Top botnets control 1M hijacked computers
They can dump more than 100B spam messages on users daily
Computerworld - Storm is a shadow of its former self, Kraken is just another name for Bobax and the biggest botnet goes by the mouthful of "Srizbi," a noted botnet researcher said today as he released the results of his census of the various armies of hacked computers that spew spam.
Joe Stewart, director of malware research at SecureWorks Inc., presented his survey at the RSA Conference, which opened Monday in San Francisco. The survey ranked the top 11 botnets that send spam. By extrapolating their size, Stewart estimated the bots on his list control just over a million machines and are capable of flooding the Internet with more than 100 billion spam messages every day.
The botnet at the top of the chart is Srizbi. According to Stewart, this botnet -- which also goes by the names "Cbeplay" and "Exchanger" -- has an estimated 315,000 bots and can blast out 60 billion messages a day.
While it may not have gotten the publicity that Storm has during the past year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. In fact, Storm is No. 5 on Stewart's list.
"Storm is pretty insignificant at this point," he said. "It got all this attention, so Microsoft added it to its malicious software detection tool [in September 2007], and that's removed hundreds of thousands of compromised PCs from the botnet."
The second-largest botnet is Bobax, which boasts an estimated 185,000 hacked systems in its collection. Able to sent approximately 9 billion unsolicited e-mails per day, Bobax has been around for some time but has recently been in the news again, albeit under one of its several aliases.
Other researchers, notably those at a security start-up called Damballa Inc., have been trumpeting a botnet dubbed "Kraken" -- sometimes spelled "Kracken" -- that they claim controls more then 400,000 computers. Stewart and others at SecureWorks believe Damballa has simply rebranded the older Bobax, which has several other nicknames besides Kraken, including "Bobic," "Oderoor," "Cotmonger" and "Hacktool.Spammer."
That mix-up over names is just one of the problems that Stewart hoped his research would solve, or at least reduce. "I've been covering botnets for a long time," he said, "and there's a lot of confusion about what botnets belong to what malware family. I want to try to shine some light on what malware belongs to what botnet, and what each botnet's doing."
To try to bring some organization to competing claims, often contradictory, of which botnets are on the rise and which on the skids, Stewart first "fingerprinted" each botnet. "There are enough differences to the SMTP 'fingerprints' for each botnet that we could separate them pretty accurately," he said.
|Botnet||# of bots||Spam capability|
Individual bots implement the SMTP (Simple Mail Transfer Protocol) with minor variations, Stewart said. By developing network-based signatures, he was able to differentiate the collections.
He also estimated the size of each botnet by taking a one-day spam traffic sample from that bot -- the sample derived from SecureWorks' client base -- and then using probabilistic counting methods, extrapolated to come up with a botnet total. Stewart said that past data collected from control server logs confirmed this estimating technique as "fairly accurate."
The whole idea, he added, was to make it easier for everyone to keep track of the most dangerous botnets. "I hope this lets other researchers classify and track botnets better," said Stewart. "Bobax, for instance, flew under the radar for over two years because of confusion. It was still around, but [antivirus] vendors stopped recognizing [the malware]."
End users should get something out of his work, too. "I think it matters a lot to end users what a botnet's called. They go to look for information, perhaps after they've been infected, and all they have is that it's 'Agent XYZ,'" he said. But unless everyone is one the same page, that "Agent XYZ" may simply be a new alias. "Then they'd find hardly any information on what it is or what data it may be after," Steward said. "They won't have a clear picture.
"I hope this trickles down to end users," Stewart concluded.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts