The top 10 spam botnets: New and improved

The botnets are arranged in order of spam activity, with the most popular name being listed first:

1: Grum (Tedroo)

Grum is the future for spam botnets. It’s a kernel-mode rootkit and thus hard to detect. It’s also sneaky, infecting files used by Autorun registries. That guarantees it will be activated. This botnet is of special interest to researchers. It’s relatively small, only 600,000 members. Yet it accounts for almost 25 percent, or 40 billion spam-emails a day.

Grum focuses on pharmaceutical spam. You know the kind. There must be money in this, as most spam botnets are involved with it to some degree.

2: Bobax (Kraken/Oderoor/Hacktool.spammer)

Bobax confuses botnet hunters, being somewhat related to the Kraken botnet. Recently, Bobax went through a rewrite. The authors converted command and control traffic to HTTP, making it more difficult to block and trace.

Right now, Bobax has only 100,000 members, yet it produces 27 billion spam messages a day. That’s 15 percent. Or more impressively, 1,400 spam email messages per bot per minute. Bobax appears to be a botnet for hire, as the type of spam varies.

3: Pushdo (Cutwail/Pandex)

Pushdo started at the same time as Storm, in 2007. Storm is all but gone. But Pushdo is still going strong, sending out approximately 19 billion spam email messages a day from one and a half million bots. Pushdo is the downloader, which gains access to the victim computer. It then downloads Cutwail, the spamming software.

The Pushdo/Cutwail botnet spews spam with a wide variety of subject matter, including pharmaceuticals, online casinos, phishing schemes, and links to malware-laced Web sites.

4: Rustock (Costrat)

Rustock is another survivor. It was almost destroyed when McColo was shuttered in 2008. But it’s back and currently the largest botnet, with almost two million bots. Before McColo, Rustock’s trademark was to generate huge amounts of spam, then go dormant for several months. Today, Rustock’s signature is to deliver spam only from 3 a.m. to 7 a.m. EST (GM-5) daily.

Rustock is also known for forging legitimate email newsletters using image files. Image spam is undetectable by most filtering software. In addition, Rustock does the usual pharmaceutical and Twitter-based spam to the tune of 17 billion spam messages a day.

5: Bagle (Beagle/Mitglieder/Lodeight)

Bagle is an interesting botnet because of its industrious author. Since 2004, it has gone through hundreds of iterations. Two years ago, the developer decided to start making money, using Bagle to cultivate and sell email address databases.

Now, Bagle bots act as relay proxies, forwarding spam email messages to their final destination. Bagle has at most 500,000 bots, but it still moves 14 billion pieces of spam each day.

6: Mega-D (Ozdok)

Mega-D is famous — or infamous, depending on your point of view. In November 2009, researchers at FireEye were able to shut the botnet down by registering its command and control domains ahead of the botmasters. But the malware is programmed to constantly generate new domains, allowing the botmasters to eventually regain control.

Of the top 10 botnets, Mega-D is the smallest, consisting of 50,000 members. That’s not very many, considering it pushes out 11 billion pieces of spam daily. It’s second only to Bobax, when considering spam per bot per minute. Mega-D’s spam consists of advertisements for an online pharmacy and, of course, male-enhancement drugs.

7: Maazben

Maazben has been around only since June 2009. Yet it’s of special interest to researchers. Maazben is the first botnet that can use either proxy-based or template-based bots. Spammers prefer proxy-based bots because the spam source remains hidden. But proxy-based bots don’t work if the infected computer is behind a NAT device.

The new technique must be working. Maazben is the fastest-growing botnet of the top 10, increasing membership five percent in one month. With 300,000 bots, Maazben spreads two and a half billion casino-related spam messages per day.

8: Xarvester (Rlsloup/Pixoliz)

Xarvester came into the picture after the McColo shutdown. Researchers feel the Xarvester botnet picked up a few customers from the closure. Researchers also see many similarities between Xarvester and the infamous Srizbi botnet, one of the botnets affected by the closing of the McColo data center.

Currently, the Xarvester botnet contains 60,000 members, sending out approximately two and a half billion spam messages a day. The email messages could contain spam for pharmaceuticals, fake diplomas, replica watches, and Russian-specific spam.

9: Donbot (Buzus)

The Donbot botnet is unique. It is one of the first botnets to use URL shortening, in an attempt to hide malicious links in the spam email. The thought is to increase the likelihood of someone clicking on the link. Donbot also seems to be divided into multiple individually run networks, each one pushing different types of spam.

Donbot has 100,000 members and sends out about 800 million spam emails a day. Spam content varies from weight loss drugs to stock pump-and-dump to debt settlement offers.

10: Gheg (Tofsee/Mondera)

Three things stand out about the number 10 botnet. First, almost 85 percent of the spam from it originates in South Korea. Second, Gheg is one of the few botnets that encrypt traffic from the command and control servers using a nonstandard SSL connection on port 443.

Third, Gheg has options in how it sends spam email. It can act as a conventional proxy spambot. Or it can route spam messages through the victim’s Internet provider’s mail server. Gheg has 60,000 members and pushes out about 400 million spam emails daily, concentrating on pharmaceutical spam.

Daren Lewis of Symantec keeps tabs on many of the botnets for MessageLabs and has come up with some startling numbers. Here are the overall statistics:

  • 80 percent of all spam is sent by these 10 botnets.
  • These 10 botnets send 135 billion spam messages a day.
  • Five million computers belong to the 10 botnets.


This entry was posted in Technical Archive. Bookmark the permalink.