160 likes | 296 Views
The top 10 spam botnets: New and improved. By Michael P. Kassner. Latest reports have spam accounting for over 95 percent of all email messages. You can thank botnets for most of that. Here’s what we are up against . . Rethink spam statistics.
E N D
The top 10 spam botnets: New and improved By Michael P. Kassner • Latest reports have spam accounting for over 95 percent of all email messages. You can thank botnets for most of that. Here’s what we are up against.
Rethink spam statistics • While doing research for this project, I came across a blog series (first, second, third post) that forced me to rethink. Ranking spam botnets is not as simple as I thought. The blog author, Terry Zink pointed out that there are several measurement philosophies: • The number of bot members. • The amount of bytes sent. • The number of messages sent.
Grand scheme of things In the grand scheme of things, it may not seem important. But, techies like details. Counting the number of bot members or bytes sent is straight forward enough. You would assume that the number of messages would be to. Well, it’s not. Botnets are smart enough to create a spam message but address it to a lot of different recipients. That adds another factor when counting messages.
Confused? Confused, so am I. To make some sense out of it all, I juggled the different attributes (totally unscientifically, of course) and came up with the following list of the best of the breed. The botnets are arranged in order of spam activity, with the most popular name being listed first:
1: Grum (Tedroo) • Grum is the future for spam botnets. It is a kernel-mode rootkit, thus hard to detect. It’s also sneaky, infecting files used by Autorun registries. That guarantees it will be activated. This botnet is of special interest to researchers. The Grum botnet is relatively small, only 600,000 members. Yet, it accounts for almost 25 percent or 40 billion spam-emails a day. • Grum focuses on pharmaceutical spam, you know the kind. There must be money in this, as most spam botnets are involved with it to some degree.
2: Bobax (Kraken/Oderoor/Hacktoo.spammer Bobax confuses botnet hunters, being somewhat related to the Kraken botnet. Recently, Bobax went through a rewrite. The authors converted command and control traffic to HTTP, making it more difficult to block and trace. Right now, Bobax only has 100,000 members, yet it produces 27 billion spam messages a day. That’s 15 percent. Or more impressively, 1400 spam email message per bot per minute. Bobax appears to be a botnet for hire, as the type of spam varies.
3: Pushdo (Cutwail/Pandex) Pushdo has longevity, starting the same time as Storm in 2007. Storm is all but gone. Yet Pushdo is still going strong, sending out approximately 19 billion spam email messages a day from one and a half million bots. Pushdo is the downloader which gains access to the victim computer. It then downloads Cutwail, the spamming software. The Pushdo/Cutwail botnet spews spam with a wide variety of subject matter, including pharmaceuticals, online casinos, phishing schemes, and links to malware-laced Web sites.
Rustock is another survivor. It was almost destroyed when McColo was shuttered in 2008. But, it’s back and currently the largest botnet with almost two million bots. Before McColo, Rustock’s trademark was to generate huge amounts of spam. Then go dormant for several months. Today, Rustock’s signature is to only deliver spam from 3 a.m. to 7 a.m. EST (GM-5) daily. Rustock is also known for forging legitimate email newsletters using image files. That’s because image spam is undetectable by most filtering software. Rustock also does the usual pharmaceutical and Twitter-based spam to the tune of 17 billion spam messages a day. 4: Rustock (Costrat)
5: Bagle (Beagle/Mitglieder/Lodeight) Bagle is an interesting botnet because of its industrious author. Since 2004, it has gone through hundreds of iterations. Two years ago, the developer decided to start making money, using Bagle to cultivate and sell email address databases. Now, Bagle bots act as relay proxies, forwarding spam email messages to their final destination. Bagle has at most 500,000 bots, still it moves 14 billion pieces of spam each day.
6: Mega-D (Ozdok) Mega-D is famous or infamous, depending on your point of view. In November of 2009, researchers at FireEye were able to shut the botnet down, by registering the botnet’s command and control domains ahead of the botmasters. Still, the malware is programmed to constantly generate new domains, allowing the botmasters to eventually regain control. Of the top 10 botnets, Mega-D is the smallest, consisting of 50,000 members. That’s not very many, considering it pushes out 11 billion pieces of spam daily. That’s second only to Bobax, when considering spam per bot per minute. Mega-D’s spam consists of advertisements for an on-line pharmacy and of course male-enhancement drugs.
7: Maazben Maazben has only been around since June of 2009. Yet, it’s of special interest to researchers. Maazben is the first botnet that can use either proxy-based or template-based bots. Spammers prefer proxy-based bots because the spam source remains hidden. But, proxy-based bots do not work if the infected computer is behind a NAT device. The new technique must be working. Maazben is the fastest-growing botnet of the top 10. increasing membership five percent in one month. With 300,000 bots Maazben spreads two and a half billion casino-related spam messages per day.
8: Xarvester (Rlsloup/Pixoliz) Xarvester came into the picture after the McColo shutdown. Researchers feel the Xarvester botnet picked up a few customers from the closure. Researchers also see many similarities between Xarvester and the infamous Srizbi botnet, one of the botnets affected by the closing of the McColo data center. Currently, the Xarvester botnet contains 60,000 members, sending out approximately two and a half billion spam messages a day. The email messages could contain spam for pharmaceuticals, fake diplomas, replica watches, and Russian-specific spam.
9: Donbot (Buzus) The Donbot botnet is unique. It is one of the first botnets to use URL shortening, in an attempt to hide malicious links in the spam email. The thought is to increase the likelihood of someone clicking on the link. Donbot also seems to be divided into multiple individually-run networks, each one pushing different types of spam. Donbot has 100,000 members and sends out about 800 million spam emails a day. Spam content varies from weight loss drugs to stock pump-and-dump, and debt settlement offers.
10: Gheg (Tofsee/Mondera Three things stand out about the number 10 botnet. First, almost 85 percent of the spam from it originates in South Korea. Second, Gheg is one of the few botnets that encrypt traffic from the command and control servers using a non-standard SSL connection on port 443. Third, Gheg has options in how it sends spam email. It is capable of acting as a conventional proxy spambot. Or it can route spam messages through the victim's Internet provider’s mail server. Gheg has 60,000 member and pushes out about 400 million spam emails daily, concentrating on pharmaceutical spam.
Grand total • Daren Lewis of Symantec keeps tabs on many of the botnets for MessageLabs and has come up with some startling numbers. Here are the overall statistics: • 80 percent of all spam is sent by these 10 botnets. • The above 10 botnets send 135 billion spam messages a day. • Five million computers belong to the 10 botnets. • The statistics are probably worse now, as I do not see any reduction in any of the spam filtering houses.
Final thoughts Well, there you have it. I wouldn’t get rid of spam filtering devices or services just yet. I keep close tabs on anti-spam research and sadly do not see any solutions in the near future.