Sometimes I read articles about the size of botnets.  For example, this article on Krebs on Security is called “Who’s Behind the World’s Largest Spam Botnet?”  Krebs names grum as the biggest botnet.

How is the size of the botnet measured?  There are multiple ways, here are three:

  1. Which botnet contains the most distinct sending IP addresses.
  2. Which botnet sends the most spam messages.
  3. Which botnet contains the most computers.  These computers might be using the same IP or they may be dormant.

I collect statistics on (1) and (2), but not (3).  Microsoft does collect malware statistics through its Microsoft Security Essentials A/V software, as well as the Malicious Software Removal Tool, but I can’t correlate its data with my own (we use two different sources to identify them).

Using my own data, then, which are the top 10 botnets by number of distinct IP addresses since Jan 1, 2012 (counting only hosts that have sent mail to our services, so YMMV)?

Top Botnets by IP since Jan 1, 2012

  1. [95.7] cutwail
  2. [82.1] grum
  3. [41.8] lethic
  4. [23.7] bobax
  5. [14.5] fivetoone
  6. [11.3] darkmailer
  7. [10.5] maazben
  8. [2.0] gheg
  9. [1.4] sendsafe
  10. [1.0] s_torpig

The numbers in square brackets are the normalized values of number of IPs.  For example, cutwail contains 95.7 times as many distinct IPs as s_torpig.
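As an added illustration of measures (1) and (2), here is a small script (not part of the original post) that derives both rankings from per-message records: distinct sending IPs per botnet for the first table, message counts per botnet for the second, each normalized so the smallest entry is 1.0 as in the tables above. The log format, the IP addresses and the counts are constructed for the example; only the botnet labels come from the post.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample records, one line per received spam message:
# "<sending IP> <botnet label>". Labels are from the post; the IPs
# (RFC 5737 documentation ranges) and the counts are made up.
SAMPLE_LOG = """\
203.0.113.10 cutwail
203.0.113.11 cutwail
203.0.113.12 cutwail
203.0.113.10 cutwail
198.51.100.5 grum
198.51.100.6 grum
198.51.100.5 grum
192.0.2.77 lethic
192.0.2.77 lethic
192.0.2.77 lethic
192.0.2.77 lethic
192.0.2.77 lethic
192.0.2.78 lethic
203.0.113.99 s_torpig
"""


def parse_records(text: str) -> Iterable[Tuple[str, str]]:
    """Yield (ip, botnet) pairs, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, botnet = line.split()
        yield ip, botnet


def count_by_botnet(records: Iterable[Tuple[str, str]]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (distinct IPs per botnet, messages per botnet).

    Measure (1) counts each IP once however often it sends; measure (2)
    counts every message, so a few chatty hosts can dominate it.
    """
    ips: Dict[str, set] = defaultdict(set)
    msgs: Dict[str, int] = defaultdict(int)
    for ip, botnet in records:
        ips[botnet].add(ip)
        msgs[botnet] += 1
    return {b: len(s) for b, s in ips.items()}, dict(msgs)


def normalize(counts: Dict[str, int]) -> List[Tuple[str, float]]:
    """Rank descending and scale so the smallest count becomes 1.0.

    Ties are broken alphabetically so the output is deterministic.
    """
    if not counts:
        return []
    smallest = min(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(b, round(c / smallest, 1)) for b, c in ranked]


def rankings(text: str) -> Tuple[List[Tuple[str, float]], List[Tuple[str, float]]]:
    """Both tables from one log: (by distinct IP, by message volume)."""
    by_ip, by_msgs = count_by_botnet(parse_records(text))
    return normalize(by_ip), normalize(by_msgs)


def format_table(title: str, ranked: List[Tuple[str, float]]) -> str:
    """Render a ranking in the same layout as the post's tables."""
    lines = [title]
    for n, (botnet, value) in enumerate(ranked, 1):
        lines.append(f"  {n}. [{value}] {botnet}")
    return "\n".join(lines)


if __name__ == "__main__":
    ip_table, msg_table = rankings(SAMPLE_LOG)
    print(format_table("Top Botnets by IP", ip_table))
    print()
    print(format_table("Top Botnets by # emails", msg_table))
```

On the constructed input the two measures already disagree in the way the post describes: lethic has only two sending IPs but the most messages, so it tops the volume table while sitting behind cutwail and grum by IP count.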

Top Botnets by # emails since Jan 1, 2012

  1. [185.8] lethic
  2. [33.4] cutwail
  3. [32.0] grum
  4. [11.2] darkmailer
  5. [8.5] maazben
  6. [7.0] bobax
  7. [3.2] spamsalot
  8. [3.1] gheg
  9. [2.1] fivetoone
  10. [1.0] phish

Going by these numbers, grum is the second largest by IP address and the third largest by volume of mail, but on volume it trails the leader by a wide margin.  It deserves the name of “one of the largest botnets,” but by our data it is not the largest one that sends spam to us.

The biggest one is either cutwail or lethic.  I’d list grum third.