Marshal uncovers six botnets responsible for 85 per cent of spam

Published 29th February 2008

LONDON, 28 February, 2008 – Marshal’s TRACE team today announced it has identified six botnets that are currently responsible for 85 per cent of all spam.

Following the recent dominance of the Mega-D botnet, which Marshal reported on in early February, the Srizbi botnet is now responsible for distributing the lion’s share of spam – 39 per cent – followed by the Rustock botnet which is responsible for 21 per cent.

Three weeks ago, Marshal reported the Mega-D botnet was the leading source of spam. After the announcement, researchers identified the malware behind the 35,000-strong botnet as Ozdok. The subsequent discovery of Mega-D’s control servers saw spam sent from this botnet drop to zero during mid February.

“This week, Mega-D returned again to represent 21 per cent of spam after a 10-day period of inactivity. Owing to the break, Mega-D only accounted for an average of 11% of spam during February. At its peak last month, it was responsible for a third of all the spam we caught in our spam traps. While the recent publicity spooked the Mega-D spammers into taking their control servers offline, they have now clearly re-established themselves elsewhere,” said Bradley Anstis, Marshal VP of Products.

“While Mega-D faltered, Srizbi emerged as the leading spam botnet in February. It is advanced and extremely stealthy malware. Lately, Srizbi has been particularly active in attempting to spread itself through spam campaigns using celebrities as lures,” added Anstis.

Other significant active spam botnets at this time include Hacktool.Spammer (which has multiple aliases, including Spam-Mailer) and the Pushdo family (aliases Pandex and Cutwail), which is also known for mass spamming of its malware with celebrity hooks.

The notorious Storm botnet, which comprises an estimated 85,000 bots, is currently responsible for only three per cent of spam volumes.

“The size of a botnet, measured by how many bots it has, does not necessarily correlate with how much spam it sends. Our TRACE team has observed huge variations in the rate at which different spambots pump out spam,” said Anstis.

The Marshal TRACE team also believes spammers may have access to multiple botnets.

Mega-D is known for concentrating on male enhancement pills called ‘Megadik’ or ‘VPXL’ under such brand names as ‘Express Herbals’ and ‘Herbal King’. In addition to Mega-D, other botnets, including Srizbi, Rustock, Hacktool.Spammer and Pushdo, have been simultaneously sending spam with links to websites featuring the same ‘Express Herbals’ Web page.

“It appears the spammers behind this campaign have access to more than one botnet to distribute their messages,” said Anstis. “It’s also a possibility that one group controls more than one of these botnets.”

“By highlighting these spam botnets, we hope the security industry can collectively target these major spamming sources and in doing so significantly reduce spam volumes,” he added.

Further information and statistics regarding these botnet threats can be found on Marshal’s TRACE Center website at http://www.marshal.com/trace/traceitem.asp?article=567

About Marshal
Marshal is a global leader in Content Security across multiple protocols, enabling organisations to secure their IT environment, protect against threats and comply with corporate governance needs. Marshal provides customers with a complete portfolio of policy-driven Email and Internet solutions that integrate content filtering, compliance, secure messaging and archiving. Forty percent of the Global Fortune 500 companies use Marshal security solutions to secure their corporate messaging networks and web against internal abuse and external threats such as viruses, spam and malicious code. More than seven million users in 18,000 companies worldwide use Marshal solutions to protect their networks, employees, business assets and corporate reputation and to comply with corporate governance legislation requirements.

Marshal is headquartered in Atlanta (USA) and London (UK) with further offices in Paris (France), Munich (Germany), Johannesburg (South Africa), Houston (USA), Sydney (Australia) and Auckland (New Zealand). More information is available at www.marshal.com.

About the Marshal TRACE Team
TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats through the TRACE website at www.marshal.com/trace. TRACE services are provided as part of standard product maintenance that includes updates to Marshal’s unique, proprietary anti-spam technology, SpamCensor. TRACE analyses spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. It also provides “Zero Day” security protection against new email and virus exploits the day they emerge.