New botnet threats emerge in the New Year from Lethic and Bagle
Early January saw a rise in activity from both the Lethic and Bagle spambots.
A blog post by Rodel Mendrez, threat analyst at M86 Security, said on the 7th January that at that stage they were not certain how big the Lethic botnet was. ‘However as it is currently responsible for about eight to ten per cent of the spam in our traps, we figure it is a sizeable botnet’, he said.
Mendrez said: “Most of Lethic's command and control servers are hosted by an ISP based in Chicago called FDCservers.net. Looking around, others have also noticed this provider.”
M86 Security estimated that it was the fourth most prevalent botnet, after Rustock (32.8 per cent), Mega-D (21.6 per cent) and Bobax (12.1 per cent). The Bagle 2 botnet was only responsible for around 1.9 per cent of spam sent.
In a blog posting in early December 2009, Jose Nazario, manager of security research at Arbor Networks, said: “Lethic is yet another spambot to join the fray. It is unclear what its future holds, and we do not know when it emerged. However this shows how ‘full’ the ‘ecosystem’ for spambots is. Lethic's complexity is minimal when compared to other spam botnets (no rootkit seen, etc) but it appears effective enough at this time.”
Commenting, Paul Wood, MessageLabs intelligence senior analyst at Symantec, said that Symantec Hosted Services started tracking Lethic on 31st December 2009, when it accounted for 2.5 per cent of all spam.
Wood said: “On 1st January 2010 it rose to just under four per cent and carried on roughly around that level for another six days. On the 8th January, it peaked at 5.25 per cent of all spam, then over the next two days its traffic dropped off to nothing and has yet to return.”
He explained that the spam it is sending is a roughly even mix of pharmaceutical spam (all linking to ‘Canadian Pharmacy’ websites) and replica watch spam. The pharmaceutical websites linked to are all hosted in Beijing, while the replica watch sites are all hosted in Seoul.
Referring to the Bagle botnet, Wood said that the interesting thing was that Bagle has been sending exactly the same spam as Lethic over this same period.
Wood said: “The templates for the pharmaceutical and watch spam coming from Lethic are identical to ones from Bagle, and include hyperlinks to the same websites. This suggests that either the people who created the Bagle botnet have also created a second botnet (Lethic) and are using both to send out spam for their clients, or that the people behind the spam runs have paid for or recruited more than one botnet gang in order to increase output and are using both botnets at the same time.”
The Bagle botnet, in contrast to M86's much lower figure for it, has been very active in the last two weeks by Symantec's count. It accounted for 10.39 per cent of all spam sent on the 29th December and hovered between eight per cent and 14 per cent of spam sent, peaking on New Year's Day. Its activity dropped from the 7th January until today, when it was responsible for 8.67 per cent of all spam.