A report by e-mail and content security firm Marshal claims that just six
For the month of February, Marshal found that the most dominant botnet
spewing out junk e-mail was not the vaunted Storm worm but a network called
Srizbi, which first emerged last summer. Symantec describes
Srizbi as a “Trojan horse that sends spam and uses a rootkit to hide
Srizbi seems to be in the seeding stage, as it were, because all it’s doing now is perpetuating itself. It sends out spam to other people so they open a link that infects them with the Srizbi Trojan
Marshal has it accounting for 39 percent of spam it discovered in
February. Just the month prior, the botnet Mega-D, so dubbed because it was
selling male sexual enhancement products, was the major nuisance, with 35 percent of the spam.
Glen Myers, an engineer with Marshal, said Mega-D lost its place because it shut down for 10 days. He does not know why, but he said the shutdown did not lessen the amount of spam on the Internet. “It just moved to other networks.
That’s why other networks came in so high,” he told InternetNews.com.
“I don’t know if that means there’s a relation between people running
botnets or if advertisers are moving their content around.”
Storm, by contrast, only accounted for two percent of the spam in the
Marshal report. That seems extremely low considering how resilient and ubiquitous the worm was. “Storm got a lot of publicity, and people started specifically targeting that worm. That is impacting their ability to use it,” said Myers.
Paul Piccard, director of threat research for Webroot Software, agrees on that point. “We have seen a decrease in the Storm network. There’s been less instances and samples of Storm that we’ve seen recently. There’s been a
large push by security vendors to roll out signatures that detect and remove Storm,” he said.
However, he’s not so sure that just six botnets are responsible for the
millions of spam messages floating around on the Internet. “If it was only
six, we would have a much easier time protecting our customers,” said
Piccard. “It’s a little misleading to say there’s six botnets because
there’s multiple variants of each. There are sometimes close to 100
variants to specific pieces of malware.”
Scott Montgomery, vice president of global technical strategy for Secure
Computing, was even more blunt in his assessment. “Their premise is that the snapshot from their spam traps constitutes fact. Srizbi is a pretty neat little Trojan, I just think their scale is way off. To think this ten million machine behemoth Storm botnet is not relevant, I don’t think is reflective of what’s going on,” he said.
But Myers defends the findings, saying it’s a “true application of the
80/20 rule, that 80 percent of the spam comes from the top 20 percent of
botnets. We’ve already seen an example of this in February when the Mega-D
botnet went down and everything moved to Srizbi.”
As security gets better at blocking Storm, he argues, spammers “are less
likely to send out waves of Storm as they get diminishing returns because
everyone is looking for Storm. How many people are looking for Rustock?” he
said, in reference to a botnet that he said accounted for 20 percent of spam in
Don’t count Storm out, warned Piccard. “Remember, when you can create
variants very quickly and create new pieces of malware, it’s not uncommon
for malware to make a comeback later on,” he said. “Right now could be a
quiet period for Storm but we could see an uptick in activity in a few weeks to a month from now.”