M86 Security Labs
RSS feed of TRACElabs Blog from M86 Security

Srizbi now leads the spam pack


February 29, 2008

Three weeks ago we noted the Mega-D botnet was the leading source of spam.  What a difference three weeks can make!  In that time, the malware behind Mega-D was identified as Ozdok.  Subsequently, we also posted that the Mega-D control servers went offline for around ten days during which time spam from this pesky botnet dropped to zero.

Since then, we have also identified more of the malware behind other leading spam types that we receive in our TRACE spam traps.  So what does the spambot picture look like now?  Here are our statistics for February:


With the impact on Mega-D's operations, Srizbi has now taken over as the leader of the spam pack, responsible for nearly 40% of spam. Srizbi is well known as a spamming Trojan, and an advanced one at that. As we reported here, lately Srizbi has been particularly active in distributing spam with URLs that link to websites hosting more copies of the spambot. Analysis of Srizbi indicates it is extremely stealthy, operating in full kernel mode, which, among other things, allows it to hide its network activities and bypass sniffer tools. One interesting thing we noticed about Srizbi is that it provides continuous feedback and statistics to its control servers about which email addresses were good, and which were bad.

Of the remaining spambots, Rustock is the most significant at 20%.   Rustock, also well known for its spamming capability, has been around for some time in various guises - a good analysis of it can be found here.  Other significant active spambots at this time include: Hacktool.Spammer (which has multiple other aliases including Spam-Mailer); the Pushdo family (aliases Pandex and Cutwail), also known for mass spamming of its malware with celebrity hooks; and of course the infamous Storm, which, in spam terms, remains a relatively minor player. 

One thing to note is that the size of a botnet, measured in terms of how many bots it has, does not necessarily correlate with how much spam it sends. As we saw two weeks ago, Mega-D’s 35,000-strong botnet was responsible for considerably more spam than Storm’s botnet, estimated at 85,000 bots. In our lab, we have observed huge variation in the rate at which different bots pump out spam.

The relationships between these spam botnets are murky. Mega-D is known for concentrating on male enhancement pills called ‘Megadik’ or ‘VPXL’ under such brand names as ‘Express Herbals’ and ‘Herbal King’. Apart from Mega-D, recently we have noticed no fewer than four other major spambots, Srizbi, Rustock, Hacktool.Spammer and Pushdo, simultaneously spamming email with links to websites carrying the exact same ‘Express Herbals’ web page, as below. Obviously the spammers behind this campaign have access to more than one botnet to distribute their messages.
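Both observations above, that several unrelated spambot families were pushing the same landing page and, earlier, that bot count does not predict spam volume, fall out of a simple pass over spam-trap data once each trapped message has been attributed to the malware family that sent it. The Python script below is an added example and is not M86/TRACE tooling or data: the trap records, the `.example` domains, and every bot-count estimate other than the 35,000 (Mega-D) and 85,000 (Storm) figures quoted in the post are constructed for illustration. It normalises each spam URL to a landing page so affiliate parameters do not split one campaign into many, reports which pages are promoted by more than one family, and divides message counts by estimated botnet size.

```python
"""Spam-trap triage for attributed spambot traffic (added example, not TRACE code).

Each record is one trapped message plus the spambot family that was observed
sending it. The script:
  1. computes each family's share of the catch,
  2. groups messages by landing page and flags pages pushed by more than one
     family (a campaign with access to several botnets),
  3. divides message counts by estimated bot counts to show that a smaller
     botnet can out-spam a larger one.
All sample data is constructed for this example.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed spam-trap records: (sending family, URL found in the message body).
SAMPLES = [
    ("Srizbi", "http://express-herbals.example/index.php?aff=12"),
    ("Srizbi", "http://express-herbals.example/index.php?aff=13"),
    ("Srizbi", "http://dl.example.net/update.exe"),  # link to another spambot copy
    ("Srizbi", "http://express-herbals.example/"),
    ("Rustock", "http://EXPRESS-HERBALS.example/index.php"),
    ("Rustock", "http://pharma.example.org/buy/"),
    ("Pushdo", "http://express-herbals.example/index.php?ref=x"),
    ("Hacktool.Spammer", "http://express-herbals.example/index.php"),
    ("Mega-D", "http://herbal-king.example/"),
    ("Mega-D", "http://herbal-king.example/index.php?id=7"),
    ("Storm", "http://storm-lure.example/card.html"),
]

# Estimated bot counts. Mega-D and Storm are the figures quoted in the post;
# the others are placeholders constructed for the example.
BOT_COUNTS = {
    "Mega-D": 35_000, "Storm": 85_000, "Srizbi": 50_000,
    "Rustock": 40_000, "Pushdo": 30_000, "Hacktool.Spammer": 20_000,
}


def landing_page(url: str) -> str:
    """Reduce a URL to lower-cased host + path, dropping query strings and
    treating /index.php as the site root, so affiliate/tracking variants of one
    page collapse to a single key."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if path.endswith("/index.php"):
        path = path[: -len("index.php")]
    return f"{host}{path}"


def family_share(samples) -> dict:
    """Fraction of trapped messages attributed to each family (3 d.p.)."""
    counts = Counter(fam for fam, _ in samples)
    total = sum(counts.values())
    return {fam: round(n / total, 3) for fam, n in counts.items()}


def shared_campaigns(samples) -> dict:
    """Landing pages promoted by more than one family -> sorted family list."""
    page_to_families = defaultdict(set)
    for fam, url in samples:
        page_to_families[landing_page(url)].add(fam)
    return {page: sorted(fams) for page, fams in page_to_families.items()
            if len(fams) > 1}


def spam_per_bot(samples, bot_counts) -> dict:
    """Trapped messages per estimated bot, for families with a size estimate."""
    counts = Counter(fam for fam, _ in samples)
    return {fam: counts[fam] / bot_counts[fam]
            for fam in counts if fam in bot_counts}


if __name__ == "__main__":
    print("Share of catch by family:")
    for fam, share in sorted(family_share(SAMPLES).items(), key=lambda kv: -kv[1]):
        print(f"  {fam:18s} {share:.1%}")
    print("Landing pages pushed by more than one family:")
    for page, fams in shared_campaigns(SAMPLES).items():
        print(f"  {page}: {', '.join(fams)}")
    print("Messages per estimated bot:")
    for fam, rate in sorted(spam_per_bot(SAMPLES, BOT_COUNTS).items(), key=lambda kv: -kv[1]):
        print(f"  {fam:18s} {rate:.2e}")
```

On the constructed records the 'Express Herbals' page keys to a single landing page despite the mixed-case host and the differing `aff`/`ref` parameters, and four families show up against it; Mega-D also comes out ahead of Storm per bot even though its estimated botnet is less than half the size. In practice the family attribution is the hard part and comes from sandboxing the sending malware, as the post describes, not from the message itself.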


Investigation into the changing nature of these spamming botnets, and the malware behind them, is a major area of ongoing research for TRACE.  If you have any information that you would like to share with us regarding these botnets, please send us an email at the following address:

Last Reviewed: February 29, 2008