At the RSA Conference, Joe Stewart, Director of Malware Research at Dell SecureWorks, presented the company’s report on the evolution of the spambot ecosystem.
Although the numbers show spam botnet sizes and spam volume to be down over last year, one trend that can be seen is spambots piggybacking on existing worms and viruses to extend their reach.
Spam has been one of the biggest drivers of malware proliferation over the past ten years, and no end is in sight. The spambot ecosystem is maturing, however: fewer new spambot families are emerging, and the existing families see only incremental changes. Development seems to proceed at a pace corresponding to the size of each botnet and the volume of spam it sends.
In previous years, we have detailed the top spambot families and have described the characteristics that define them. To continue with that tradition, here is the current lineup of spambots responsible for most of the volume of spam on the Internet today.
Summary of botnets covered in the report
· Rustock (est. 250,000 bots)
· Cutwail (est. 100,000 bots)
· Lethic (est. 75,000 bots)
· Grum (est. 65,000 bots)
· Festi (est. 60,000 bots)
· Maazben (est. 30,000 bots)
· The Rest of the Pack (estimated 5,000-30,000 bots each)
· End of Mega-D
Summary
Spam botnet sizes and spam volume are down from last year, but spambots are increasingly piggybacking on existing worms and viruses to extend their reach. Meanwhile, IP-based blacklists are more effective than ever at detecting spambots and listing their IPs so that anti-spam measures can block them. However, we recently reached a turning point: the last of the unallocated IPv4 space has been handed out, and the focus is shifting to IPv6 adoption.
It remains to be seen how the new allocations of IPv6 space will affect home PC users and ultimately the botnet ecosystem. One of the biggest problems with blacklisting IPv4 addresses today is DHCP "churn": an infected PC might change IP addresses several times a day, so a listing goes stale quickly and the bot's new address is clean until it is caught again. Depending on how ISPs roll out IPv6, this problem may be solved or it could get worse. A subscriber with a stable prefix is easy to list, but a subscriber handed an entire /64 (or larger) block can send from a practically unlimited supply of fresh addresses, so a blacklist would have to list prefixes rather than single addresses.
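To make the churn problem concrete, here is a small added example (not code from the report or from Dell SecureWorks) of a sender blocklist that lists IPv4 senders as single addresses with an expiry, and lists IPv6 senders by their /64 prefix on the assumption that the ISP delegates at least a /64 to each subscriber. The addresses, lease times and TTL are constructed for the illustration.

```python
import ipaddress

# Assumption for this example: each IPv6 subscriber gets (at least) a /64,
# so any address inside that /64 is treated as the same sender.
IPV6_LIST_PREFIX = 64


def listing_key(addr):
    """Map a sender address to the unit the blocklist stores.

    IPv4 addresses are listed individually (/32); IPv6 addresses are
    collapsed to their /64 so a bot that rotates its interface identifier
    still hits the same entry.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.ip_network(f"{ip}/32")
    return ipaddress.ip_network(f"{ip}/{IPV6_LIST_PREFIX}", strict=False)


class Blocklist:
    """Time-limited blocklist keyed on listing_key()."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._entries = {}  # listing key -> time (seconds) it was listed

    def list_sender(self, addr, now):
        self._entries[listing_key(addr)] = now

    def is_blocked(self, addr, now):
        key = listing_key(addr)
        listed_at = self._entries.get(key)
        if listed_at is None:
            return False
        if now - listed_at > self.ttl:
            # Entry aged out: with DHCP churn the address may already belong
            # to a different, clean customer, so we stop blocking it.
            del self._entries[key]
            return False
        return True


def simulate():
    """Constructed scenario: one IPv4 bot that churns, one IPv6 bot that rotates."""
    bl = Blocklist(ttl_seconds=24 * 3600)
    results = {}

    # IPv4 bot listed at t=0; a DHCP lease change at t=4h moves it to a new IP.
    bl.list_sender("198.51.100.23", now=0)
    results["v4_same_ip"] = bl.is_blocked("198.51.100.23", now=3600)
    results["v4_after_churn"] = bl.is_blocked("198.51.100.77", now=4 * 3600)

    # IPv6 bot listed at t=0; it then sends from a different address in its /64.
    bl.list_sender("2001:db8:1234:5678::1", now=0)
    results["v6_rotated"] = bl.is_blocked("2001:db8:1234:5678:abcd::99", now=3600)
    # A neighbouring /64 (a different subscriber) is not affected.
    results["v6_neighbor_prefix"] = bl.is_blocked("2001:db8:1234:5679::1", now=3600)

    # The IPv4 listing expires after the TTL.
    results["v4_expired"] = bl.is_blocked("198.51.100.23", now=25 * 3600)
    return results


if __name__ == "__main__":
    for name, blocked in simulate().items():
        print(f"{name}: {'blocked' if blocked else 'allowed'}")
```

The two failure modes the text describes fall out of the scenario: the IPv4 bot escapes the moment its lease changes (and the listing must expire, or the next customer to receive that address is blocked), while the IPv6 bot is caught as long as it stays inside the listed /64. Whether IPv6 makes things better or worse then hinges on the ISP's delegation size: if a subscriber gets a /48, the bot can hop across 65,536 distinct /64s and this /64 listing is no better than per-address listing, and if several customers share one /64 (as some carrier networks do), listing it blocks them all.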
IP blacklisting is not a panacea for spam, however; spammers have already begun to use "reputation hijacking", sending through hosts that already enjoy a good sending reputation, such as the ISP's own outbound mail relays, to bypass the blocking. This creates even more potential for problems on the ISP's side, since its own mail infrastructure can end up blacklisted along with the bot, and that could mean increased cost to the consumer. Without more effective international cooperation between ISPs and law enforcement, and more stringent laws against massive malware operations, this cost is likely to keep rising far into the future.