nord, the Azerbaijani bank Azerigazbank, and the St. Kitts-Nevis-Anguilla National Bank in the Federation of Saint Kitts and Nevis, in the West Indies. (Since the start of this research into the banking system, spammers—nothing if not adaptable—have migrated away from Azerigazbank to two other Azerbaijani institutions.) As the researchers point out, finding payment processors willing to do business with spammers is not a trivial matter, and there aren’t that many of them. They propose a powerful demonetization strategy: a swiftly updated financial blacklist of institutions for which Western banks will refuse to settle a small subset of transactions. The money in spam, aside from phishing, 419-type scams, and businesses spun off from excess botnet capacity, comes from Westerners paying with their credit cards online for a very narrow range of products (pills, fake watches, cracked software, and the like). If you can bracket out card-not-present transactions for that set of products, identifiable by their Merchant Category Codes, to that small collection of banks, you could essentially halt the circulation of a large portion of the funds that keep email spam in business. Asking issuing banks in the United States not to honor certain The financial infrastructure behind the consolidated botnets is similarly brittle. One group of researchers found that 95 percent of “spam-advertised pharmaceutical, replica, and software products are monetized using mer- chant services from just a handful of banks.” A “handful,” in this case, meaning three: a Norwegian-owned bank in Latvia called DnB Nord, the Azerbaijani bank Azerigazbank, and the St. Kitts-Nevis-Anguilla National Bank in the Federation of Saint Kitts and Nevis, in the West Indies. (Since the start of this research into the banking system, spammers—nothing if not adaptable—have migrated away from Azerigazbank to two other Azerbaijani institutions.) As the researchers point out, finding payment processors willing to do business with spammers is not a trivial matter, and there aren’t that many of them. They propose a powerful demonetization strategy: a swiftly updated financial blacklist of institutions for which Western banks will refuse to settle a small subset of transactions. The money in spam, aside from phishing, 419-type scams, and businesses spun off from excess botnet capacity, comes from Westerners paying with their credit cards online for a very narrow range of products (pills, fake watches, cracked software, and the like). If you can bracket out card-not-present transactions for that set of products, identifiable by their Merchant Category Codes, to that small collection of banks, you could essentially halt the circulation of a large portion of the funds that keep email spam in business. Asking issuing banks in the United States not to honor certain transactions may seem a radical step, but it has been done before in rela- tion to some online gambling transactions. (Though the chaotic record of that gambling-regulation project suggests the many layers of law, policy, jurisdiction, and enforcement that such a spam-halting project would confront: struggles with Antigua and disputes with the World Trade Orga- nization (WTO) over trade agreements and “secret” trade settlement con- cessions, the proposal of alternate bills, and the indictment of online poker sites for colluding with payment processors to disguise gambling transac- tions as innocuous purchases of golf gear and jewelry. It would not be simple.) Just as with Rodona Garst and her team, who hopped from one hosting provider to another, spammers are critically dependent on the availability of infrastructural access, which is why they began to build their own. The points of failure for their operation lie there.
A few carefully directed and executed interventions could make an enormous dent in the production of email spam. Filtering and laws did not stop it, by any means, but they have painted it into a developmental corner with severe bottlenecks: an almost totally centralized, consolidated business dependent on colossal volumes of mail to survive. Even assuming such an intervention were to be successful, however, that event would stop only one of the forms that spamming has taken—admittedly, one of the most visible and hardiest. Recall the proliferation of search engine spam and the flood of spam comments in blogs; wiki spam; the subculture of Twitter spambots piggybacking on popular phrases with their untrustworthy links concealed with address-shortening technology; social network spamming inside services, such as "likejacking" in Facebook; line-blurring cases like content farms, link-baiting blog posts and sleazier forms of attention-grabbing viral media: these will not go away, and only a few offer the same obvious (if politically complex) points of failure that email spamming does. (And this list does not even mention forms of spam now being born, including "spam books" and spam in online games.) Spam persists and diversifies because we are living through a major, complex transition in the constitution and management of our own attention, a transition moving faster than our governance, our metaphors, and our software can keep up with. Spammers—the disbarred lawyers, impoverished con artists, would-be pornographers, credit card thieves, and malware coders—are the avant-garde, the wildcatting exploiters of this transition. They find domains where salience is being generated, whether in a comment thread, a search engine result, a social media platform, or your email inbox, and move to commandeer it. They are the crudest and most abject form of this capture, from students pranking each other with the words of a Monty Python sketch to global botnets producing more email than everyone else on earth, every single day. In their crude way, they show the rest of the online population the network’s new capabilities, the new forms of attention and community experience, which we have not yet fully understood.