



By Enterprise Innovation Editors | Oct 28, 2009
Botnets now account for 87.9% of all spam sent worldwide, with a newer botnet called Maazben experiencing rapid growth since last May and Rustock doubling in size and settling into a predictable spamming pattern, Symantec reported recently.
According to MessageLabs Intelligence, Maazben’s growth has accelerated during the past month from 0.5% of all spam in August to 1.4% of all spam in September. Rustock is the largest in terms of number of bots at 1.3 to 1.9 million bots but has kept its output per bot relatively low. In addition, Rustock has settled into a predictable spam pattern beginning every day at 3 a.m. ET, peaking at 7 a.m. ET and ceasing spamming at 7 p.m. ET. It then rests for eight hours before beginning again. Rustock is the only botnet with a regular spam cycle. One of the most dominant botnets, Rustock is responsible for 10% of all spam. As such, its spam pattern is reflected in overall total daily spam patterns.
“Over the past year, we have seen a number of ISPs taken offline for hosting botnet activity resulting in a case of sink or swim and an ensuing shift in botnet power,” said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. “This has undermined the power of the more dominant botnets like Cutwail and cleared the way for new botnets like Maazben to emerge. However, this won’t always be the case as botnet technology has also evolved since the end of 2008 and the most recent ISP closures now have less of an impact on resulting activity as downtime now only lasts a few hours rather than weeks or months as before.”
Following the closure of these ISPs over the past three months, two other botnets have had the opportunity to vie for Cutwail’s previous position as the most active botnet. Grum, half the size of Rustock but responsible for 23.2% of spam, and Bobax, responsible for 15.7% of spam, have both taken over as the most active botnets for spam distribution. Previously, Cutwail was responsible for 45.8% of spam.
Also in September, MessageLabs Intelligence analysis revealed that a decline in ‘domain tasting’, the practice of registering a domain and cancelling the registration within a five-day grace period, may be responsible for a change in the nature of malicious websites. The decline was reported by ICANN (Internet Corporation for Assigned Names and Numbers) in June 2009. The analysis suggests that malicious domains are now likely to be older, compromised websites rather than newly registered domains with a short lifespan, as they were about one year ago.
An analysis of websites that are established with the pure intent to serve malware reveals that “young” domains, those that are registered up to three months before first being blocked for hosting malicious content, are small in number, but the vast majority of them are blocked as malicious and were founded with malicious intent. Ninety percent of “young” domains are taken down within 38 days of registration.