Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

The distribution of botnets since Rustock went down


I pulled together some statistics from my collection of botnet data for the period between Rustock being shut down and Wednesday, April 6.  I wanted to see the distribution of botnets per country – now that Rustock is down, which country has the most botnet infections (as measured by unique IP addresses that send us spam)?

The answer isn’t really that surprising and it is a trend that I have observed for many months.  Here are the top five countries for botnet-infected IPs that I was able to identify:

  1. South Korea

    Korea is the worst of the botnet-infested countries, with the highest number of infected IP addresses.  The number one botnet in Korea is Lethic by a long shot.  No other botnet even comes close.  Cutwail is number two but is over 100 times smaller than Lethic.

    On the list of countries that send us spam, Korea places third.  The total amount of mail (at the envelope level) that is marked as spam from Korea is 66%.  The “badness” of Korea is a trend I have observed for a long time.  It has been gradually moving up and to see it this high is not surprising.

  2. Vietnam

    Vietnam is another up-and-comer and is number two on my list.  The number one botnet in Vietnam is Maazben by a long shot.  The next biggest is Fivetoone, followed by Festi.  Each of these is an order of magnitude smaller than Maazben.

    On the list of countries that send us spam, Vietnam ranks 25th (which is quite low).  However, the total amount of mail marked as spam from Vietnam is 62%.

  3. India

    India is a country that I have seen move up and down my list many times, but to see it at number three is a little surprising.  The number of unique bot’ted IPs in India is only 2/3 of Korea’s, but this is still high.  Unlike South Korea and Vietnam, where the number one botnet greatly outnumbers the number two, India’s top two are close: the number one botnet is Cutwail and Grum is close behind.  Bobax is a distant third.

    India ranks 12th in the countries that send us spam, and the total spam rate is 29%.

  4. Russia

    After the top three countries there is a huge gap before the next most bot’ted country, but Russia is number four.  The most commonly seen botnet in Russia is Bagle.  Bagle is number one in Russia by a wide margin, but not nearly as wide as South Korea’s or Vietnam’s botnet gaps.

    Russia ranks second in the countries that send us spam, and has a total spam rate of 73%.  This is unusual to me because the Bagle botnet is not the biggest botnet I see, not by a long shot, nor is it the worst for cramming many messages into each envelope.  Yet here we are, Russia is the number two spamming country to us and Bagle is the most prolific in that country.

  5. Indonesia

    Rounding out the top five for botnets that I can identify is Indonesia.  I never would have expected this country to be on this list, yet here we are.  The number one botnet in Indonesia is Xarvester.  Number two is Maazben, but they really aren’t close.  The majority of the countries on my list show that one botnet infection tends to dominate the others.

    Indonesia ranks 26th in the countries that send us spam, and the total spam rate is 44%.

To put this in perspective, the United States is the number one country that sends us spam.  It sends ten times more spam than the number two country (Russia).  However, the total amount of mail from the US that is marked as spam is only 7%.  [Disclaimer: we block a lot of spam at the network edge using IP blocklists.  I am not including that data in my calculations.]  The US is number six for bot’ted countries on my list and, unlike the other countries, the top four botnets of Asprox, Darkmailer, Sendsafe and Lethic are all within striking distance of each other.  Historically, the US had a lot of Rustock infections.  Therefore, with the Rustock shutdown a month ago, it is no surprise that we are seeing less spam from there.
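The measures used throughout this post (unique bot-infected IPs per country split by botnet family, how far the top family leads the runner-up, and the share of envelope-level mail marked as spam, with edge-blocked traffic excluded) can be computed from a mail log like this.  This is an added example with constructed records, not the author’s own tooling; the record layout, country codes and botnet labels are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of envelope-level mail-log records (not real data).
# Fields: sender_ip, country, verdict, botnet family ("" for non-bot senders).
RECORDS = [
    ("10.0.0.1", "KR", "spam", "lethic"),
    ("10.0.0.1", "KR", "spam", "lethic"),  # same IP seen twice: counted once
    ("10.0.0.2", "KR", "spam", "lethic"),
    ("10.0.0.3", "KR", "spam", "cutwail"),
    ("10.0.0.4", "KR", "ham", ""),
    ("10.0.1.1", "US", "spam", "asprox"),
    ("10.0.1.2", "US", "spam", "darkmailer"),
    ("10.0.1.3", "US", "ham", ""),
    ("10.0.1.4", "US", "ham", ""),
    ("10.0.1.5", "US", "ham", ""),
    ("10.0.1.6", "US", "ham", ""),
]

def bot_ips_by_country(records):
    """Unique bot-infected IPs per country, split by botnet family."""
    seen = defaultdict(lambda: defaultdict(set))
    for ip, country, verdict, botnet in records:
        if verdict == "spam" and botnet:
            seen[country][botnet].add(ip)
    return {c: {b: len(ips) for b, ips in fams.items()} for c, fams in seen.items()}

def spam_rate(records):
    """Percent of envelopes marked spam per country (edge-blocked mail never reaches this log)."""
    total, spam = Counter(), Counter()
    for _, country, verdict, _ in records:
        total[country] += 1
        spam[country] += 1 if verdict == "spam" else 0
    return {c: round(100 * spam[c] / total[c]) for c in total}

def rank_countries(records):
    """Countries by unique bot IPs, with the top family and how far it leads the runner-up."""
    out = []
    for country, fams in bot_ips_by_country(records).items():
        ranked = sorted(fams.items(), key=lambda kv: kv[1], reverse=True)
        top_name, top_n = ranked[0]
        second_n = ranked[1][1] if len(ranked) > 1 else 0
        lead = round(top_n / second_n, 2) if second_n else float("inf")
        out.append((country, sum(fams.values()), top_name, lead))
    return sorted(out, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for row in rank_countries(RECORDS):
        print(row)
    print(spam_rate(RECORDS))
```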

One study that would be interesting to do is to compare the type of malware infections in these countries and see if there is any relation to the spambot infections in them.  Maybe that’s something I’ll do in my spare time.

  • Would be nice to identify the zombie OSes -- is XP really bad? Is Win7 better? Are Macs or Linux boxes significantly involved in generating spam? Would national policy of some sort, such as re-installing or banning all of one kind of OS, tend to fix the problem?

  • What, more government control?  :)  XP isn't bad if you know what you are doing.  I've had XP on my main machine since it came out.  I have good surfing habits.  When I purposely click on a spam link I use NoScript on Firefox.  I use Webroot Spysweeper with AV, SuperAntiSpyware, and WinPatrol in real time to catch anything that may accidentally come in.
