New botnet threats emerge from Lethic and Bagle

By on

New Year brings new challengers.

Early January saw a rise in activity from both the Lethic and Bagle spambots.

A blog post by Rodel Mendrez, threat analyst at M86 Security, said on January 7 that at that stage, they were not certain how big the Lethic botnet is.

"However as it is currently responsible for about eight to ten per cent of the spam in our traps, we figure it is a sizeable botnet," he said.

He added: “Most of Lethic's command and control servers are hosted by an ISP based in Chicago called Looking around, others have also noticed this provider."

M86 Security estimated that it was the fourth most prevalent botnet, after Rustock (32.8 per cent), Mega-D (21.6 per cent) and Bobax (12.1 per cent). The Bagle 2 botnet was only responsible for around 1.9 per cent of spam sent.

In a blog posting in early December 2009, Jose Nazario, manager of security research at Arbor Networks, said: “Lethic is yet another spambot to join the fray. It is unclear what its future holds, and we do not know when it emerged. However this shows how ‘full' the ‘ecosystem' for spambots is. Lethic's complexity is minimal when compared to other spam botnets (no rootkit seen, etc) but it appears effective enough at this time.”

Commenting, Paul Wood, MessageLabs intelligence senior analyst at Symantec, said that Symantec Hosted Services started tracking Lethic on December 31, where it accounted for 2.5 per cent of all spam.

Wood said: “On January 1 it rose to just under four per cent and carried on roughly around that level for another six days. On the 8th January, it peaked at 5.25 per cent of all spam, then over the next two days its traffic dropped off to nothing and has yet to return.”

He explained that the spam that it is sending is a roughly even mix of pharmaceutical (all linking to ‘Canadian Pharmacy' websites), and replica watches. The pharmaceutical websites linked to are all hosted in Beijing, while the replica watch sites are all hosted in Seoul.

Referring to the Bagle botnet, Wood said that the interesting thing was that Bagle has been sending exactly the same spam as Lethic over this same period.

Wood said: “The templates for the pharmaceutical and watch spam coming from Lethic are identical to ones from Bagle, and include hyperlinks to the same websites. This suggests that either the people who created the Bagle botnet have also created a second botnet (Lethic) and are using both to send out spam for their clients, or that the people behind the spam runs have paid for or recruited more than one botnet gang in order to increase output and are using both botnets at the same time.”

The Bagle botnet, in contrast to the early detections by M86, has been very active in the last two weeks. It accounted for 10.39 per cent of all spam sent on December 29 and hovered from eight per cent of spam sent up to 14 per cent on New Year's Day. Its activity dropped from January 7 until today, where it had been responsible for 8.67 per cent of all spam.

See original article on

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?