Latest reports have spam accounting for more than 95 percent of all email messages. You can thank botnets for most of that. Here’s what we’re up against.
While doing research for this project, I came across a blog series (first, second, third post) that forced me to rethink. Ranking spam botnets is not as simple as I thought. The blog author, Terry Zink, pointed out that there are several measurement philosophies:
- The number of bot members
- The number of bytes sent
- The number of messages sent
In the grand scheme of things, it may not seem important. But techies like details. Counting the number of bot members or bytes sent is straightforward enough. You would assume that the number of messages would be, too.
Well, it’s not. Botnets are smart enough to create a spam message but address it to a lot of different recipients. That adds another factor when counting messages.
Confused? So am I. To make some sense out of it all, I juggled the different attributes (totally unscientifically, of course) and came up with the following list of the best of the breed. The botnets are arranged in order of spam activity, with the most popular name being listed first:
Note: This article is also available as a download that includes a PDF version and a PowerPoint presentation.
1: Grum (Tedroo)
Grum is the future for spam botnets. It’s a kernel-mode rootkit and thus hard to detect. It’s also sneaky, infecting files used by Autorun registries. That guarantees it will be activated. This botnet is of special interest to researchers. It’s relatively small, only 600,000 members. Yet it accounts for almost 25 percent, or 40 billion spam-emails a day.
Grum focuses on pharmaceutical spam. You know the kind. There must be money in this, as most spam botnets are involved with it to some degree.
2: Bobax (Kraken/Oderoor/Hacktool.spammer)
Bobax confuses botnet hunters, being somewhat related to the Kraken botnet. Recently, Bobax went through a rewrite. The authors converted command and control traffic to HTTP, making it more difficult to block and trace.
Right now, Bobax has only 100,000 members, yet it produces 27 billion spam messages a day. That’s 15 percent. Or more impressively, 1,400 spam email messages per bot per minute. Bobax appears to be a botnet for hire, as the type of spam varies.
3: Pushdo (Cutwail/Pandex)
Pushdo started at the same time as Storm, in 2007. Storm is all but gone. But Pushdo is still going strong, sending out approximately 19 billion spam email messages a day from one and a half million bots. Pushdo is the downloader, which gains access to the victim computer. It then downloads Cutwail, the spamming software.
The Pushdo/Cutwail botnet spews spam with a wide variety of subject matter, including pharmaceuticals, online casinos, phishing schemes, and links to malware-laced Web sites.
4: Rustock (Costrat)
Rustock is another survivor. It was almost destroyed when McColo was shuttered in 2008. But it’s back and currently the largest botnet, with almost two million bots. Before McColo, Rustock’s trademark was to generate huge amounts of spam, then go dormant for several months. Today, Rustock’s signature is to deliver spam only from 3 a.m. to 7 a.m. EST (GM-5) daily.
Rustock is also known for forging legitimate email newsletters using image files. Image spam is undetectable by most filtering software. In addition, Rustock does the usual pharmaceutical and Twitter-based spam to the tune of 17 billion spam messages a day.
5: Bagle (Beagle/Mitglieder/Lodeight)
Bagle is an interesting botnet because of its industrious author. Since 2004, it has gone through hundreds of iterations. Two years ago, the developer decided to start making money, using Bagle to cultivate and sell email address databases.
Now, Bagle bots act as relay proxies, forwarding spam email messages to their final destination. Bagle has at most 500,000 bots, but it still moves 14 billion pieces of spam each day.
6: Mega-D (Ozdok)
Mega-D is famous — or infamous, depending on your point of view. In November 2009, researchers at FireEye were able to shut the botnet down by registering its command and control domains ahead of the botmasters. But the malware is programmed to constantly generate new domains, allowing the botmasters to eventually regain control.
Of the top 10 botnets, Mega-D is the smallest, consisting of 50,000 members. That’s not very many, considering it pushes out 11 billion pieces of spam daily. It’s second only to Bobax, when considering spam per bot per minute. Mega-D’s spam consists of advertisements for an online pharmacy and, of course, male-enhancement drugs.
Maazben has been around only since June 2009. Yet it’s of special interest to researchers. Maazben is the first botnet that can use either proxy-based or template-based bots. Spammers prefer proxy-based bots because the spam source remains hidden. But proxy-based bots don’t work if the infected computer is behind a NAT device.
The new technique must be working. Maazben is the fastest-growing botnet of the top 10, increasing membership five percent in one month. With 300,000 bots, Maazben spreads two and a half billion casino-related spam messages per day.
8: Xarvester (Rlsloup/Pixoliz)
Xarvester came into the picture after the McColo shutdown. Researchers feel the Xarvester botnet picked up a few customers from the closure. Researchers also see many similarities between Xarvester and the infamous Srizbi botnet, one of the botnets affected by the closing of the McColo data center.
Currently, the Xarvester botnet contains 60,000 members, sending out approximately two and a half billion spam messages a day. The email messages could contain spam for pharmaceuticals, fake diplomas, replica watches, and Russian-specific spam.
9: Donbot (Buzus)
The Donbot botnet is unique. It is one of the first botnets to use URL shortening, in an attempt to hide malicious links in the spam email. The thought is to increase the likelihood of someone clicking on the link. Donbot also seems to be divided into multiple individually run networks, each one pushing different types of spam.
Donbot has 100,000 members and sends out about 800 million spam emails a day. Spam content varies from weight loss drugs to stock pump-and-dump to debt settlement offers.
10: Gheg (Tofsee/Mondera)
Three things stand out about the number 10 botnet. First, almost 85 percent of the spam from it originates in South Korea. Second, Gheg is one of the few botnets that encrypt traffic from the command and control servers using a nonstandard SSL connection on port 443.
Third, Gheg has options in how it sends spam email. It can act as a conventional proxy spambot. Or it can route spam messages through the victim’s Internet provider’s mail server. Gheg has 60,000 members and pushes out about 400 million spam emails daily, concentrating on pharmaceutical spam.
Daren Lewis of Symantec keeps tabs on many of the botnets for MessageLabs and has come up with some startling numbers. Here are the overall statistics:
- 80 percent of all spam is sent by these 10 botnets.
- These 10 botnets send 135 billion spam messages a day.
- Five million computers belong to the 10 botnets.
The statistics are probably worse now, as I do not see any reduction in any of the spam filtering houses.
Well, there you have it. I wouldn’t get rid of spam filtering devices or services just yet. To make matters worse, I keep close tabs on anti-spam research and do not see any solutions in the near future.
[UPDATE]: I just received an email from MessageLabs. The research arm of Symantec released the February 2010 Intelligence Report, and it’s full of valuable information. I thought it would be a good idea to share the link and mention some of the highlights.
The paper pointed out that Grum and Rustock are the current heavyweights, accounting for 32 percent of all spam delivered. The following figure (courtesy of MessageLabs) shows the output from the 10 most active spam-sending botnets. That’s a lot of green (Rustock) and purple (Grum).
Two additional notable statistics:
- The number of spam email messages containing attachments has dropped to less than one percent.
- The size of spam email messages has also dropped considerably. Spammers are taking advantage of image spam with hidden links.
MessageLabs mentions that both changes reduce the file size of the spam email, allowing the botnets to send more spam messages per minute.