Keeping track of botnets

  • Article

A couple of months ago, I posted a one-day snapshot of how much spam we see from individual botnets.  I’ve been keeping track since July 29 on the biggest ones that have names, and only for IPs that get past our RBLs.  At the time of my first post, I thought that the stats wouldn’t really change much over time and that at any given time, they would be more or less the same.

That’s only partially true.

It turns out that rustock is the highest spamming botnet and is followed by bagle-cb, then cutwail (that surprises me about cutwail).  However, there is variation.  Rustock is the biggest sending botnet but only about half the time.  There is great variation amongst the others.  Below is a chart for the first month after I started tracking it, with the biggest spamming bot for that day highlighted in green.  It is tracking the total amount of mail marked as spam and divided up amongst all of them, expressed as a percentage of the total.

image

The number of “victories” for each botnet:

Rustock – 13
Bagle-cb – 10
Cutwail – 11

But below is a chart of the next month.  Rustock gets first place again, but there is more variation amongst the smaller botnets. Bagle and cutwail run out of gas while darkmailer and grum pick up the slack.  In reality, darkmailer is a bit of a darkhorse in all this because it tends to get overshadowed by the big three botnets and often comes in second (a lot like every sports team I ever cheer for – this should not be interpreted to mean that I am cheering for these botnets, I merely use the term as an analogy).

image

Number of “victories” for the winners:

Rustock – 15
Bagle-cb – 5
Cutwail – 4
Darkmailer – 3
Grum – 3
Mega-d - 1

The weird thing is that at first, whenever I would check the stats, I would dump everything into a text file, then use cat file.txt | grep rustock.  This was a quick way to see who’s spamming.  I would see that at the start of my tracking, rustock had large stats but after a while, it shrank down.  I thought that there was something wrong with my script to track this stuff even though nothing had changed.  I couldn’t figure it out.  But as it turns out, it appears that the worst of the botnets are cyclical in nature (based upon my two month data set).  I will continue to track this going forward to see who is the worst, and when rotations shift.

Interestingly, as an investor (who hasn’t put much money to work in months), I couldn’t help but think about how this relates to investing.  In the markets, sectors rotate.  Semi-conductors lead at some parts of the year, and six months later it is the pharmaceuticals.  These cycles are difficult to predict and the advice some give is to buy the index funds that tracks everything; since market timing is nearly impossible, you should purchase the index to ensure you catch the upswings on everything.

I was thinking, after viewing these stats, that botnet timing is nearly impossible to predict… other than rustock will be the worst about half the time.  Hmm, I guess that’s where the analogy ends.  Well, so much for that.