SOURCE: Marshal

March 03, 2008 10:24 ET

Marshal Uncovers Six Botnets Responsible for 85 Percent of All Spam

Mega-D Botnet Suppressed; New Srizbi and Rustock Botnets Now Account for 60 Percent of All Spam

ATLANTA, GA--(Marketwire - March 3, 2008) - Marshal's TRACE team today announced it has identified six botnets that are currently responsible for 85 percent of all spam.

Following the recent dominance of the Mega-D botnet, which Marshal reported on in early February, the Srizbi botnet is now responsible for distributing the lion's share of spam -- 39 percent, followed by the Rustock botnet which is responsible for 21 percent.

Three weeks ago, Marshal reported the Mega-D botnet was the leading source of spam. After the announcement, researchers identified the malware behind the 35,000-strong botnet as Ozdok. The subsequent discovery of Mega-D's control servers saw spam sent from this botnet drop to zero during mid-February.

"This week, Mega-D returned again to represent 21 percent of spam after a 10-day period of inactivity," said Bradley Anstis, Marshal's Vice President of Products. "Due to the break, Mega-D only accounted for an average of 11 percent of spam during February. At its peak last month, it was responsible for a third of all the spam we caught in our spam traps. While the recent publicity spooked the Mega-D spammers into taking their control servers offline, they have now clearly re-established themselves elsewhere.

"While Mega-D faltered, Srizbi emerged as the leading spam botnet in February. It is advanced and extremely stealthy malware," Anstis continued. "Lately, Srizbi has been particularly active in attempting to spread itself through spam campaigns using celebrities as lures."

Other significant active spam botnets at this time include: Hacktool.Spammer (which has multiple aliases including Spam-Mailer) and the Pushdo family (alias Pandex and Cutwail) which is also known for mass spamming malware with celebrity hooks.

The notorious Storm botnet, which is comprised of an estimated 85,000 bots, is currently responsible for only three percent of spam volumes.

"The size of a botnet, measured by how many bots it has, does not necessarily correlate with how much spam it sends," explained Anstis. "Our TRACE team has observed huge variations in the rate at which different spambots pump out spam."

The Marshal TRACE team also believes spammers may have access to multiple botnets.

Mega-D is known for concentrating on male enhancement pills, under such brand names as 'Express Herbals' and 'Herbal King.' In addition to Mega-D, other botnets including Srizbi, Rustock, Hacktool.Spammer and Pushdo have been simultaneously sending spam with links to websites featuring the same 'Express Herbals' web page.

"It appears the spammers behind this campaign have access to more than one botnet to distribute their messages," said Anstis. "It's also a possibility that one group controls more than one of these botnets.

"By highlighting these spam botnets, we hope the security industry can collectively target these major spamming sources and in doing so significantly reduce spam volumes," Anstis concluded.

Further information and statistics regarding these botnet threats can be found at Marshal's TRACE Center website.

About Marshal

Marshal is a global leader in content security across multiple protocols, enabling organizations to secure their IT environment, protect against threats and comply with corporate governance needs. Marshal provides customers with a complete portfolio of policy-driven email and Internet solutions that integrate content filtering, compliance, secure messaging and archiving. Forty percent of the Global Fortune 500 companies use Marshal security solutions to secure their corporate messaging networks and Web access against internal abuse and external threats such as viruses, spam and malicious code. More than 7 million users in over 18,000 companies worldwide use Marshal solutions to protect their networks, employees, business assets and corporate reputation and to comply with corporate governance legislation requirements.

Marshal's Americas headquarters is in Atlanta, Georgia, with corporate headquarters in London (UK) and offices in Auckland (New Zealand), Houston (USA), Johannesburg (South Africa), Munich (Germany), Paris (France) and Sydney (Australia). More information is available at

About the Marshal TRACE Team

TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats through the TRACE website at TRACE services are provided as part of standard product maintenance that includes updates to Marshal's unique, proprietary anti-spam technology, SpamCensor. TRACE analyzes spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. It also provides "Zero Day" security protection against new email and virus exploits the day they emerge.
