Symantec Connect
MessageLabs Intelligence

Evaluating Botnet Capacity

Daren Lewis
September 29th, 2009
Tags: Hosted Mail Security, Security, Spam, MessageLabs Intelligence

Botnets are now responsible for distributing 87.9% of all spam, an increase of 2.9% since Q2 2009. With approximately 151 billion unsolicited messages being distributed by compromised computers each day, understanding who is responsible for such unprecedented levels is always of interest because, much like the threat landscape, the botnet landscape is ever changing. As highlighted in the latest analysis from MessageLabs Intelligence, the largest botnet now appears to be Rustock, with an estimated 1.3 million to 1.9 million compromised computers under its control. However, the most active botnet in terms of spam distribution is now the little-known Grum, which is estimated at half Rustock’s size.

Both Grum and another botnet called Bobax have overtaken Cutwail as the most active spam-sending botnets, and are currently responsible for 23.2% and 15.7% of all spam respectively. Although both are significant in their own right, their size and power highlight the dominance that Cutwail had in June 2009, when it was responsible for 45.8% of all spam, before it was dented significantly by the recent ISP closures.

A new botnet, dubbed Maazben, has also been observed and is growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its share of spam has been accelerating in the last 30 days, from just over 0.5% of all spam to a peak of 4.5% of spam when it is most active. Currently, spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both the overall spam sent per minute and the spam per bot per minute are increasing.

In terms of overall spam output, this speedy growth rate has rocketed Maazben to seventh place, behind Grum, Bobax, Cutwail, Rustock, Bagle and Mega-D. Spammers have been using Maazben mostly to send casino-related spam, such as in the example below (Figure 1).

Figure 1

The latest analysis from MessageLabs Intelligence, as shown in Figure 2 below, reveals the most active botnets.

Figure 2

Figure 3

Over the past year, a number of ISPs have been taken offline for hosting botnet activity, resulting in a case of sink or swim and an ensuing shift in botnet power. On September 20, 2008, California-based ISP Intercage was disconnected from the Internet, and shortly thereafter, in November 2008, another California-based ISP, McColo, was taken offline when evidence of criminal activity originating from its network was uncovered. McColo Corporation was believed to have provided services to some of the world’s largest cyber-criminal operations. In the days following the ISP’s demise, spam originating from Srizbi, Rustock and Mega-D all took a nosedive. Until then, Srizbi had been responsible for as much as 50% of all global spam, so its decline left a significant gap in the botnet market that would later be filled by new botnets and some of Srizbi’s smaller rivals.

Following the demise of these ISPs in 2008, additional ISPs were taken down as recently as June and August 2009, including Pricewert in the U.S. and Real Host in Latvia, both of which we reported in previous MessageLabs Intelligence reports. However, botnet technology has also evolved significantly since the end of 2008, and the most recent closures now have a seemingly limited impact on botnet activity, with downtime and outages lasting only a few hours, rather than weeks or months as before.

This is an excerpt of the September MessageLabs Intelligence Report. Read the entire report or listen to the podcast.
 
