Back in early February, we covered the rapid rise of the Mega-D botnet and its various social-engineering-based attack methods. At the time, there was some question as to what malware was behind the creation of Mega-D (it has since been identified as Ozok), and no definite time frame as to when the botnet might be shut down. Now, according to security firm Marshal, Mega-D's profile is shrinking, thanks to a 10-day control server failure, but another botnet, Srizbi, is quickly moving into the gap.

Srizbi is a spambot trojan that has been on a self-propagating kick of late. The attack vector in this case is unsophisticated and involves a great deal of celebrity porn spam. We recently reported on the malware market's increasing preference for multilingual hackers, but the folks behind Srizbi apparently haven't gotten that memo; a screenshot of one of the offending advertisements informs potential prey that "The pornos is New!"

Anyone fooled into clicking on such a link is handed a file to download. Once downloaded and run, the system in question is infected with a number of other Trojans, including Srizbi itself. Wash, rinse, repeat, and the entire cycle starts over again. Srizbi's attack methodology is relatively primitive compared to Mega-D's; the latter attempted to mimic social web site emails and actually displayed Flash animations once users had installed a "Flash update."

Srizbi is not alone in the post-Storm botnet world. Marshal estimates that six botnets account for 85 percent of the total spam sent worldwide. Srizbi is currently in the lead, with 39 percent of the "market," followed by Rustock at 20 percent, Mega-D at 11 percent, Hacktool.Spammer at seven percent, Pushdo at six percent, and Storm at two percent.

These numbers track the amount of spam each botnet is producing rather than the total number of systems infected by each botnet. The two numbers can vary widely; at its peak, the Storm network accounted for 21 percent of all spam and contained an estimated 85,000 bots. Mega-D, on the other hand, grew to encompass 32 percent of the spam network in early February, but contained only an estimated 35,000 bots.

One interesting development that may also provide further proof that the botnet industry is commercializing is the mounting body of evidence that suggests multiple botnets are being used to advertise a single product or group of products. Over the past few weeks, Marshal picked up advertisements for the "Express Herbals" website from sources infected by Srizbi, Rustock, Hacktool.Spammer, and Pushdo.

If this trend continues, it may indicate the growth of a twisted competitive advertising environment in which fraudulent companies with useless products actively "advertise" over certain botnets. The attractiveness of any given botnet might even be evaluated in terms of its size, audience composition, and resistance to attack. The idea of a competitive botnet market in which various companies with established botnets compete for a black hat corporation's advertising dollars is somewhat twisted, but it's a logical step for an industry that's reinventing itself on increasingly commercial terms.
