Botnet activity takes a major step up as new senders are detected

News by Dan Raywood

Botnets now account for 87.9 per cent of all spam sent, as new senders are detected.

The Symantec September and Q3 2009 MessageLabs Intelligence report revealed a new botnet named ‘Maazben’ that has grown rapidly since it was first detected in late May, while Rustock has begun a predictable spamming pattern.

MessageLabs Intelligence senior analyst at Symantec, Paul Wood, claimed that an average of 1.4 per cent of all spam is being sent from Maazben, but it has increased its peak activities. MessageLabs was expecting its growth rate ‘to creep up in terms of the amount of spam that we will be tracking’.

Wood said: “In terms of the spam that it has been sending out, we have been seeing gambling and casino related spam so if you have seen anything in your inbox like that it has probably come from there. This could increase or even double its output by the end of the year; it is really ramping up its activity now.”

Meanwhile the Rustock botnet has settled into a predictable spam pattern beginning every day at 3am UK time, peaking at 7am and ceasing spamming at 7pm. It then rests for eight hours before beginning again. MessageLabs claimed that Rustock is the only botnet with a regular spam cycle.

Wood said: “Most botnets, when they first emerge and when they are very small, will be prevalent in certain parts of the world; now it is spread far and wide, and some elements of that are from the botnet sending out at a certain time of day. Until now this has not been very active but it will send out a large quantity of spam because the burst will have an impact.

“This peaks at three billion messages being sent per hour, it was previously once a fortnight and now it is operating every day. Cutwail was always on and sent around 600 million messages but no more than 900 million to one billion at its peak.”

The report claimed that as one of the most dominant botnets, Rustock is responsible for ten per cent of all spam. As such, its spam pattern is reflected in overall total daily spam patterns.

According to MessageLabs Intelligence, Maazben's growth has accelerated during the past month from 0.5 per cent of all spam in August to 1.4 per cent of all spam in September. Rustock is the largest in terms of number of bots at 1.3 to 1.9 million bots but has kept its output per bot relatively low.

Wood said: “However, this won't always be the case as botnet technology has also evolved since the end of 2008 and the most recent ISP closures now have less of an impact on resulting activity as downtime now only lasts a few hours rather than weeks or months as before.”

The report also claimed that two other botnets have had the opportunity to vie for Cutwail's previous position as the most active botnet. Grum, half the size of Rustock but responsible for 23.2 per cent of spam, and Bobax, responsible for 15.7 per cent of spam, have both taken over as the most active botnets for spam distribution.

“In the top five list in this survey, all the botnets (with the exception of Maazben) have been around for some time and we have a list of small botnets, but there are other sources of spam such as webmail, but 87.9 per cent of all spam comes from botnets and the number is increasing. Since McColo was shut down last year, the bad guys have learnt a harsh lesson and may have business continuity plans in place,” said Wood.
