Festi Botnet spins up to become one of the main spamming botnets
Posted on behalf of Dan Bleaken, Malware Data Analyst
MessageLabs Intelligence has been tracking a new botnet, ‘Festi’, since the beginning of August.
Festi has steadily increased its spam output from virtually insignificant volumes to 3-6% of daily spam. In volume terms, 3-6% is estimated at a massive 1.5-3 billion spam messages per day globally. This increase has been achieved both by gradually increasing the amount of spam sent from each Festi bot and by recruiting new bots to the botnet.
At the moment it is spewing out 2 variants of spam.
The first variant is ‘male enhancement’ type mail containing .cn domains, leading to a Canadian Pharmacy website.
Typical subjects include:
Paradise in your bed
Very-very Magic Stick
Strong stick
Magic stick
Hard stick tonight
All night long
Website:
The other variant is geared more towards the Christmas product spamming season: it is watch spam containing links to .com domains.
Typical subjects include:
casablanca leather band
classic automatic
submariner limited coca cola edition
classic quartz
omega de ville co axial chronograph
Hermes Watches
Website:
In terms of global ranking among the botnets, Festi has become one of the spamming heavyweights. Currently, Festi is fifth after the giant ‘Big-4’ botnets: Cutwail, Bagle, Grum and Rustock (which among them account for more than 80% of global spam). I wonder how Festi’s relative dominance will develop over the coming weeks...