A report by e-mail and content security firm Marshal claims that just six botnets (define) are responsible for almost 90 percent of spam, but others in the spam filtering business disagree with the report’s findings.
For the month of February, Marshal found that the most dominant botnet spewing out junk e-mail was not the vaunted Storm worm but a network called Srizbi, which first emerged last summer. Symantec reports Srizbi as a “Trojan horse that sends spam and uses a rootkit to hide itself.”
Srizbi seems to be in the seeding stage, as it were, because all it’s doing now is perpetuating itself. It sends out spam to other people so they open a link that infects them with the Srizbi Trojan
Marshal has it accounting for 39 percent of spam it discovered in February. Just the month prior, the botnet Mega-D, so dubbed because it was selling male sexual enhancement products, was the major nuisance, with 35 percent of the spam.
Glen Myers, an engineer with Marshal, said Mega-D lost its place because it shut down for 10 days. Why he does not know, but he said that didn’t lessen the amount of spam on the Internet. “It just moved to other networks.
That’s why other networks came in so high,” he told InternetNews.com.
“I don’t know if that means there’s a relation between people running botnets or if advertisers are moving their content around.”
Storm, by contrast, only accounted for two percent of the spam in the Marshal report. That seems extremely low considering how resilient and ubiquitous the worm was. “Storm got a lot of publicity, and people started specifically targeting that worm. That is impacting their ability to use it,” said Myers.
Paul Piccard, director of threat research for Webroot Software, agrees on that point. “We have seen a decrease in the Storm network. There’s been less instances and samples of Storm that we’ve seen recently. There’s been a large push by security vendors to roll out signatures that detect and remove Storm,” he said.
However, he’s not so sure that just six botnets are responsible for the millions of spam messages floating around on the Internet. “If it was only six, we would have a much easier time protecting our customers, said Piccard. “It’s a little misleading to say there’s six botnets because there’s multiple variants of each. There are some times close to 100 variants to specific pieces of malware.”
Scott Montgomery, vice president of global technical strategy for Secure Computing, was even more blunt in his assessment. “Their premise is that the snapshot from their spam traps constitutes fact. Srizbi is a pretty neat little Trojan, I just think their scale is way off. To think this ten million machine behemoth Storm botnet is not relevant, I don’t think is reflective of what’s going on,” he said.
But Myers defends the findings, saying it’s a “true application of the 80/20 rule, that 80 percent of the spam comes from the top 20 percent of botnets. We’ve already seen an example of this in February when the Mega-D botnet went down and everything moved to Srizbi.”
As security gets better at blocking Storm, he argues, spammers “are less likely to send out waves of Storm as they get diminishing returns because everyone is looking for Storm. How many people are looking for Rustock?” he said, in reference to a botnet that said accounted for 20 percent of spam in February.
Don’t count Storm out, warned Piccard. “Remember, when you can create variants very quickly and create new pieces of malware, it’s not uncommon for malware to make a comeback later on,” he said. “Right now could be a quiet period for Storm but we could see an uptick in activity in a few weeks to a month from now.”
Article courtesy of InternetNews.com