Top botnets control 1M hijacked computers
SecureWorks survey estimates the top 11 botnets are capable of flooding the Internet with more than 100 billion spam messages every day
Storm is a shadow of its former self, Kraken is just another name for Bobax, and the biggest botnet goes by the mouthful of "Srizbi," a noted botnet researcher said Wednesday as he released the results of his census of the various armies of hacked computers that spew spam.
Joe Stewart, director of malware research at SecureWorks, presented his survey at the RSA Conference, which opened Monday in San Francisco. The survey ranked the top 11 botnets that send spam; by extrapolating their size, Stewart estimated the botnets on his list control just over a million machines and are capable of flooding the Internet with more than 100 billion spam messages every day.
The botnet at the top of the chart is Srizbi. According to Stewart, this botnet -- which also goes by the names "Cbeplay" and "Exchanger" -- has an estimated 315,000 bots and can blast out 60 billion messages a day.
While Srizbi may not have gotten the publicity that Storm has during the last year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart's list.
"Storm is pretty insignificant at this point," said Stewart. "It got all this attention, so Microsoft added it to its malicious software detection tool [in September 2007], and that's removed hundreds of thousands of compromised PCs from the botnet."
The second-largest botnet is Bobax, which boasts an estimated 185,000 hacked systems in its collection. Able to spam approximately 9 billion messages a day, Bobax has been around for some time, but recently has been in the news again, albeit under one of its several aliases.
Other researchers, notably those at a security startup called Damballa, have been trumpeting a botnet dubbed Kraken -- sometimes spelled "Kracken" -- that they claim controls more than 400,000 computers. Stewart and others at SecureWorks believe Damballa has simply rebranded the older Bobax, which has several other nicknames besides Kraken, including "Bobic," "Oderoor," "Cotmonger," and "Hacktool.Spammer."
That mix-up over names is just one of the problems that Stewart hoped his research would solve, or at least reduce. "I've been covering botnets for a long time," he said, "and there's a lot of confusion about what botnets belong to what malware family. I want to try to shine some light on what malware belongs to what botnet, and what each botnet's doing."









