
TRACE: Six botnets generate 85 percent of spam

Six botnets, including the formerly dominant Mega-D, are generating about 85 percent of all spam emails, according to security researchers at TRACE (Threat Research and Content Engineering), a group of Marshal security analysts who constantly monitor and respond to internet security threats.


With Mega-D's operators taking their botnet down for 10 days last month, the Srizbi botnet, which has become responsible for distributing 39 percent of the spam generated, took over as leader of the pack in February. The Rustock botnet, at 21 percent, is second with Mega-D third at nine percent; Hacktool.spammer, eight percent; Pushdo, six percent; and Storm, with two percent, completing the top six offenders, according to Marshal.


"We can't tell who owns these botnets, but Mega-D, the number one source in January, went quiet for 10 days in February, and the others ramped up, advertising some of the same products," Glen Meyers, a sales engineer for Marshal, told


The nature of the spam emails by the Srizbi, Mega-D and Rustock botnets – mostly promoting herbal remedies and "male enhancement" drugs, such as Viagra – indicates "that perhaps some of the same people are responsible for these botnets."


It could also be that "the advertiser is told by the botnet operator that he's shutting down and looks for an alternate source," Meyers said. "We can't know that from looking at the spam. We can tell they're from a new source, but we don't know whether they're controlled by the same people or just the same advertisers."


Meyers said, "It appears the botnet operators are actually competing with each other."


The Storm botnet, which comprises an estimated 85,000 zombie computers, is now responsible for a mere two percent of all spam, after having been the overwhelming source of spam a year ago.


Marshal's researchers believe the Mega-D operators took their botnet down because "the publicity actually scared them," according to Meyers.


"It's been around for more than a year, and when we announced in January that it was the number one botnet, it spooked them and they took things offline," he said.


In late February, however, Mega-D enjoyed a resurgence and represented 21 percent of spam. At its peak in January, it was responsible for a third of the spam Marshal caught in its "spam traps," or bogus email accounts.


In its stead, Srizbi became especially active, attempting to spread itself through spam campaigns using celebrities as lures, according to Marshal.


Meanwhile, researchers at security vendor Sophos noted a resurgence in the Pushdo botnet, used widely by spammers late last year. Pushdo variants arrived almost weekly last summer, but that level died down in the first months of 2008, Richard Wang, manager of Sophos US labs, told


"We haven't seen much activity from Pushdo for a few weeks," Wang said. On Sunday, however, he said his team again saw someone sending out an aggressively large amount of spam with a new version of Pushdo.


By changing Pushdo's code frequently, its authors were able to get its spam past many organizations' perimeter defenses. Once inside, the spam typically delivers an encrypted payload that runs in computer memory rather than writing itself to disk, Wang said.


"It's difficult to tell what's going on with Pushdo, whether a single person or a group is behind it," Wang added.

