Top 10 botnets
1: Grum (Tedroo)
Grum is the future for spam botnets. It’s a kernel-mode rootkit and thus hard to detect. It’s also sneaky, infecting files used by Autorun registries, which guarantees it will be activated. This botnet is of special interest to researchers. It’s relatively small, with only 600,000 members, yet it accounts for almost 25 percent of all spam, or 40 billion spam emails a day.
Grum focuses on pharmaceutical spam. You know the kind. There must be money in it, as most spam botnets are involved with it to some degree.
2: Bobax (Kraken/Oderoor/Hacktool.spammer)
Bobax confuses botnet hunters, being somewhat related to the Kraken botnet. Recently, Bobax went through a rewrite. The authors converted command and control traffic to HTTP, making it more difficult to block and trace.
Right now, Bobax has only 100,000 members, yet it produces 27 billion spam messages a day. That’s 15 percent. Or, more impressively, 1,400 spam email messages per bot per minute. Bobax appears to be a botnet for hire, as the type of spam varies.
3: Pushdo (Cutwail/Pandex)
Pushdo started at the same time as Storm, in 2007. Storm is all but gone, but Pushdo is still going strong, sending out approximately 19 billion spam email messages a day from one and a half million bots. Pushdo is the downloader, which gains access to the victim computer. It then downloads Cutwail, the spamming software.
The Pushdo/Cutwail botnet spews spam with a wide variety of subject matter, including pharmaceuticals, online casinos, phishing schemes, and links to malware-laced Web sites.
4: Rustock (Costrat)
Rustock is another survivor. It was almost destroyed when McColo was shuttered in 2008, but it’s back and currently the largest botnet, with almost two million bots. Before McColo, Rustock’s trademark was to generate huge amounts of spam, then go dormant for several months. Today, Rustock’s signature is to deliver spam only from 3 a.m. to 7 a.m. EST (GMT-5) daily.
Rustock is also known for forging legitimate email newsletters using image files. Image spam is undetectable by most filtering software. In addition, Rustock does the usual pharmaceutical and Twitter-based spam, to the tune of 17 billion spam messages a day.
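The fixed 3 a.m. to 7 a.m. EST delivery window described above is something a defender can look for in outbound mail telemetry. The following script is an added example, not code from the original article: it reads a constructed perimeter log of outbound SMTP connections (the log format, host names and addresses are all made up here), converts each timestamp to the article’s GMT-5 offset, and flags internal hosts whose direct port-25 activity falls entirely inside that window.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed offset, as the article states EST (GMT-5); DST is deliberately ignored here.
EST = timezone(timedelta(hours=-5))
WINDOW_START, WINDOW_END = 3, 7  # 03:00-07:00 EST, the delivery window the article attributes to Rustock

# Constructed sample of outbound SMTP connection records from a perimeter firewall.
# Format (hypothetical): "<ISO-8601 UTC timestamp> <internal host> -> <destination>:25"
SAMPLE_LOG = """\
2010-03-01T08:05:12Z host-a -> 203.0.113.10:25
2010-03-01T09:41:03Z host-a -> 198.51.100.7:25
2010-03-01T10:17:55Z host-a -> 203.0.113.22:25
2010-03-01T11:58:40Z host-a -> 192.0.2.33:25
2010-03-01T08:30:00Z host-b -> 203.0.113.10:25
2010-03-01T15:12:09Z host-b -> 198.51.100.7:25
2010-03-01T20:45:31Z host-b -> 203.0.113.22:25
2010-03-01T13:00:00Z host-c -> 192.0.2.33:25
"""


def parse_log(text):
    """Parse the constructed log format into (host, timezone-aware UTC datetime) pairs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, _arrow, _dest = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((host, when))
    return records


def in_rustock_window(when_utc):
    """True if the UTC timestamp falls inside 03:00-07:00 at the GMT-5 offset."""
    hour = when_utc.astimezone(EST).hour
    return WINDOW_START <= hour < WINDOW_END


def window_confined_hosts(records, min_events=3):
    """Return {host: (in_window, total)} for hosts with at least min_events
    outbound SMTP connections, all of them inside the window."""
    totals, hits = defaultdict(int), defaultdict(int)
    for host, when in records:
        totals[host] += 1
        if in_rustock_window(when):
            hits[host] += 1
    return {h: (hits[h], totals[h]) for h in totals
            if totals[h] >= min_events and hits[h] == totals[h]}


if __name__ == "__main__":
    for host, (hit, total) in window_confined_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {hit}/{total} outbound SMTP connections inside 03:00-07:00 EST")
```

A host such as host-b, which only happens to touch the window, is not flagged; over real data you would accumulate the counts across several days and treat a workstation talking directly to external port 25 at all as its own signal.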
5: Bagle (Beagle/Mitglieder/Lodeight)
Bagle is an interesting botnet because of its industrious author. Since 2004, it has gone through hundreds of iterations. Two years ago, the developer decided to start making money, using Bagle to cultivate and sell email address databases.
Now, Bagle bots act as relay proxies, forwarding spam email messages to their final destination. Bagle has at most 500,000 bots, but it still moves 14 billion pieces of spam each day.
6: Mega-D (Ozdok)
Mega-D is famous — or infamous, depending on your point of view. In November 2009, researchers at FireEye were able to shut the botnet down by registering its command and control domains ahead of the botmasters. But the malware is programmed to constantly generate new domains, allowing the botmasters to eventually regain control.
Of the top 10 botnets, Mega-D is the smallest, consisting of 50,000 members. That’s not very many, considering it pushes out 11 billion pieces of spam daily. It’s second only to Bobax when considering spam per bot per minute. Mega-D’s spam consists of advertisements for an online pharmacy and, of course, male-enhancement drugs.
7: Maazben
Maazben has been around only since June 2009. Yet it’s of special interest to researchers. Maazben is the first botnet that can use either proxy-based or template-based bots. Spammers prefer proxy-based bots because the spam source remains hidden. But proxy-based bots don’t work if the infected computer is behind a NAT device.
The new technique must be working. Maazben is the fastest-growing botnet of the top 10, increasing membership five percent in one month. With 300,000 bots, Maazben spreads two and a half billion casino-related spam messages per day.
8: Xarvester (Rlsloup/Pixoliz)
Xarvester came into the picture after the McColo shutdown. Researchers feel the Xarvester botnet picked up a few customers from the closure. Researchers also see many similarities between Xarvester and the infamous Srizbi botnet, one of the botnets affected by the closing of the McColo data center.
Currently, the Xarvester botnet contains 60,000 members, sending out approximately two and a half billion spam messages a day. The email messages could contain spam for pharmaceuticals, fake diplomas, replica watches, and Russian-specific spam.
9: Donbot (Buzus)
The Donbot botnet is unique. It is one of the first botnets to use URL shortening, in an attempt to hide malicious links in the spam email. The thought is to increase the likelihood of someone clicking on the link. Donbot also seems to be divided into multiple individually run networks, each one pushing different types of spam.
Donbot has 100,000 members and sends out about 800 million spam emails a day. Spam content varies from weight-loss drugs to stock pump-and-dump to debt settlement offers.
10: Gheg (Tofsee/Mondera)
Three things stand out about the number 10 botnet. First, almost 85 percent of the spam from it originates in South Korea. Second, Gheg is one of the few botnets that encrypt traffic from the command and control servers, using a nonstandard SSL connection on port 443.
Third, Gheg has options in how it sends spam email. It can act as a conventional proxy spambot, or it can route spam messages through the victim’s Internet provider’s mail server. Gheg has 60,000 members and pushes out about 400 million spam emails daily, concentrating on pharmaceutical spam.
Grand total
Daren Lewis of Symantec keeps tabs on many of the botnets for MessageLabs and has come up with some startling numbers. Here are the overall statistics:
· 80 percent of all spam is sent by these 10 botnets.
· These 10 botnets send 135 billion spam messages a day.
· Five million computers belong to the 10 botnets.
The statistics are probably worse now, as I do not see any reduction in any of the spam filtering houses.
Final thoughts
Well, there you have it. I don’t think we will be getting rid of spam filtering devices or services just yet. To make matters worse, I like to keep close tabs on anti-spam research and do not see any solutions in the near future to stop such attacks. But you all know never to open e-mails from an unknown origin, especially the pharmaceutical spam, and there’s always someone smarter who really does use it for good intentions.