Recently, Symantec said in its February 2008 State of Spam report that 78.5 percent of all e-mail is spam; they also said most of that is now coming from Europe. That's a change from previous reports that had suggested servers in North America were responsible. What the Symantec report doesn't explicitly state is that much of the European spam doesn't come from individuals sitting at their desks pumping out lists. Europe is one of the hotbeds for the Storm worm botnet, notorious for automatically co-opting its victims into spam relays. For example, with the release of a Valentine's Day theme-spam barrage in early February, Dr. Jose Nazario of Arbor Networks estimated that Storm has grown by as much as 50 percent in new infections. More ominous, Nazario says, is "the fact (Storm) is generating lots of money means that it's in (the creator's) interests to keep grooming it, keep growing it." Worse, Storm isn't the only big, bad botnet in town.
One new botnet that's making news is Mega-D. Nazario said that Mega-D got its name because the botnet is known to send out what is called in the business "enlargement spam." Think Viagra. Nazario said "This is a piece of malware that comes out typically on Friday afternoon, generally with a subject...telling you, for example, to go look at Angelina Jolie naked or Britney Spears having a fight with Angelina, things like that." He said the e-mail is sent primarily to Europe and North America. "Once people go ahead and have a look, they're nailed."
In February, U.K. security company Marshal declared Mega-D the biggest source of new spam on the Internet, outpacing Storm. This brought a degree of skepticism from other security researchers, such as Joe Stewart of SecureWorks. He told the U.K.'s The Register that Mega-D had far fewer infections than Storm and wasn't spreading very fast.
Mega-D is really Storm Lite?
There's also speculation that Mega-D might just be a dedicated subpartition of Storm. Nazario said Storm is one of the most high-profile of the active botnets to use encrypted command-and-control instructions, allowing the creators to lease off parts of the larger network to others. Fortunately, the encryption used by Storm isn't strong, and most researchers are able to access the data inside.
But without close examination of the malware code itself, Nazario said that can't yet be determined. Currently Marshal is working with Arbor Networks and others to determine what's what. Marshal spokesperson Phil Hay said in an e-mail to CNET "one thing is for sure, (Mega-D) is responsible for a huge amount of spam."
But Mega-D has company. Another security company, Damballa, has been tracking another spam-producing botnet called MayDay. While the number of infections isn't anywhere close to Storm's, MayDay has infiltrated some Fortune 500 networks, which gives some cause to worry because the actual number of infections could be higher.
MayDay uses HTTP to communicate, making the botnet harder to detect because the signal-to-noise ratio is much worse: bot traffic blends into the far larger volume of ordinary web traffic. Presently, HTTP bots appear to be limited to the Russian Federation and nearby countries, but Nazario and others wonder whether HTTP botnets could be the next big thing in criminal malware.
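One way defenders pick HTTP-based command-and-control out of that noise is to look for clients that contact the same host at nearly constant intervals, since a bot polling its controller is far more regular than a person browsing. The following is an added example, not code from the article or from Arbor Networks or Damballa; the proxy log format, the hostnames and the client addresses are all constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (ISO timestamp, client IP, destination host).
# 10.0.0.7 polls one host roughly every five minutes; 10.0.0.5 browses normally.
SAMPLE_LOG = """\
2008-02-20T10:00:00 10.0.0.5 www.example.org
2008-02-20T10:00:03 10.0.0.5 cdn.example.org
2008-02-20T10:00:04 10.0.0.5 www.example.org
2008-02-20T10:00:00 10.0.0.7 c2.example.invalid
2008-02-20T10:05:01 10.0.0.7 c2.example.invalid
2008-02-20T10:09:59 10.0.0.7 c2.example.invalid
2008-02-20T10:15:00 10.0.0.7 c2.example.invalid
2008-02-20T10:20:02 10.0.0.7 c2.example.invalid
2008-02-20T10:20:30 10.0.0.5 www.example.org
2008-02-20T11:40:00 10.0.0.5 www.example.org
2008-02-20T12:03:00 10.0.0.5 cdn.example.org
"""


def parse_log(text):
    """Group request timestamps by (client, host), sorted in time order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        sessions[(client, host)].append(datetime.fromisoformat(ts))
    for times in sessions.values():
        times.sort()
    return sessions


def find_beacons(text, min_hits=4, max_cv=0.1):
    """Return (client, host) pairs whose inter-request gaps are nearly constant.

    A low coefficient of variation (stdev / mean) of the gaps means the client
    is polling on a timer rather than being driven by a human.
    """
    flagged = []
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged.append(key)
    return flagged
```

Real bots often add jitter to their polling interval and legitimate software (update checks, mail clients) also beacons, so a hit is a lead for the analyst to inspect the host and request content, not a verdict on its own.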