Botnet masters are spreading their resources

With the takedown of the Pushdo/Cutwail, Bredolab and Rustock, the number of “zombified” US computers has decreased so much that the country is no longer considered one of the leading distributors of spam.

Even European countries have fallen down the ladder on the list of top spam sources, replaced by those located on the Asian and South American continent.

Having noticed that in some of the top spam countries the number of infected computers falls by a few percents as in others rises by nearly the same amount, Kaspersky Lab researchers have analyzed the information gathered on the top 11 countries on that list and have come to the conclusion that botnets in various countries are very likely run by the same people.

Taking into consideration the fact that the size of botnets continually changes and that there are smaller, “local” botnets in every country that interfere with the measuring of the weekly spam traffic, they have noticed that some of these countries present a similar dynamic when it comes to spam distribution, namely:

• India and Brazil;
• Ukraine, Taiwan and Thailand;
• Indonesia and Peru;
• Korea, Italy, Vietnam and Russia.

“Synchronous distribution of spam from countries located on different continents does not mean that computers in these countries are united in one big botnet,” explain the researchers. “Several small zombie networks can also operate synchronously, receiving commands for distributions from the same individuals.”

As botnets can be run from anywhere in the world, it stands to reason that the bot herders have decided to concentrate their infection efforts on countries that still don’t have effective laws regulating internet activity. Also, another logical step for them is to spread their botnets throughout various countries in case that one of them comes to the conclusion that a nation-wide alert to infected users (along with disinfection instructions) is a good idea.