Six botnets behind 85% of all spam, says Marshal

Auckland-based research team warns of new growing botnet

Marshal’s TRACE team, headquartered in Auckland, claims it has identified six botnets that are responsible for 85% of all spam.

The Mega-D botnet, which Marshal reported on in February, is now being overtaken by the Srizbi botnet, responsible for distributing 39% of spam, according to the email and internet content security company. This is followed by the Rustock botnet, accountable for 21%, says the company.

Following the discovery of Mega-D’s control servers, spam sent from this botnet dropped to zero during mid February. But this week, Mega-D returned to represent 21% of spam after a 10-day period of inactivity, says Auckland-based Bradley Anstis, Marshal's VP of Products.

Because of this break, Mega-D only accounted for an average of 11% of spam during February, he says.

Srizbi, which has grown from nothing to become the leader of the pack in a very short time, has been particularly active in attempting to spread itself through spam campaigns using celebrities as lures, says Anstis.

Other significant active spam botnets at this time are Hacktool.Spammer — also known as Spam-Mailer among other names — and the Pushdo family, also known as Pandex and Cutwail. But the Storm botnet is responsible for only 3% of spam volumes at the moment, according to Marshal.

Anstis says the size of a botnet, measured by how many bots it has, does not necessarily correspond to how much spam it sends.

The Marshal TRACE (Threat Research and Content Engineering) team believes spammers may have access to multiple botnets.

Mega-D is known for focusing on male enhancement pills under such brand names as "Express Herbals" and "Herbal King". Other botnets, including Srizbi, Rustock, Hacktool.Spammer and Pushdo, have been sending spam with links to websites featuring the same "Express Herbals" web page, simultaneously, he says.

“It appears the spammers behind this campaign have access to more than one botnet to distribute their messages,” says Anstis. “It’s also a possibility that one group controls more than one of these botnets.”

All of Marshal's TRACE analysis is done in New Zealand, and this is where the three core researchers of the 24/7 operation are based, he says.

Join the newsletter!

Error: Please check your email address.

Tags spambotnetmarshalSecurity ID

Show Comments
[]