20 March 2008 - 12:26
85 Percent Of Spam Traced Back To Only 6 Botnets!

Marshal's Threat Research & Content Engineering (TRACE) team is a group of security analysts who continuously monitor and block online threats. According to its researchers, approximately 85 percent of all spam email is generated by just six botnets, among them Mega-D.
Srizbi was the largest single source in February, responsible for 39 percent of spam; it took over from the previously dominant Mega-D, which its operators took offline for about 10 days that month. Rustock was second with roughly 21 percent, followed by Mega-D at 9 percent. The remaining members of the top six are Hacktool.spammer with 8 percent, Pushdo with 6 percent and Storm with 2 percent.
Glen Meyers, a sales engineer for Marshal, said: “We can’t tell who owns these botnets, but Mega-D, the number one source in January, went quiet for 10 days in February, and the others ramped up, advertising some of the same products.” Most of the spam sent by the Rustock, Srizbi and Mega-D botnets promotes male enhancement drugs such as Viagra and herbal remedies, so one possibility is that the same people are behind all three.
Meyers offers another possibility: “The advertiser is told by the botnet operator that he’s shutting down and looks for an alternate source. We can’t know that from looking at the spam.” He adds that while the researchers can see that the spam is coming from a new source, they cannot tell whether it is being controlled by the same advertisers or the same spammers. Either way, “it appears the botnet operators are actually competing with each other,” according to Meyers.
The Storm botnet comprises approximately 85,000 zombie computers and was the main source of spam last year, yet it now accounts for only 2 percent of all spam. Meyers believes the Mega-D operators shut down their botnet out of fear of the publicity it had attracted: “It’s been around for more than a year, and when we announced in January that it was the number one botnet, it spooked them and they took things offline.”
Mega-D re-emerged in late February and was generating 21 percent of all spam. At its January peak it was responsible for a third of all spam. Srizbi quickly overtook it, using celebrity names in its spam campaigns to lure unsuspecting users. Researchers at the security vendor Sophos have noted the re-emergence of the Pushdo botnet, which was popular with spammers in late 2007.
According to Richard Wang, manager of Sophos’ US labs, new Pushdo variants appeared on a weekly basis during the summer of 2007, but the botnet’s activity subsided during the first months of 2008. “We haven’t seen much activity from Pushdo for a few weeks,” Wang said; his team has, however, recently observed a very large volume of spam generated by a new Pushdo variant.
Pushdo’s authors change its code frequently to slip past the perimeter defenses many organizations rely on. Rather than writing itself to disk, the malware delivered by the spam typically arrives as an encrypted payload that is decrypted and run only in the infected computer’s memory, leaving no file on disk for file-based scanners to find. Wang said it is difficult to tell whether Pushdo is the work of a group or a single individual.
Tags: Statistics, Spam