New Botnets Emerge as Older Peers Limp Along


While botnets suffered a major setback late last year, the networks of hacker-controlled PCs are beginning to make their return, researchers said.

The Net’s major botnets — Storm and Srizbi — seem to have been dealt a crippling blow when their chief Web host, McColo, lost its access to the Internet. But a number of successors are already spreading rapidly and sending out increasing amounts of spam and malware.

“Srizbi and Storm don’t seem to be able to send out code any more, and we’ve got new botnets out there now,” said Matt Sergeant, senior anti-spam technologist at MessageLabs. He added that he believes botnet operators are regrouping and will begin launching more attacks later in the year.

Sergeant’s conclusions illustrate the difficulties facing security vendors and the online community at large in stopping the spread of botnets and spammers. The Storm worm had been the biggest botnet through 2007 and most of 2008, infecting up to 50 million PCs. It was later overtaken by Srizbi, which battled with Rustock, another up-and-comer, for the No. 1 position.

When McColo’s ISPs shut off its Internet access, Storm and Srizbi largely went dormant and worldwide spam levels fell by up to 70 percent. But spam levels began increasing within weeks as new players emerged.

Google, for instance, said it expects botnets’ spam activity to equal pre-McColo levels by the end of the month.

Behind the resurgence is a rogue’s gallery of botnets with names like Mega-D, Xarvester and Donbot, according to MessageLabs’ research.

Of the group, Mega-D has emerged as the most prolific botnet, sending out about 26 million spam messages per minute on average. Each PC infected by this virus sends more than 589,000 e-mails a day.

Others are proving less of a threat — for the moment. Xarvester, for instance, looks like an old version of Storm but isn’t proving as dangerous, Sergeant said.

“It’s probably owned by the same people, but is not as capable as the newer versions of Storm we saw last year,” he said.

Yet others seem to be lying low. Donbot is a new botnet that has not yet begun sending out much spam, but MessageLabs said it has the potential to be more dangerous than it now is.

Likewise, Cutwail, also known as Pandex, existed before the McColo takedown. While it controls more infected PCs than Mega-D does, it sends out only five million spam messages a minute on average, MessageLabs found. Sergeant added that it is a key botnet to watch.

Another problematic botnet that could be worse than Storm is W32/Waledac, which has capabilities that go way beyond those of the older worm, MessageLabs said.

Yet, it also is not sending out much spam, Sergeant said, adding that he’s concerned about this low level of activity among botnets and the code creating them.

“I think the botnet operators are just regrouping now,” he said. “Just taking down one ISP is not enough to stop them.”

There is also no clear explanation for why older botnets such as Waledac, Srizbi and Storm are more or less keeping quiet, he added.

“We’ve heard rumors that the original coder is not available to the owners of Srizbi and Storm, and they’ve had to go to older versions of their code and start from scratch,” Sergeant said. “But we’re not sure.”

Meanwhile, another new worm that could be bigger than Storm ever was is infecting PCs rapidly — but doing nothing else. Known variously as Downadup, Conficker and Confick, it has restricted itself to setting up botnets but has not yet sent out any spam.