As part of the study's findings, TRACElabs determined that the Rustock and Xarvester malware provided the most efficient spambot code, enabling individual zombie computers to send 600,000 spam messages each over a 24 hour period.
"Over the past few years, botnets have revolutionized the spam industry and pushed spam volumes to epidemic proportions despite the best efforts of law enforcement and the computer security industry. Our intention was to better understand the origins of spam, and the malware that drives it," said Phil Hay, senior threat analyst, Marshal8e6 TRACElabs.
TRACElabs deliberately infected its lab computers and observed the behavior of the bot malware. Researchers looked at what changes it made to the registry, what ports it communicated over and observed how much spam each bot type was capable of sending.
The company's research extended to nine botnets that TRACElabs considered to be the largest spammers or the strongest up-and-comers, including: Xarvester, Mega-D, Gheg, Grum, Donbot, Pushdo, Bobax, Rustock and Waledac. These botnets collectively account for more than 70 percent of the world's total spam volume according to Marshal8e6.
Marshal8e6 will make the findings available on the company's TRACElabs Web site and will be updated on an ongoing basis.
"Results of our research provide our customers with optimum spam protection. Part of this research involves understanding the origins of spam and particularly botnets which are the engines used to distribute most spam today. This helps us develop algorithms and processes which track spam according to the botnet it was sent from," explained Hay.
"By sharing our botnet research and highlighting the worst offenders, we hope to provide a resource that will aid other researchers in the fight against spam. One of our objectives over the past few years has been to emphasize the dominant role that a handful of key botnets play in the spam we see today," continued Hay. "Ultimately, we wish to focus the wider security community on the key botnets in the hopes that we can collectively pool our efforts to disrupt these botnets and reduce the overall volume of spam in circulation."
The results of the Marshal8e6 botnet research can be found at http://www.marshal8e6.com/trace/bot_statistics.asp.
Marshal8e6 Threat Research and Content Engineering lab (TRACElabs) researches spam, phishing, Web exploits and malware. It is also responsible for the anti-malware defense and updates for Marshal8e6's suite of content security solutions, including MailMarshal SpamCensor, and Zero Day updates. Data and analysis from TRACElabs is continually updated and accessible online at www.marshal8e6.com/TRACE/.
Marshal8e6 is a global provider of Secure Web Gateway (SWG) and email security products. We are the only security company able to provide integrated, reliable and effective enterprise-class multi-layered solutions. Our deep expertise in Web and email allows us to correlate real-time threat intelligence to protect organizations from current and emerging threats. With 20,000 customers and 16 million end users in 96 countries, the company is privately held and based in Orange, California with international headquarters in London and offices worldwide. For more information about Marshal8e6, please visit http://www.marshal8e6.com.