Spam levels may have dropped, but botnets are still busy.
In fact, security researchers at this year's RSA Conference highlighted a mix of botnets both famous and unheard of that are growing on the strength of do-it-yourself kits and pay-per-install (PPI) systems.
Joe Stewart, director of malware research for Dell SecureWorks, reported that the most prolific spam botnet today is Rustock, which he estimates has 250,000 bots in its army. While in the past Rustock has periodically been overtaken by other botnets, it has pulled away because of the author's continued development to the botnet's codebase. Among its tactics: not mapping hostnames associated with the Rustock HTTP communication directly to the IP address of a Rustock controller, and having Rustock control servers run a TOR exit node to avoid disconnection by network administrators.
"It has probably the most thought and development, stealth, obfuscation [and] evasion built in to what it's doing, and it's evolved these things over the past few years," he said.
But while Rustock has the name and the fame, there are other botnets many people may not have heard of that have sneakily built up armies of bots by piggybacking on the growth of other malware. An example of this can be found with Lethic, which Stewart estimates has 75,000 bots. Lethic has been seen lately being installed by another bot known as "Butterfly" or "Bfbot." Bfbot botnets have been seen installing other spam Trojans as well, making the specific Bfbot system part of a growing ecosystem of pay-per-install operations.