A Festi-vous for the Rest of Us

Prefect — Sat, 07 Nov 2009 02:48:24 +0000

On Thursday, Darren Lewis of MessageLabs, the venerable e-mail security firm now owned by Symantec, published findings for a new botnet called Festi which rocketed into a top ten spot in the rankings of the largest spam sending botnets in September. First classified in August, Festi rose in September to propagating a high water mark of around three billion spam messages per day. The spam e-mails lead users back to web sites selling pharmaceutical products (primarily male enhancement) and watches/jewelry. The increase in spam messages tied to this botnet is due both to compromised bots sending out a larger number of spam messages as well as an increase in the number of infected machines: 60% of which are located in Asia, 18% in Europe, and 9% in North America.

Propagation

As detailed in the graph presented by MessageLabs, Festi’s responsibility for worldwide spam (as tracked by MessageLabs) spiked in a period of approximately one week in September, and after experiencing a slight drop off has started to sustain around a 5% share of worldwide spam.

Source: MessageLabs" title="festi_botnet" width="300" height="144" class="size-medium wp-image-1511" />

% of Spam: Festi - Source: MessageLabs

The Big Boys, et al.

Most of the world’s spam originates from a handful of botnets. Below you can see approximately where Festi now fits into that list. While botnets get a good deal of attention based around the capability to carry out distributed denial of service (DDOS) attacks, their primary usage at this point appears to be sending out spam.

*Spam Messages per Day by Botnet*
Name:	Messages:
Grum	39,882,623,356
Bobax	27,005,335,534
Cutwail/Pandex	19,093,814,547
Rustock	17,237,275,104
Bagle	14,018,452,695
Mega-D*	11,634,914,843
Festi	~3,000,000,000
Maazben	2,429,738,977

*Note that Mega-D is apparently falling fast.

Spam origination sources, Q3 2009 - Data Source: MessageLabs

Spam Messages

Variant 1

MessageLabs noted two variants of Spam, the first e-mail type comes with subjects such as Paradise in your bed, Very-very Magic Stick, Strong Stick, Magic stick, Hard stick tonight, or All night long and sends you to a pharmaceutical site registered with a .cn (China) domain:

First e-mail variant.

Pharmaceutical site the e-mail links to.

Variant 2

The second variant comes with subjects such as casablanca leather band, classic automatic, submariner limited coca cola edition, classic quartz, omega de ville co axial chronograph, or Hermes Watches and contains links to a web site selling watches and jewelry:

Second e-mail variant.

Prestige Replicas site (watches/jewelry) the link in the e-mail opens.

In Conclusion

It's getting to be that time of year.

Based on its relatively quick rise, Festi will get more attention in the near term and will be worth tracking to see where it eventually lands amongst the largest botnets globally.

Sorry, we couldn’t resist the title, its the first thing we thought of when we heard the name ‘Festi’. Now for the feats of strength…

References

Festi Botnet spins up to become one of the main spamming botnets

Related Posts:

Praetorian Prefect » spam