• Date: February 25th, 2010
• Author: Michael Kassner

Latest reports have spam accounting for more than 95 percent of all email messages. You can thank botnets for most of that. Here’s what we’re up against.

While doing research for this project, I came across a blog series (first,
second, download that includes a PDF version and a PowerPoint presentation.

1: Grum (Tedroo)

Grum is the future for spam botnets. It’s a kernel-mode rootkit and thus hard to detect. It’s also sneaky, infecting files used by Autorun registries. That guarantees it will be activated. This botnet is of special interest to researchers. It’s relatively small, only 600,000 members. Yet it accounts for almost 25 percent, or 40 billion spam-emails a day.

Grum focuses on pharmaceutical spam. You know the kind. There must be money in this, as most spam botnets are involved with it to some degree.

2: Bobax (Kraken/Oderoor/Hacktool.spammer)

Bobax confuses botnet hunters, being somewhat related to the Kraken botnet. Recently, Bobax went through a rewrite. The authors converted command and control traffic to HTTP, making it more difficult to block and trace.

Right now, Bobax has only 100,000 members, yet it produces 27 billion spam messages a day. That’s 15 percent. Or more impressively, 1,400 spam email messages per bot per minute. Bobax appears to be a botnet for hire, as the type of spam varies.

3: Pushdo (Cutwail/Pandex)

Pushdo started at the same time asStorm, in 2007. Storm is all but gone. But Pushdo is still going strong, sending out approximately 19 billion spam email messages a day from one and a half million bots. Pushdo is thedownloader, which gains access to the victim computer. It then downloads Cutwail, the spamming software.

The Pushdo/Cutwail botnet spews spam with a wide variety of subject matter, including pharmaceuticals, online casinos, phishing schemes, and links to malware-laced Web sites.

4: Rustock (Costrat)

Rustock is another survivor. It was almost destroyed when
McColo was shuttered in 2008. But it’s back and currently the largest botnet, with almost two million bots. Before McColo, Rustock’s trademark was to generate huge amounts of spam, then go dormant for several months. Today, Rustock’s signature is to deliver spam only from 3 a.m. to 7 a.m. EST (GM-5) daily.

Rustock is also known for forging legitimate email newsletters using image files.Image spam is undetectable by most filtering software. In addition, Rustock does the usual pharmaceutical and Twitter-based spam to the tune of 17 billion spam messages a day.

5: Bagle (Beagle/Mitglieder/Lodeight)

Bagle
is an interesting botnet because of its industrious author. Since 2004, it has gone through hundreds of iterations. Two years ago, the developer decided to start making money, using Bagle to cultivate and sell email address databases.

Now, Bagle bots act as relay proxies, forwarding spam email messages to their final destination. Bagle has at most 500,000 bots, but it still moves 14 billion pieces of spam each day.

6: Mega-D (Ozdok)

Mega-D is famous — or infamous, depending on your point of view. In November 2009, researchers at FireEye were able to shut the botnet down by registering its command and control domains ahead of the botmasters. But the malware is programmed to constantly generate new domains, allowing the botmasters to eventually regain control.

Of the top 10 botnets, Mega-D is the smallest, consisting of 50,000 members. That’s not very many, considering it pushes out 11 billion pieces of spam daily. It’s second only to Bobax, when considering spam per bot per minute. Mega-D’s spam consists of advertisements for an online pharmacy and, of course, male-enhancement drugs.

7: Maazben

Maazben has been around only since June 2009. Yet it’s of special interest to researchers. Maazben is the first botnet that can use either proxy-based or template-based bots. Spammers prefer proxy-based bots because the spam source remains hidden. But proxy-based bots don’t work if the infected computer is behind a NAT device.

The new technique must be working. Maazben is the fastest-growing botnet of the top 10, increasing membership five percent in one month. With 300,000 bots, Maazben spreads two and a half billion casino-related spam messages per day.

8: Xarvester (Rlsloup/Pixoliz)

Xarvester came into the picture after the McColo shutdown. Researchers feel the Xarvester botnet picked up a few customers from the closure. Researchers also see many similarities between Xarvester and the infamous Srizbi botnet, one of the botnets affected by the closing of the McColo data center.

Currently, the Xarvester botnet contains 60,000 members, sending out approximately two and a half billion spam messages a day. The email messages could contain spam for pharmaceuticals, fake diplomas, replica watches, and Russian-specific spam.

9: Donbot (Buzus)

The Donbot botnet is unique. It is one of the first botnets to useURL shortening, in an attempt to hide malicious links in the spam email. The thought is to increase the likelihood of someone clicking on the link. Donbot also seems to be divided into multiple individually run networks, each one pushing different types of spam.

Donbot has 100,000 members and sends out about 800 million spam emails a day. Spam content varies from weight loss drugs to stock pump-and-dump to debt settlement offers.

10: Gheg (Tofsee/Mondera)

Three things stand out about the number 10 botnet. First, almost 85 percent of the spam from it originates in South Korea. Second,Gheg is one of the few botnets that encrypt traffic from the command and control servers using a nonstandard SSL connection on port 443.

Third, Gheg has options in how it sends spam email. It can act as a conventional proxy spambot. Or it can route spam messages through the victim’s Internet provider’s mail server. Gheg has 60,000 members and pushes out about 400 million spam emails daily, concentrating on pharmaceutical spam.

Grand total

Daren Lewis of Symantec keeps tabs on many of the botnets for MessageLabs and has come up with some startling numbers. Here are the overall statistics:

• 80 percent of all spam is sent by these 10 botnets.
• These 10 botnets send 135 billion spam messages a day.
• Five million computers belong to the 10 botnets.

The statistics are probably worse now, as I do not see any reduction in any of the spam filtering houses.

Final thoughts

Well, there you have it. I wouldn’t get rid of spam filtering devices or services just yet. To make matters worse, I keep close tabs on anti-spam research and do not see any solutions in the near future.

[UPDATE]: I just received an email from MessageLabs. The research arm of Symantec released the February 2010 Intelligence Report, and it’s full of valuable information. I thought it would be a good idea to share the link and mention some of the highlights.

The paper pointed out that Grum and Rustock are the current heavyweights, accounting for 32 percent of all spam delivered. The following figure (courtesy of MessageLabs) shows the output from the 10 most active spam-sending botnets. That’s a lot of green (Rustock) and purple (Grum).

You can view the original posts here.

original post:

In part 1 of my series, I looked at which botnet sends the most spam, by total number of messages sent at the recipient level and not the envelope level. In part 2, I looked at which one sends the most spam by total amount of bytes that they emit. Now, I’d like to put it all together; if we normalize the values, which botnet is responsible for sending out the most spam on a daily basis? Depending on how we measure it, there are a couple of answers.

To check this, first I took a look at the average number of message envelopes each botnet sends per day. I then normalized the value and used the lowest sending botnet as a base, assigning it a value of 1. I have removed lethic from this count because it seems to have fallen off the radar (is something wrong with my script?). The table is below:

Looking at this table here, sorting by the average amount of total envelopes each botnet sends per day, it isn’t even close (for the month of January). Rustock, by far, sends more individual spam messages than any other botnet by a factor of 10. Its net is so wide and the other botnets aren’t even in the running. Mega-d is next followed by cutwail2.

But if we measure the amount of bandwidth the individual receiving mail servers have to process, the numbers change. If we take the average number of messages/envelope, multiple by the average message size (kb) and multiple by the average number of message envelopes per day, then we get the total amount of traffic, in bytes, that each botnet sends. Doing this, the numbers change (remember that these are normalized values, not absolute values):

Looking at it this way, the worst botnet is cutwail followed by cutwail2. Rustock drops down to 3rd in the list, a distant 3rd but not far behind cutwail1. The other botnets bring up the rear, only looking out into the distance and wishing they were as cool as the others.

So there you have it, my study on which botnet sends out the most spam. I’ve shown my work and therefore these results should be reproducible in the future. I’m not totally convinced that my scripts are completely accurate and capturing all of the required information, however, as time passes I should be able to refine them and provide an even more accurate analysis on which botnet is the worst.

You can view the original post here.

original post:

Following up from my previous post, there are a couple of ways to measure which botnet sends the most spam. On the one hand, botnets can send 1 spam message but address it to a lot of different recipients, thus putting the cost of delivery heavily onto the recipient. This means that the spammer can have a small amount of nodes and the recipient has to assume the overhead of splitting the message up and delivery to multiple recipients. On the other hand, a botnet can be very wide and send a lot of messages to a lot of different people, but only address each message to one recipient. In this case, the overhead of delivery is shifted onto the sender since the spammer/botnet has to support and maintain a lot of different nodes.

But the total number of messages is only one way of looking at it. What about the total size of the message? If one botnet sends a 10 messages at 30 kb each, and other sends 100 messages at 3 kb each, the way we measure who sends the most spam varies. They are each sending the same amount of data. Regarding the 10 botnets I have been tracking this month, below is the botnet and the average size per message in kb that they send:

From here, we can see that cutwail1/2 send very large messages, and combining that with my previous post, we can see that they send a lot of messages per email envelope and the messages tend to be quite large. Cutwail imposes a very large strain onto the overall Internet infrastructure. Rustock, conversely, remains very hard to detect in terms of its footprint. It sends on average 1 message per email envelope, and these messages are quite small.

Lethic sends lots of messages per email, but the messages are small. Gheg doesn’t send very email emails per envelope either, but its messages tend to be larger.

So, what can we conclude from these figures? Rustock is a very efficient spammer, and cutwail is very inefficient (where efficiency is defined as how easy they hide themselves and the costs they impose on the recipient). Lethic is a new kid on the block but doesn’t impose large bandwidth costs, while the others are a mixture between the rustock/cutwail contrast.

Of course, can I definitively state which botnet sends the most spam? The answer is that it depends. While the Holy Grail of many businesses is that the more data you have, the better, I have found that this is not the case. Often times, more data only serves to make you more confused and unable to give a straight up answer.

You can view the original post here.

original post:

Around the Internet, and even on this blog, various analyses have been done on botnets and which one is responsible for sending the most spam. Whether it’s Rustock, Cutwail, or one of the new kids on the block (grum, gheg, or donbot), I don’t really see any consensus on which one is the spammiest.

There are a couple of ways to measure which botnet sends the most spam. You could do it by which one is sending spam from the most distinct IPs. You could also do it by which one sends the most amount of messages. But the most amount of messages has a couple of different ways of measuring it – by total number of envelopes, total number of messages, and total number of bytes.

The envelope level is different from the message level. For you see, a message envelope can have multiple messages. A message might be addressed to multiple recipients, in other words:

From: Guy Incognito
To: Frank Grimes, Lenny Leonard, Carl Carlson

This particular email would be one envelope and three messages, because the message has to get delivered to 3 people. So, at the message level, it is more costly to process a message with multiple recipients. You could scan the message before branching it out, but afterwards when it comes time to deliver the message, you would have to fork it out into each individual messages, and each of these messages costs bandwidth and storage.

At the message level, here are 10 botnets that I have been tracking for around a month along with the average number of recipients per message:

From this perspective, cutwail and lethic are the spammiest botnets. They send spam messages to lots of different recipients which results in higher infrastructure costs for the recipient (not to mention the filterer of the spam). Lethic is a fairly new botnet, I don’t have a lot of stats for it before November 2009. I wonder whether or not it is related to cutwail1/2 at all, seeing as how the behavior is so similar. I’d have to dig into our logs and see what the messages look like in order to see if there are enough similarities.

Rustock is way down the list. Rustock is a very clever botnet, contrasting it from cutwail1/2 and lethic. Rustock’s strategy is to have a botnet base a mile wide and an inch deep. In other words, the number of distinct IPs is far higher in Rustock than any other botnet (it isn’t even close). But the number of messages it sends per envelope is small, approaching 1.0. This allows it to have a wider footprint that is harder to detect. A bursty emission of spam from a small number of IPs is easier to detect than a scattered distribution of it coming from many, many more IPs. On the other hand, while the latter is harder to detect, the former does more damage to a network because of the additional load put onto a network during the peak traffic times.

The original post from Wednesday, February 03, 2010 can be viewed here

Note: We’re following various posts by different authors on this subject so keep checking back for more information.

Here’s a story from the Register about how modern spam filtering has forced a long-time Canadian publication to have to change it’s name.  It’s a good thing that Barracuda Spam & Virus Firewalls are easy to tweak and adjust!

Spam filters stuff Canadian Beaver

Venerable magazine to adopt less suggestive title

By Lester Haines

Posted on theRegister.co.uk 13th January 2010 14:41 GMT

Publisher Deborah Morrison explained to AFP: “The Beaver was an impediment online. Several readers asked us to change the title because their spam filters at home or at work were blocking it. I’ve even had emails bounce back because I had inadvertently typed the term in the heading."

She added: “Nearly a century ago, it probably seemed the perfect name for a magazine about the fur trade and Canada’s northwest frontier. There was only one interpretation for the word then. But you’re likely to find a lot of [porn] sites now if you search for the title of our history magazine online.”

The 90-year-old title will, after the Feb/March issue, be known as Canada’s History.

Other Beavers of note which can be found online are the newspaper of the London School of Economics Students’ Union, a Toronto restaurant offering a range of tongue-tingling delights and a film starring Mel Gibson and Jodie Foster. ®

The original story from TheRegister.

On Wednesday, December 9, 2009 at 06:20 (GMT), Project Honey Pot achieved a milestone:

It received its 1 billionth spam message. That message was a phishing scam regarding the United States Internal Revenue Service.

It was sent to an email address that had been harvested more than two years ago. More than just a single spam email, the billionth message represents the collective work of you and tens of thousands of other web and email administrators.

To celebrate that milestone, they have gone through 5 years of data to learn more about spammers and what they do. Below are some of their more interesting findings. You can also see the Full Report here.

Some Preliminary Statistics

• Monday is the busiest day of the week for email spam, Saturday is the quietest
• 12:00 (GMT) is the busiest hour of the day for spam, 23:00 (GMT) is the quietest
• Malicious bots have increased at a compound annual growth rate (CAGR) of 378% since Project Honey Pot started
• Over the last five years, you’d have been 9 times more likely to get a phishing message for Chase Bank than Bank of America, however Facebook is rapidly becoming the most phished organization online
• Finland has some of the best computer security in the world, China some of the worst
• It takes the average spammer 2 and a half weeks from when they first harvest your email address to when they send you your first spam message, but that’s twice as fast as they were five years ago
• Every time your email address is harvested from a website, you can expect to receive more than 850 spam messages
• Spammers take holidays too: spam volumes drop nearly 21% on Christmas Day and 32% on New Year’s Day

Users of email security and archiving service Postini were frustrated last week when the service began experiencing significant delivery problems.

Users were particularly angered by Postini’s lack of communication about the problem. Postini was acquired by Google in 2007. Similar to our CudaMail Anti-Spam Service, the service scans emails for malware. The problem seems to have been caused by a combination of a bad email filter update and “a power-related hardware failure.”

• http://www.informationweek.com/news/showArticle.jhtml?articleID=220600859
• http://news.cnet.com/8301-30684_3-10374344-265.html
• http://www.theregister.co.uk/2009/10/15/google_postini_snafu/
• http://www.computerworld.com/s/article/9139316/Postini_trouble_stymies_U.S._e_mail_users?taxonomyId=1

[Editor's Note (Pescatore): We used to call the telecommunications infrastructure "the cloud," and we had very high expectations of reliability. We even had required service levels for things like dial tone. Internet-based web services are today's cloud - boy, are they far from achieving dial-tone like reliability.]

- Shaun

It seems to have been going on for several weeks, but in the recent few days it’s apparently been getting much worse. Our CudaMail service has seen an increase in that type of spam recently as well. We’ve put some filters in place fortunately, but there has definitely been an increase.

A lot of it was the “SEO Google first page rankings” type.

US-CERT encourages users to take the following measures to protect themselves:

• Do not follow unsolicited web links or attachments in email messages.
• Maintain up-to-date antivirus software.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Maintaining up-to-date anti-virus is vital. Some appliances, like the Barracuda Spam & Virus Firewalls that are used by CudaMail.com to filter mail are updated on a constant basis.

US-CERT will provide additional details as they become available.

Relevant Url(s):

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.avertlabs.com/research/blog/index.php/2009/04/27/swine-flue-spam/

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient’s local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to “breaking news.”

Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user’s IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video.

If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
* Install antivirus software, and keep the virus signatures up to
date.
* Do not follow unsolicited links and do not open unsolicited email
messages.
* Use caution when visiting untrusted websites.
* Use caution when downloading and installing applications.
* Obtain software applications and updates directly from the
vendor’s website.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.

Relevant Url(s):

====
This entry is available at
http://www.us-cert.gov/current/index.html#waledac_trojan_horse_spam_campaign