M86 Security Labs

Srizbi, Rustock and the Big Four


August 26, 2008

Recently there has been an interesting debate going on as to whether Srizbi and Rustock are rival botnets or are controlled by the same group.

The first point is that the two botnets are not the same.  Each botnet has a distinct way of communicating with its command and control servers, and each spambot type has its own distinct way of composing and sending its messages, i.e. spam.  At TRACE, we track some of these traits and publish the results on our spam statistics page.  Below is the latest update, which highlights the recent fortunes of the ‘Big Four’, namely Srizbi, Rustock, Pushdo and Mega-D.  These four currently account for over 80% of the spam received in our spam traps.

Beyond these facts however, the question of the relationships between the major botnets is both interesting and murky.

Back in February we observed all of the ‘Big Four’ simultaneously spamming messages with links to ‘express herbals’ websites.  In June we also discovered both Srizbi and Rustock spamming messages with links to the same web exploit template, called ‘r.html’.  And in July we found Srizbi, Rustock, Mega-D and Grum all spamming messages with links leading to a rogue ‘anti-virus’ program.  This suggests, at the very least, that the major botnets share customers.

The folks at FireEye have produced some interesting snippets of information which hint that there may be even closer links.  Their team found that the IP addresses of the control servers of Srizbi, Rustock and Pushdo are on the same subnet, hosted at the same ISP.  Recently we have also seen Mega-D connect to control servers on that very same subnet, suggesting it too should be added to the list.
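The two kinds of overlap described above (the same landing pages being advertised by several bot families, and several families' control servers sitting in the same subnet) are simple to check once you have the data.  The following is an added example, not M86/TRACE or FireEye code: it takes constructed records of (bot family, spam URL) and (bot family, C&C IP) and reports which links and which /24 networks are shared by two or more families.  The hostnames and addresses are placeholders (RFC 5737 TEST-NET ranges), not real botnet infrastructure.

```python
"""
Added example (not M86/TRACE or FireEye code): two checks a spam analyst
might run when asking whether distinct spambot families share customers
or infrastructure.

1. Campaign overlap: which landing pages (host + path) are advertised in
   spam from more than one bot family.
2. Infrastructure overlap: which bot families' C&C servers fall into the
   same /24 subnet.

All sample data below is constructed for illustration; hostnames and IP
addresses are placeholders, not real botnet infrastructure.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample: (bot family, URL seen in spam sent by that family)
SPAM_URLS = [
    ("Srizbi",  "http://pills.example/r.html"),
    ("Rustock", "http://pills.example/r.html"),
    ("Pushdo",  "http://herbal.example/express"),
    ("Mega-D",  "http://scan.example/av/download.php"),
    ("Grum",    "http://scan.example/av/download.php"),
    ("Srizbi",  "http://scan.example/av/download.php"),
    ("Rustock", "http://only-rustock.example/index.html"),
]

# Constructed sample: (bot family, C&C server IP). Placeholder addresses
# from the RFC 5737 TEST-NET ranges, not real control servers.
CNC_IPS = [
    ("Srizbi",  "192.0.2.17"),
    ("Rustock", "192.0.2.44"),
    ("Pushdo",  "192.0.2.201"),
    ("Mega-D",  "192.0.2.99"),
    ("Grum",    "198.51.100.8"),
]


def shared_links(records):
    """Map each (host, path) pair to the set of bot families whose spam
    linked to it, keeping only pairs seen from two or more families."""
    seen = defaultdict(set)
    for family, url in records:
        parts = urlsplit(url)
        seen[(parts.hostname, parts.path)].add(family)
    return {key: fams for key, fams in seen.items() if len(fams) >= 2}


def shared_subnets(records, prefix=24):
    """Group C&C IPs into /prefix networks and return, keyed by network
    string, the networks hosting control servers for two or more families."""
    groups = defaultdict(set)
    for family, ip in records:
        # strict=False lets a host address stand in for its enclosing network
        net = ip_network(f"{ip_address(ip)}/{prefix}", strict=False)
        groups[net].add(family)
    return {str(net): fams for net, fams in groups.items() if len(fams) >= 2}


if __name__ == "__main__":
    for (host, path), fams in shared_links(SPAM_URLS).items():
        print(f"link {host}{path} spammed by {sorted(fams)}")
    for net, fams in shared_subnets(CNC_IPS).items():
        print(f"subnet {net} hosts C&C for {sorted(fams)}")
```

A shared landing page only tells you the families had a common customer; a shared subnet is a stronger hint of common operators or at least a common hosting provider, and the prefix length is a parameter because what counts as "the same subnet" depends on how the ISP actually allocates its space.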

It makes a certain kind of sense for multiple botnets to be controlled by a single group.  The situation may be analogous to a multi-product business that milks its cash cows and nurtures its rising stars.  If one botnet is taken out or otherwise fails, the spammers have other systems to turn to.  Some botnets may also be better than others at flying under the radar or evading spam filters.  In other words, the spammer’s eggs are not all in one basket.



Last Reviewed: August 26, 2008 by Phil Hay