Network Security
Which Botnet Is Worst? Report Offers New Perspective On Spam Growth
- From: Howell, Paul
- Date: Thu Oct 01 06:23:42 2009
At
http://www.darkreading.com/securityservices/security/perimeter/showArticle.jhtml?articleID=220300610
Rustock might be biggest, but Grum is worst offender, MessageLabs study
says
Sep 30, 2009 | 06:09 PM
By Tim Wilson
DarkReading
In the early days of botnets, size was the main measure of the threat.
But as the malicious networks become more sophisticated, researchers
say, the biggest networks aren't always the worst offenders.
In a new report (PDF) issued yesterday, researchers at Symantec's
MessageLabs unit offered a detailed analysis of the size and output of
current botnets, including venerable spam carriers, such as Rustock, as
well as emerging offenders, such as Grum and Maazben. One of the
report's conclusions: Size doesn't always matter.
Rustock, for example, is still the largest of the botnets, with an
estimated size of between 1.3 million and 1.9 million nodes. Cutwail is
next in size, with an estimated 1 million to 1.5 million bots.
But neither of these two botnets is the largest proliferator of spam,
according to Paul Wood, senior analyst at MessageLabs and one of the
authors of the report. That title goes to a rapidly emerging botnet
called Grum, which delivered an average of 39.9 billion spam messages
per day last quarter -- more than 23 percent of all the spam on the
Internet.
"Despite the fact that it's half the size of Rustock, Grum is generating
much more spam," Wood says. "It's getting each bot to do a lot more
work."
Bobax, a botnet that has been around for more than two years, is also
becoming more efficient, generating more than 27 billion messages per
day and 15.2 percent of all Internet spam, the report says. That means
each Bobax node generates more than 1,400 spam messages per minute.
Botnet operators have discovered that many ISPs don't immediately
recognize the huge output of individual bots because each bot's
performance is affected only on the upload, not on the download, Wood
says. "Your computer might be a bot, but it might not affect your
download performance very much," he observes. "It's only when users try
to upload something and experience a performance problem that the ISP
gets a complaint."
As they become more sophisticated, botnet operators are finding ways to
make their infrastructures more efficient, Wood says. A new botnet,
Maazben, accounted for only 0.5 percent of Internet spam 30 days ago,
but now is generating 4.5 percent -- about 2.4 billion messages a day --
at its peak. As with Bobax, each Maazben bot is highly productive,
pushing out nearly 1,300 spam messages per minute.
The operators of Rustock also are becoming more calculated in their
approach, Wood says, but in a different way. For years, the botnet
generated huge spikes of spam "every fortnight or so," and then would go
quiet for long periods, he says. Now Rustock is becoming more regular in
its activity, outputting large batches of spam from 3 a.m. to 7 a.m.
(U.S. Eastern time) each day, and then going silent after 7 p.m.
"We don't know why it's operating on this schedule, but there's clearly
some automation going on there," Wood says. "Is there some sort of
maintenance period? Is it doing something else during that time? It's
hard to tell. But clearly, with its size Rustock is capable of much
greater activity."
No matter what their size or how efficiently they operate, botnets
clearly are at the heart of the spam problem, MessageLabs says.
According to the report, botnets generated an average of more than 150
billion messages per day last quarter -- nearly 88 percent of all the
spam on the Internet.
"The takedown of ISPs like McColo definitely helped, but it doesn't
solve the problem," Wood says. "Already we see botnet operators
spreading traffic across multiple ISPs, effectively giving themselves
better backup than some enterprises have."