Sudden massive bot recruitment campaign by Srizbi botnet drives malicious spam up 9.9%, according to researchers at Marshal

A massive bot recruitment campaign appears to be behind a record surge early this month in the volume of malicious spam -- from 3 percent of all spam traffic to nearly 10 percent, according to researchers with Marshal’s TRACE team .

The Srizbi botnet, which has been making bigger waves these days than the fizzling Storm botnet, is the main driver of this malware-laden spam, according to Marshal, which says malicious spam traffic tripled within just one week. Srizbi is behind nearly half of all spam, malicious or otherwise, according to the researchers.

“When you see a 9.9 percent jump in one week, that’s significant. They either accidentally sent out too much spam or are on an ambitious recruitment drive at the moment,” says Bradley Anstis, vice president of products for Marshal. Anstis says he thinks it’s more the latter.

MX Logic last week reported a worm that had generated over 8 million spam messages in an apparent attempt to recruit bots for Srizbi. (See New Worm Spawns More Than 8M Spam Messages.)

Srizbi still hasn’t captured the same amount of attention as Storm, even though it’s been quietly gaining steam. Last month, Marshal reported that Srizbi was sending over 60 billion spam messages (malicious and non-malicious) each day, more than all other botnets put together. And SecureWorks earlier this year ranked Srizbi as the largest spamming botnet. (See Srizbi Botnet Sending Over 60 Billion Spams a Day and SecureWorks Unveils Research on Spamming Botnets.)

“Normally these botnets go under radar, but Srizbi has not operated under normal rules,” Anstis says. Malicious spam, mainly for recruiting bots, accounts for only 1 to 2 percent of all spam from most botnets, while Srizbi had been pumping out about 3 percent.

Joe Stewart, director of malware research for SecureWorks, says the spike in nasty spam could have more to do with Srizbi's makeup -- it's technically a collection of botnets. "Keep in mind that Srizbi is multiple botnets, each rented out to different spammers," Stewart says. The increase in spam traffic could just be one of its "customers" conducting a big spam run, according to Stewart.

According to Marshal, one Srizbi spam run for bots contains the first part of the potential victim’s email address in the subject line, plus a message about the victim looking “stupid” in a video, which is an attachment that contains the malware. Another tack is Classmates.com spam, where the message tries to tempt the user to click on a link to check a “new message” or to meet new “friends.”

Marshal considers the Srizbi botnet one of the biggest Internet threats today. “What we’re trying to do is to get [the industry] to pay attention to it as much as they do to Storm,” Anstis says. “We’re hoping to get a lot more focus on this to help eradicate it.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights