Most Spam Comes From Just Six Botnets

Six botnets are responsible for 85 percent of the world's spam.

The spam experts at Marshal describe in detail how these six operations hijack computers around the world and use them to flood the Internet with junk email. From their report:

Three weeks ago we noted the Mega-D botnet was the leading source of spam. What a difference three weeks can make! In that time, the malware behind Mega-D was identified as Ozdok. Subsequently, we also posted that the Mega-D control servers went offline for around ten days, during which time spam from this pesky botnet dropped to zero.

With the impact on Mega-D's operations, Srizbi has now taken over as the leader of the spam pack, responsible for nearly 40% of spam. Srizbi is well known as a spamming Trojan, and an advanced one at that. As we reported here, lately Srizbi has been particularly active in distributing spam with URLs that link to websites hosting more copies of the spambot. Analysis of Srizbi indicates it is extremely stealthy, operating in full kernel mode, which, among other things, allows it to hide its network activities and bypass sniffer tools. One interesting thing we noticed about Srizbi is that it provides continuous feedback and statistics to control servers about which email addresses were good, and which were bad.

Of the remaining spambots, Rustock is the most significant at 20%. Rustock, also well known for its spamming capability, has been around for some time in various guises – a good analysis of it can be found here. Other significant active spambots at this time include: Hacktool.Spammer (which has multiple other aliases including Spam-Mailer); the Pushdo family (aliases Pandex and Cutwail), also known for mass spamming of its malware with celebrity hooks; and of course the infamous Storm, which, in spam terms, remains a relatively minor player.
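The practical consequence of a kernel-mode spambot hiding its traffic from host-side sniffers is that the infected machine cannot be trusted to report on itself; the fingerprint a spambot leaves (direct SMTP connections to many recipients' mail servers, small messages, and a large share of connections that are rejected or dropped almost immediately) is still visible from the network. The following is an added example, written for this page and not code from Marshal or from the original post. It scores hosts from outbound flow records; the flow format, the thresholds, and the sample records are all constructed for illustration and would need tuning against a real network's baseline.

```python
"""Flag hosts whose outbound SMTP behaviour looks like a spambot.

Added example (not from the original post or from Marshal). It works on
network-side flow records rather than anything the host reports, because a
kernel-mode bot can hide its own traffic from tools on the infected machine.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

SMTP_PORTS = {25, 587}
# Hypothetical thresholds (assumption): tune against your own legitimate relays.
MIN_UNIQUE_DST = 50      # distinct receiving mail servers per source in the window
MAX_MEAN_BYTES = 20_000  # spam runs send small messages; real relays also carry large ones
MIN_SHORT_RATIO = 0.3    # share of flows that ended fast with little data (rejects, dead MX)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int
    duration_s: float


def parse_flow_line(line: str) -> Flow:
    """Parse one record in the constructed format: src dst dport bytes seconds."""
    src, dst, dport, nbytes, dur = line.split()
    return Flow(src, dst, int(dport), int(nbytes), float(dur))


def spambot_candidates(flows: Iterable[Flow],
                       known_mtas: frozenset[str] = frozenset()) -> dict[str, dict[str, float]]:
    """Return per-source SMTP statistics for hosts that cross all three thresholds.

    A workstation talks to one or two mail servers; a spambot talks directly to
    many recipients' MX hosts, sends small messages, and sees many connections
    closed quickly (greylisting, rejected relays, dead MX records). Known MTAs
    are allowlisted because they legitimately fan out to many destinations.
    """
    dsts: dict[str, set[str]] = defaultdict(set)
    total_bytes: dict[str, int] = defaultdict(int)
    count: dict[str, int] = defaultdict(int)
    short: dict[str, int] = defaultdict(int)
    for f in flows:
        if f.dport not in SMTP_PORTS or f.src in known_mtas:
            continue
        dsts[f.src].add(f.dst)
        total_bytes[f.src] += f.bytes_out
        count[f.src] += 1
        if f.bytes_out < 1024 and f.duration_s < 1.0:
            short[f.src] += 1

    result: dict[str, dict[str, float]] = {}
    for src, n in count.items():
        stats = {
            "unique_dst": len(dsts[src]),
            "mean_bytes": total_bytes[src] / n,
            "short_ratio": short[src] / n,
        }
        if (stats["unique_dst"] >= MIN_UNIQUE_DST
                and stats["mean_bytes"] <= MAX_MEAN_BYTES
                and stats["short_ratio"] >= MIN_SHORT_RATIO):
            result[src] = stats
    return result


def sample_flows() -> list[Flow]:
    """Constructed flow records (not captured data): one bot, one real MTA, one desktop."""
    lines = []
    # Bot 10.0.0.23: 60 distinct MX hosts, tiny messages, 40% of connections drop fast.
    for i in range(60):
        fast = i % 5 in (0, 1)
        lines.append(f"10.0.0.23 203.0.113.{i} 25 {300 if fast else 4000} {0.2 if fast else 3.5}")
    # Real MTA 10.0.0.5 relaying user mail: many destinations, but full-size messages.
    for i in range(55):
        lines.append(f"10.0.0.5 198.51.100.{i} 25 {30000 + i} 4.0")
    # Desktop 10.0.0.42: web traffic plus a single mail submission to the local MTA.
    lines += ["10.0.0.42 93.184.216.34 443 5200 1.1",
              "10.0.0.42 10.0.0.5 587 15000 2.0"]
    return [parse_flow_line(ln) for ln in lines]


if __name__ == "__main__":
    for host, stats in spambot_candidates(sample_flows(), frozenset({"10.0.0.5"})).items():
        print(host, stats)
```

The allowlist and the mean-size threshold are deliberately redundant: a real MTA that was not allowlisted still passes on message size in this sample, and a bot that pads its messages would still be caught by the fan-out and quick-close ratio. Against real flow data the thresholds above are a starting point only; measure your own relays first.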