The size and volume of spam botnets are down over the last
year, and much of this can be attributed to the effectiveness of IP-based blacklists. However,
this defense method is no panacea as scammers have found new methods like reputation
hijacking to circumvent these roadblocks, and bots continue to extend their
reach by piggybacking on existing worms and viruses.
New research from Dell SecureWorks'
Counter Threat Unit detailing the evolution of spambots in 2011 showed that Rustock,
with some 250,000 bots, is the world’s most prolific spambot. In recent years it
has shared the top spot with others, but because of the unrelenting addition of
stealth tactics added to Rustock’s code base, which allow it to hide deep
inside the Windows operating system where anti-malware products won’t find it,
it is now uncontested as the world’s number one bot.
Among the bot's cloaking
methods are: waiting days after infection before starting to spam; avoiding
disconnection by network admins by running a Tor exit node; disguising requests as online forum posts with encrypted content by using HTTP to
communicate with controllers; and not mapping directly to the IP address of
the Rustock controller, to avoid takedowns.
Cutwail came in at second place with an estimated army of
100,000 bots. Cutwail is similar to Rustock in that it uses custom encryption
to disguise its communications, but differs in that it is in essence a
conglomeration of botnets adhering to one of three major coding revisions.
In third place is the 75,000 strong Lethic botnet. Lethic, which
was reportedly shut down last January, is a unique bot because it strays
away from the traditional template-based spamming method that delivers a spam mail template to each bot, along with a
list of email addresses to which the spam should be sent. While
less efficient than the previous method, Lethic uses a
connect-back scheme that causes the bot to reach out to the Lethic controller
to begin receiving traffic. It then uses a simple encryption method to
avoid detection. Lethic is also being installed to help seed up-and-coming bots.
Close behind Lethic with 65,000 bots
is the Grum bot. It attempts to send messages from the infected PC directly to
the destination mail server, but if an ISP is blocking TCP port 25 outbound, Grum
falls back on a feature known as proxylocking: relaying the messages through
the ISP's mail server instead. Like Rustock,
Grum uses HTTP for communication, but of late it has been morphing its traffic
to avoid detection.
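The two delivery patterns described for Grum (direct-to-MX sending from an end-user host, and the fallback to the ISP relay once port 25 is blocked) are both visible from the network edge, which is what makes IP-based defenses workable against them. The script below is an added example, not code from the SecureWorks report or from this article: it runs a simple detection over constructed firewall-style log lines, flagging hosts that fan out to an unusual number of destination mail servers on port 25, and hosts that were denied on port 25 and then pushed a burst of messages through the ISP relay. The relay address, the log format and the thresholds are assumptions and would be replaced with a network's own values.

```python
"""Flag end-user hosts whose outbound SMTP pattern matches a spambot:
direct-to-MX fan-out, or fallback to the ISP relay after port 25 is blocked.
Added example; not code from the SecureWorks report or the article."""
from collections import defaultdict

# --- constructed sample log (not real traffic) ---------------------------
# Format mirrors a minimal firewall/flow export: "<src> <dst> <dport> <action>".
# 10.0.0.5 fans out directly to many destination MX hosts on port 25.
# 10.0.0.9 is denied on port 25 and then pushes a burst through the ISP relay.
# 10.0.0.2 is a normal client submitting a couple of messages via the relay.
ISP_RELAY = "198.51.100.25"          # assumed address of the ISP's mail relay

SAMPLE_LOG = (
    [f"10.0.0.5 192.0.2.{n} 25 ALLOW" for n in range(10, 18)]       # 8 distinct MXs
    + ["10.0.0.9 192.0.2.30 25 DENY", "10.0.0.9 192.0.2.31 25 DENY"]
    + [f"10.0.0.9 {ISP_RELAY} 587 ALLOW" for _ in range(30)]        # burst via relay
    + [f"10.0.0.2 {ISP_RELAY} 587 ALLOW" for _ in range(2)]         # benign client
)

# Assumed thresholds; tune to the network's own baseline.
MAX_DISTINCT_MX = 5          # an end-user host rarely contacts more MX hosts than this
MAX_RELAY_SUBMISSIONS = 20   # submissions via the relay per log window

MAIL_PORTS = {25, 465, 587}


def parse_line(line):
    """Parse one log line into (src, dst, dport, action); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    src, dst, dport, action = parts
    return src, dst, int(dport), action.upper()


def summarize(lines):
    """Build per-source counters for outbound mail traffic."""
    stats = defaultdict(lambda: {"direct_mx": set(), "port25_denied": 0, "relay": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash
        src, dst, dport, action = rec
        if dport not in MAIL_PORTS:
            continue
        s = stats[src]
        if dst == ISP_RELAY and action == "ALLOW":
            s["relay"] += 1               # message handed to the ISP relay
        elif dport == 25 and action == "DENY":
            s["port25_denied"] += 1       # direct delivery blocked by egress policy
        elif dport == 25 and action == "ALLOW":
            s["direct_mx"].add(dst)       # direct delivery to a destination MX
    return stats


def flag_spambot_candidates(lines):
    """Return {src: [reasons]} for hosts matching either spambot pattern."""
    findings = {}
    for src, s in summarize(lines).items():
        reasons = []
        if len(s["direct_mx"]) > MAX_DISTINCT_MX:
            reasons.append(
                f"direct-to-MX fan-out: {len(s['direct_mx'])} distinct MX hosts")
        if s["port25_denied"] and s["relay"] > MAX_RELAY_SUBMISSIONS:
            reasons.append(
                f"relay fallback after port 25 block: {s['relay']} submissions via ISP relay")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_spambot_candidates(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

On the constructed sample, the two bot-like hosts are reported and the benign client is not. In practice the fan-out threshold should be set from observed behaviour of real clients, and the relay-fallback rule is only meaningful where port 25 egress is actually filtered, since a host that is never denied on port 25 will never trip it.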
The last of the really big botnets is
Festi, with 60,000 bots. This bot has been aggressively establishing itself by
seeding with another pay-per-install bot, Virut. Festi has also been developed
as a distributed denial-of-service
platform, and has been seen in recent weeks launching attacks against Russian sites.
The remaining botnets operate with under 30,000 bots. Noteworthy
among them are the Maazben, Asprox, Fuflo,
Fivetoone/DMSpammer, Xarvester, Bobax, Gheg, and Bagle bots. Dell’s research indicates
that their tapering off in size may be intentional because smaller bots demand
less attention from the anti-malware community and in general fewer resources
to stay afloat. This may also be the reason that some of these bots have had
marathon careers of as long as eight years.