On 31 December 2009 MessageLabs Intelligence began tracking a new botnet, named 'Lethic'. At that time, it accounted for 2.5 percent of all spam. On 1 January 2010 it rose to just under 4 percent of all spam and stayed at roughly that level for another six days. On 8 January, it peaked at 5.25 percent of all spam (around 5.25 billion spam messages globally per day); over the next 2 days its traffic dropped off to nothing, and it has yet to return.
The last spam MessageLabs Intelligence tracked from Lethic was received on 9 January. This drop-off is due to community action by Neustar and several ISPs, which seems to have effectively 'killed' Lethic.
The spam Lethic has been sending is roughly an even mix of pharma (all linking to Canadian pharmacy websites as usual) and replica watches. The pharma websites linked to are all hosted in Beijing; the replica watch sites are all hosted in Seoul.
A sample of pharma spam
Which links to:
And a sample of replica spam
Which links to:
One interesting thing we noticed is that Bagle, another botnet, was sending exactly the same spam as Lethic over that same period. The templates for the pharma and watch spam coming from Lethic are identical to the ones being seen from Bagle, and link to the same websites (below is a Bagle sample screenshot, which you can see is identical to the Lethic sample above).
This suggests either that the people who created the Bagle botnet also created a second botnet (Lethic) and are using both to send out spam for their 'clients', or that the people behind the spam run paid for or recruited more than one botnet gang in order to increase output. At this point, this run of spam is coming only from Bagle, and only time will tell whether Lethic really is dead or will recover. In terms of global spam, though, the day of Lethic's demise saw a brief, small drop in traffic, but almost immediately it was back to normal.