You are on the Cert-IST public site
Quick review of the top botnets

Date :June 05, 2008

Publication: Article

While monitoring IT web sites media we frequently read articles announcing that a new "botnet" was discovered, and that its power exceeds previously known contenders. "Storm", "Stration", "Mega-D" are examples of the botnets that jostle on the front of the scene. In this article we make a quick review of these "top" botnets.

 
Botnet architecture

When considering their architectures there are two types of botnets:

  • The botnets that use a central server to control the bots.
  • The botnets that use a "Peer to Peer" (P2P) architectural model.

Note: The word "bot" is the contraction of the word "robot". We will use this terminology in the rest of this article as its use is common when talking about botnet.

Botnets with a central server
This first type of architecture is the most common. Compromised machines (which run the "bots") are often controlled by a set of servers (instead of a unique server). Typically, when a bot starts, it attempts to contact a set of servers (the list of servers is often hardcoded). The first server that answers to these queries becomes the "commander" (master) and the bot becomes the slave.  It will obey to the commands received from the master.

To neutralize this kind of "botnet" you have therefore "just" to shutdown the master servers.

Note: Some authors (see [1]) identify two sub-families for this architecture to differentiate the case where the central server is an IRC server (that constitutes the first sub-family) to the other cases (that constitutes the second sub-family) .

Peer to Peer Botnets
This second type of architecture is more recent (2006). It uses a "Peer to Peer" model  that is a meshed network without any central servers. Each "bot" communicates with its neighbouring "bots" and does not know about the rest of the network. The hacker who controls the botnet (the "bot herder") and transmits orders to one of the "bots" (it does not matter which bot it is). Any order will then spread across the entire network (each "bot" receiving the order forwards it to its neighbours). The advantage of this approach is that it is very difficult to neutralize such botnets because it requires to shutdown all the machines part of the botnet.

There is currently few P2P botnets, including : Storm, Nugache, SpamThru and Mayday. Several analysts explain that the P2P architecture is not worth the effort : it is complex to implement and regarding the lifetime cycle a classical "botnet" (centralised architecture) survives, the level of sophistication of the P2P seems unnecessary.

 

Botnet usages

There is a very large number of working "botnets" on Internet because today most of the viruses install a "bot" on the system they infect. These botnets are used to :

  • send SPAM. SPAM "botnets" are run by "organisations" which make SPAM as a business. They are professional.
  • perform DDoS attacks. You can find in that category large botnets operated by professionals (like for SPAM) or other botnets run by individuals (e.g. "script kiddies").

Of course the same "botnet" could be used for both the SPAM and the DDoS purposes.


The list of the top spam botnets

The biggest "botnets" are those used to send SPAM. We list here the best-known botnets, and uses a study published by SecureWorks (see [2]) to assess "botnets" powers. Unless otherwise stated, all these botnets use the "central server" architecture.

Srizbi: Since February 2008 Srizbi is the most powerful SPAM known botnet. It has been estimated that this botnet is composed of about 315 000 compromised machines (bots) and has the ability to send around 60 billion spam messages per day. From a technical point of view, Srizbi is famous because of the high level of sophistication of its "rootkit" module which makes it stealthy on infected machines.

Rustock: Estimated size: 150 000 bots / 30 billion emails per day.
This "bot" was originally specialized in "pump-and-dump" SPAM (SPAM which tries to influence the stock exchange market of cheap shares by convincing spammed recipients to buy shares).

Kraken and Bobax: Estimated size: 185 000 bots / 9 billion emails per day.
"Bobax" is one of the oldest spam botnets. It recently mutates into "Kraken".

Storm: Estimated size: 85 000 bots / 3 billion emails per day.
This botnet uses a "P2P" model, which makes it very difficult to shutdown. Storm (also known as "Storm Worm" or "Zhelatin") has sparked very long debates throughout the year 2007 because of its estimated size and because of its P2P model. It had been stated that 50 million systems had been infected during the summer 2007, but it had been denied later).
 

Mega-D (Ozdok): Estimated size: 35 000 bots / 10 billion emails per day.
The botnet was most virulent in January 2008, but its activity slowed down sharply in February. According to some sources this slowdown is voluntary and aims at avoiding attracting to much attention.

 

Stration: This botnet was widespread at the end of 2006, but it seems to have disappeared since then. It has often been considered as the main competitor of "Storm". It is worth to mention that botnets may target each others, this the case of "Storm" which is known to have launched denial of service attacks (DDoS) against systems hosting "Stration".

 

For more information: