New serious botnets have emerged, even though last year’s shut-down of a California web hosting company eradicated several prominent ones.
Joe Stewart , director of research at security software firm SecureWorks , said "Srizbi" and "Storm", the botnets he ranked as No. 1 and No. 5 respectively, in an April 2008 botnet census, had gone.
Srizbi, and to a lesser degree "Rustock," were crippled two months ago when McColo , a company that has long been hosting botnet command-and-control servers, was cut off from the Internet by its upstream providers after researchers accused it of harboring cyber-crime activity. Stewart was one of the researchers who had beaten the McColo drum.
When McColo's connection to the Internet was severed, spam volumes immediately plunged as spammers were unable to use Srizbi or Rustock bots to send their junk mail.
But the relief was short-lived. "There was a time when the bot numbers were diminishing, and we made up some ground," acknowledged Stewart. Now, however, other botnets have come into prominence. Some of them were well-known before the McColo take-down, but had been relatively small, while others have come out of obscurity.
The result? "Spam isn't quite up to the pre-McColo level, but it's easily within the 80% to 90% range," said Stewart, citing numbers consistent with other estimates. Symantec , for example, estimated this month's spam level at 80% of that before the McColo shut-down.
Botnets have rebounded for several reasons, most notably because they're profitable, said Stewart, who recently repeated his census of April to come up with a new ranking of botnets.
"Cutwail," the biggest beneficiary of the demise of Srizbi, took the top spot in Stewart's revised chart. It boasts an estimated 175,000 compromised PCs, up from 125,000 in April. "Cutwail's spam output actually increased shortly after [McColo], so it probably picked up some customers from other botnets," said Stewart.
As he did last year, Stewart estimated the botnet sizes by first "fingerprinting" each botnet with their implementations of SMTP (Simple Mail Transfer Protocol), then took a one-day spam traffic sample from each bot to extrapolate a total number of infected PCs in each botnet.