Botnet activity takes a major step up

Botnets now account for 87.9 per cent of all spam sent as new senders are detected.

The Symantec September and Q3 2009 MessageLabs Intelligence Report revealed a new botnet named ‘Maazben' is experiencing rapid growth since it was first detected in late May, while Rustock has begun a predictable spamming pattern.

MessageLabs Intelligence senior analyst Paul Wood claimed that an average of 1.4 per cent of all spam is being sent from Maazben, though it has increased its peak activities, with MessageLabs expecting its growth rate "to creep up in terms of the amount of spam that we will be tracking".

Wood said: “In terms of the spam that it has been sending out, we have been seeing gambling and casino-related spam, so if you have seen anything in your inbox like that it has probably come from there. This could increase or even double its output by the end of the year; it is really ramping up its activity now.”

Meanwhile, the Rustock botnet has settled into a predictable spam pattern beginning everyday at 3am (UK time), peaking at 7am, and ceasing activity at 7pm. It then rests for eight hours before beginning again. MessageLabs claimed that Rustock is the only botnet with a regular spam cycle.

Wood said: “Most botnets when they first emerge, and when they are very small, will be prevalent in certain parts of the world. Now it is spread far and wide and some elements of that are from botnets sending out at a certain time of day. Until now this has not been very active but it will send out a large quantity of spam because the burst will have an impact.

“This peaks at 3 billion messages being sent an hour, it was previously once a fortnight and now it is operating everyday. Curtwail was always on and sent around 600 million messages, but no more than 900 million to one billion at its peak.”

The report claimed that, as one of the most dominant botnets, Rustock is responsible for ten per cent of all spam. As such, its spam pattern is reflected in overall total daily spam patterns.

According to MessageLabs Intelligence, Maazben's growth has accelerated during the past month from 0.5 per cent of all spam in August to 1.4 per cent of all spam in September. Rustock is the largest in terms of number of bots at 1.3 to 1.9 million, but has kept its output per bot relatively low.

Wood said: “However, this won't always be the case as botnet technology has also evolved since the end of 2008 and the most recent ISP closures now have less of an impact on resulting activity as downtime now only lasts a few hours rather than weeks or months as before.”

The report also claimed that two other botnets have had the opportunity to vie for Cutwail's previous position as the most active botnet: Grum - half the size of Rustock but responsible for 23.2 per cent of spam - and Bobax - responsible for 15.7 per cent of spam - have both taken over as the most active botnets for spam distribution.

“In the top five list in this survey, all the botnets (with the exception of Maazben) have been around for some time and we have a list of small botnets. There are other sources of spam such as webmail, but 87.9 per cent of all spam comes from botnets and the number is increasing. Since McColo was shut down last year, the bad guys have learnt a harsh lesson and may have business continuity plans in place,” said Wood.

See original article on scmagazineuk.com