The botnets that I track are dominated by a few of them – rustock, cutwail, and bagle-cb. Rustock is the one that appears far more heavily than others, but what about the smaller players?
When my scripts are working properly (which is about 50% of the time), I keep tabs on ten botnets. I have recently upgraded that to twelve. But I thought I would take a one-day snapshot to see where some of these botnets are sending spam from. Let’s take a look at two: gheg and grum. Below are tables of the top 15 countries for originating IP for spam.
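The tables the post refers to are built by mapping each spam message's originating IP to a country and ranking countries per botnet. The script below is an added example of that aggregation, written for this page and not the author's own tracking scripts. It assumes a log format of `<timestamp> <botnet label> <source IP>` per message, and it stands in a small constructed CIDR-to-country table for the GeoIP database a real setup would query; the prefixes and the sample log are made up for the example.

```python
"""Per-botnet top-N source-country tables from spam log lines (added example)."""
from collections import Counter, defaultdict
import ipaddress

# Constructed stand-in for a GeoIP database: CIDR prefix -> ISO country code.
# These are documentation/private ranges chosen for the example, not real
# geolocation data; a real script would query a GeoIP library instead.
GEO_PREFIXES = {
    "203.0.113.0/24": "KR",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "RU",
    "10.20.0.0/16": "CN",
}
NETWORKS = [(ipaddress.ip_network(cidr), cc) for cidr, cc in GEO_PREFIXES.items()]


def country_for(ip: str) -> str:
    """Return the country code for an IP, or '??' if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc in NETWORKS:  # prefixes do not overlap, so first match is enough
        if addr in net:
            return cc
    return "??"


# Constructed sample log: "<timestamp> <botnet label> <source IP>", one spam
# message per line. One line is deliberately malformed to exercise parsing.
SAMPLE_LOG = """\
2008-10-02T00:01:02Z gheg 203.0.113.5
2008-10-02T00:01:09Z gheg 203.0.113.17
2008-10-02T00:02:41Z gheg 198.51.100.8
2008-10-02T00:03:00Z grum 192.0.2.44
2008-10-02T00:03:12Z gheg 203.0.113.77
2008-10-02T00:03:30Z grum 192.0.2.9
2008-10-02T00:04:02Z grum 203.0.113.200
this line is garbage and must be skipped
2008-10-02T00:04:45Z gheg 203.0.113.8
2008-10-02T00:05:10Z grum 198.51.100.3
2008-10-02T00:05:55Z gheg 192.0.2.120
2008-10-02T00:06:20Z grum 192.0.2.130
2008-10-02T00:06:58Z gheg 203.0.113.9
2008-10-02T00:07:03Z grum 10.20.3.4
2008-10-02T00:07:40Z gheg 198.51.100.61
2008-10-02T00:08:15Z grum 192.0.2.201
2008-10-02T00:08:50Z grum 203.0.113.33
"""


def parse_line(line: str):
    """Parse one log line into (botnet, ip); return None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    _timestamp, botnet, ip = parts
    try:
        ipaddress.ip_address(ip)  # reject anything that is not a valid address
    except ValueError:
        return None
    return botnet, ip


def tally(log_text: str):
    """Count messages per (botnet, country). Returns (counts, skipped_lines)."""
    per_botnet = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        botnet, ip = rec
        per_botnet[botnet][country_for(ip)] += 1
    return per_botnet, skipped


def top_countries(per_botnet, botnet: str, n: int = 15):
    """Top-n countries for one botnet as (country, count, percent-of-total)."""
    counts = per_botnet[botnet]
    total = sum(counts.values())
    return [(cc, k, round(100.0 * k / total, 1)) for cc, k in counts.most_common(n)]


def render_table(per_botnet, botnet: str, n: int = 15) -> str:
    """Plain-text table in the spirit of the post's top-15 country lists."""
    rows = [f"{botnet}: top {n} source countries"]
    for rank, (cc, k, pct) in enumerate(top_countries(per_botnet, botnet, n), 1):
        rows.append(f"{rank:>2}. {cc}  {k:>5}  {pct:>5.1f}%")
    return "\n".join(rows)


if __name__ == "__main__":
    per_botnet, skipped = tally(SAMPLE_LOG)
    for name in sorted(per_botnet):
        print(render_table(per_botnet, name))
        print()
    print(f"skipped {skipped} malformed line(s)")
```

The percentages matter as much as the ranks: two botnets can share the same number-one country while one is far more concentrated there, which is exactly the kind of difference the post draws out. Counting messages rather than distinct IPs means a single prolific bot can inflate its country's share; switching the Counter to track a set of IPs per country would give a bot-population view instead.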
Looking at gheg, it is dominated by South Korea; no other country comes close. The United States, which is well known for being a haven of spamming, was only number 5 on gheg’s list yesterday, and it is dwarfed by South Korea. The gheg bot seems to be highly concentrated there.
But what about grum? It’s a botnet we don’t see too often on my blog. What does its profile resemble?
The grum botnet’s profile is quite a bit different from gheg’s. Whereas most spam from gheg originates out of South Korea, a good chunk of grum’s does as well, but not nearly as large a share of the total. The United States comes in at number 3. Of course, what is unsurprising about grum is that Russia is number 1. When we think of spam, many of us think of eastern Europe and especially Russia (at least I do). The grum botnet conforms to that stereotype completely. Yet Russia is only #9 on gheg’s list. To me, this suggests that gheg’s base of operations is in the far east while grum’s is in eastern Europe.
In future posts, I’ll take a look at a few more. Who knows, maybe one day I’ll do a very large whitepaper on the statistical profiles of botnets.