Highlights
- Collectively the top botnets are capable of sending over 100 billion spams per day
- Srizbi maintains the top spot both in terms of number of bots and spamming capacity
- Storm is only a fraction of its former self, and is rapidly becoming a minor player
- Bobax, probably the longest-lived of the template-based spamming botnets is still around, and ranks #2 in number of bots
- Ozdok/Mega-D is still relatively small in numbers, but makes up for its diminutive size with aggressive amounts of spam sent per bot
Introduction
In the last four years, spambots have made a transition from proxy-based spamming to template-based spamming. The first proxy-based spam botnet was Sobig, circa 2003, and it was quite impressive for its day. However, spammers rapidly discovered that even though they were able to disguise their origin by proxying through infected hosts, they still had to expend a lot of resources (and money) maintaining banks of machines and network connectivity to pump spam through the proxy servers day and night. In addition, the introduction of consumer-level NAT routers caused many of these proxies to be unreachable from the Internet, since the infected computers had private (RFC1918) IP addresses.
Around 2004 we saw the first template-based spamming botnets, designed to solve this problem. By sending bots a spam template along with a list of email addresses, the work (and wait) of connecting to remote mailservers could be offloaded to each individual bot. With the switch to a template-based system, spam botnet efficiency increases exponentially.
Fingerprinting Spambots
Since each individual bot implements the SMTP protocol with minor differences, it is possible to develop fairly effective network-based signatures to differentiate between the different botnets, that don't rely significantly on message headers/content. Although SecureWorks is not an anti-spam company, we have significant vision into networks receiving vast amounts of spam. This, combined with the intelligence we have gathered over the past several years around spambots, gives us the ability to collect some useful statistics concerning just how big these botnets are, and how well they work. Below is some of this data, which we hope will be of use in helping other parties understand the current state of botnet spam and classifying the individual malware more accurately.
Counting Botnet Sizes
In order to count the botnet sizes, we take a sample of one day's spam traffic from that bot across our customer base. Then, using probabilistic counting methods, extrapolate the likely total number of bots in the botnet. Simply put, if we see the same bots sending the same spam to multiple customers, it is more likely that the botnet size is smaller than a botnet where we rarely see the same IP address sending spam to more than one of our customers in the same time period. Based on data gathered from control server logs we've obtained in the past, we have confirmed that this method of counting can be fairly accurate in estimating botnet sizes.
We also try to list other information that may be of use to analysts, including alternate names for the malware. We've tried to leave out generic names that are used when AV companies don't recognize an established malware family, such as Mailbot, Spamtool, Spambot, Agent, Delf, Pakes, etc. Also, we try to avoid listing names that are frequently misassigned, such Tibs, Peed and Zlob. Although these are not generic names, the wrong malware is frequently given these names due to the massive amount of cross-installation of malware occurring these days, driven by pay-for-install exploit sites. Also, where possible, we try and list strings that might be found in the binary or network traffic of the spambot - however, in most cases the malware is packed/encrypted, and will need to be unpacked before any such strings can be found in the malware.
With that said, here are the biggest spam botnets we are seeing:
| Srizbi | |
|---|---|
| Estimated # of bots: | 315,000 |
| Alternate names: | Cbeplay, Exchanger |
| SMTP engine: | Template-based |
| Total botnet spam-sending capacity: | 60 billion spams/day |
| Control: | encrypted, UDP and TCP ports 4099 |
| Rootkit-enabled: | Yes |
| Identifying strings: | \SystemRoot\Minidump\%s, Udp6, Tcp6, MachineNum |
| Notes: | With the combination of stealth and an efficient SMTP engine, Srizbi is a highly capable botnet spamming machine. However, Srizbi is not a monolithic botnet - it is split between several customers of Reactor Mailer, with over a dozen control servers. Because of this, a wide variety of spam can be seen coming from Srizbi at any given time. In addition, Srizbi is one of the most active botnets attempting to seed new infections by advertising links to porn-related video files of different celebrities, which are actually new copies of Srizbi. Srizbi has emerged over the past year as the distributed part of the long-established Reactor Mailer web-based spam tool. Reactor may have used proxy servers in the past, but at some point a re-write of the software was commissioned by the head of the company, known only as "spm". The author who did the re-write of the backend is a contract programmer living in Smila, Ukraine. It is unclear as to whether or not he wrote the Srizbi trojan also, but it is a likely possibility. |
| Bobax | |
|---|---|
| Estimated # of bots: | 185,000 |
| Alternate names: | Bobic, Oderoor, Cotmonger, Hacktool.Spammer, Kraken |
| SMTP engine: | Template-based |
| Total botnet spam-sending capacity: | 9 billion spams/day |
| Control: | encrypted, TCP port 447 |
| Rootkit-enabled: | No |
| Identifying strings: | cCdipsuxX%, w:\projects\b3\release\core.pdb |
| Notes: | Despite reports of its demise, Bobax continues to be a strong player in the spam arena. At one time, Bobax was solidly in the business of sending mortgage spam, but lately has been seen mailing low-interest loan spam. |
| Rustock | |
|---|---|
| Estimated # of bots: | 150,000 |
| Alternate names: | RKRustok, Costrat |
| SMTP engine: | Template-based |
| Total botnet spam-sending capacity: | 30 billion spams/day |
| Control: | HTTP with encryption, TCP port 80 |
| Rootkit-enabled: | Yes |
| Identifying strings: | tmpcode.bin, unluckystrings, filesnames |
| Notes: | Although Rustock started out in the stock spam business, it has branched out, and can currently be seen sending out pharmaceutical spam. |
| Cutwail | |
|---|---|
| Estimated # of bots: | 125,000 |
| Alternate names: | Pandex, Mutant (related to: Wigon, Pushdo) |
| SMTP engine: | Template-based |
| Total botnet spam-sending capacity: | 16 billion spams/day |
| Control: | HTTP with encryption, TCP port 4080 |
| Rootkit-enabled: | Yes |
| Identifying strings: | Poshel-ka ti na hui drug aver |
| Notes: | Cutwail is the most common spambot installed by the Pushdo malware installer system, but it's not the only one. We've also seen Srizbi, Storm, Xorpix and Rustock installed on the same host together with Pushdo and Cutwail.Canadian Pharmacy spam is one of the things we most commonly see with Cutwail, but other types of spam are sent. Sometimes the botnet is used to send social-engineering emails in order to seed more infected hosts with Cutwail. |
| Storm | |
|---|---|
| Estimated # of bots: | 85,000 (only 35,000 send email) |
| Alternate names: | Nuwar, Peacomm, Zhelatin |
| SMTP engine: | Template-based |
| Total botnet spam-sending capacity: | 3 billion spams/day |
| Control: | HTTP on random ports with base64/zlib encoding, P2P-based server directory |
| Rootkit-enabled: | Yes |
| Identifying strings: | [blacklist], [peers] |
| Notes: | Although Storm has been rumored to be quite large in the past, it has dropped to a more reasonable size. In addition only Storm bots behind NAT firewalls actually send spam. This makes the capacity of the spam-sending part of the Storm botnet smaller than most of the other lesser-known botnets. However, those other hosts don't go to waste, they are used as fast-flux HTTP and DNS hosts for the spam system. Storm spent a lot of time sending pump-and-dump stock spam in the past, but occasionally will send pharmaceutical spam and job-offer (phishing mule) emails. When it's not spamming, Storm is sending links to fake greeting card sites which use browser exploits and social-engineering to infect more users with Storm. |
| Grum | |
|---|---|
| Estimated # of bots: | 50,000 |
| Alternate names: | Tedroo |
| SMTP engine: | Template-based |
| Total botnet spam-sending capacity: | 2 billion spams/day |
| Control: | HTTP on TCP port 80 |
| Rootkit-enabled: | Yes |
| Identifying strings: | Hi all, Already start, $TO_HEXMAIL, /spm/s_alive, /spm/s_tasks |
| Notes: | Although little-known, Grum has accumulated a seizable botnet over the past year by sending spam with supposed porn URLs which actually point to browser exploiting pages. This botnet usually sends URLs hidden in non-related HTML, so it may be the botnet referred to by anti-spam vendor Marshal as "HTML". Ultimately the links lead to Canadian Pharmacy sites. |
| OneWordSub | |
|---|---|
| Estimated # of bots: | 40,000 |
| Alternate names: | Unknown |
| SMTP engine: | Template-based |
| Total botnet spam-sending capacity: | Unknown |
| Control: | Unknown |
| Rootkit-enabled: | Unknown |
| Identifying strings: | Unknown |
| Notes: | Although we see a significant amount of spam emanating from this botnet, as of yet the malware behind it has yet to be identified. Due to the format of the spam it is sending, we believe this is the same botnet which anti-spam vendor Marshal refers to as "One Word Sub". This botnet has been seen sending Canadian Pharmacy spam. |
| Ozdok | |
|---|---|
| Estimated # of bots: | 35,000 |
| Alternate names: | Mega-D |
| SMTP engine: | Template-based |
| Total botnet spam-sending capacity: | 10 billion spams/day |
| Control: | encrypted, TCP port 443 |
| Rootkit-enabled: | No |
| Identifying strings: | KILL_LAZZY_ON_CONNECT, KILL_LAZZY_MX |
| Notes: | Although Ozdok has a relatively small set of bots compared to some of the other botnets listed here, it is quite capable of pumping out a generous amount of spam, most of it related to enlargement products, but designer knock-offs and other spam are frequently seen. |
| Nucrypt | |
|---|---|
| Estimated # of bots: | 20,000 |
| Alternate names: | Loosky, Locksky |
| SMTP engine: | Template-based |
| Total botnet spam-sending capacity: | 5 billion spams/day |
| Control: | HTTP with encryption, TCP port 3133 |
| Rootkit-enabled: | Yes |
| Identifying strings: | 1f34ff45, taskmon.sys, /synctl/upd |
| Notes: | Relatively small yet capable botnet - may have been evolving for a few years. Last seen sending Canadian Pharmacy spam. |
| Wopla | |
|---|---|
| Estimated # of bots: | 20,000 |
| Alternate names: | Pokier, Slogger |
| SMTP engine: | Template-based |
| Control: | encrypted, TCP port 8080 |
| Total botnet spam-sending capacity: | 600 million spams/day |
| Rootkit-enabled: | Yes |
| Identifying strings: | %sxtempx.xxx, %.250s.lzo, ctxlsp.dll, psrip.dat, mailgrab_emails.dat, OE-MSO2000 |
| Notes: | Wopla is frequently installed by drive-by exploits in the same way as Srizbi, Rustock and Cutwail, although it doesn't appear to have been spread as widely. An interesting feature – Wopla can send spam direct-to-MX or by logging into at least one public webmail service. Bots which send spam through webmail providers will probably continue to increase in number, since the spam can evade IP-based blocklisting, and must rely solely on content-detection (or fingerprinting/anomaly detection at the webmail provider). Wopla seems to be primarily dedicated to porn spam. |
| Spamthru | |
|---|---|
| Estimated # of bots: | 12,000 |
| Alternate names: | Spam-DComServ, Covesmer, Xmiler |
| SMTP engine: | Template-based |
| Total botnet spam-sending capacity: | 350 million spams/day |
| Control: | encrypted, multiple TCP ports |
| Rootkit-enabled: | No |
| Identifying strings: | hs5p, XSMTPX |
| Notes: | Another botnet which cut its teeth mailing stock spam in 2006 and 2007, nowadays can be seen sending pharmaceutical spam. |
Other Spambots
In addition to these bots, there are several other template-based spam botnets, and still many more proxy-based botnets. Creating network-based fingerprints for proxy botnets is much more difficult, because ultimately you are fingerprinting the mailer engine, not the bot itself. In the case where the same spam tool might utilize multiple proxy botnets, it would greatly skew the results.
One template-based botnet (Warezov/Stration/Opnis) that was a major player six months ago has completely dropped off of the radar. Warezov was known for sending Chinese pump-and-dump stock spam. Perhaps it is no coincidence that in the same time frame that we stopped seeing Warezov spam/malware, the notorious spam kingpin Alan Ralsky was arrested and charged (among other things) with sending pump-and-dump stock spam for Chinese companies.
Conclusion
Template-based spam botnets are here to stay. Not only that, based on what we've seen in the lab we don't believe they've even achieved the level of efficiency of which they could be capable, as can be demonstrated by the wide range of capacity between the different botnets relative to their sizes. However, it may be somewhat surprising to some that less than a million hosts are responsible for the majority of spam, when we constantly hear statistics that suggest anywhere from 10% to 60% of all Windows PCs are infected with some sort of malware. It could be quite possible that all these botnets are massively larger, but most of the bots are unable to send spam, either because they are behind an SMTP-blocking firewall or located at an ISP which does not allow direct-to-MX mail from their customer base. If this is the case, perhaps the botnet counts we see here will drop even further. But, as has been the case in the past, spammers will simply adapt, and find new methods to pummel the world's networks.