Bagle Botnet Takes Over As Top Spammer

Written by Sue Walsh on February 17, 2011

At one time the Rustock botnet was the granddaddy of them all when it came to spamming, but it’s been knocked off the top of the hill by a not-so-new kid on the block: Bagle. So far this year the Bagle botnet is in the lead for most spam volume, and is currently responsible for 1 out of every 5 spam messages sent. Bagle was one of 2009’s top three botnets but for some reason was relatively quiet last year.

Bagle was first detected in 2004 and then, like now, only sent pharmaceutical and designer knock-off spam. It started by distributing the malicious code needed to propagate itself as fake Excel files, and then as fake text files. In an effort to pique the recipient’s curiosity, the files had names that suggested they were cracked versions of popular software suites or a large archive of porn. It also began using P2P networks to distribute its malware.

Rustock was previously king until its mysterious shutdown during the holidays. In early January it awoke and its spam volume soared by 98%. Like Bagle, it pumps out pharmaceutical spam, although it has switched from Canadian Pharmacy spam to a brand-new campaign for a new pharmacy site called Pharmacy Express. It’s possible Pharmacy Express is the product of the shady affiliates left high and dry after SpamIt and the Mega-D botnet were shut down last fall. The Xarvester and Lethic botnets also went quiet over the holidays, raising speculation that they may be connected somehow.

Comments

Max J. February 18, 2011

Does Bagle still avoid Microsoft-related(MSN, Hotmail, Microsoft.com) e-mail domains? If so, do you think that the rise of Gmail’s popularity helped to spur along Bagle’s top dog status as well?
