
The Distribution of Botnets Since Rustock Went Down

I pulled together some numbers from my collection of botnet statistics for the period between Rustock being shut down and Wednesday, April 6. I wanted to see the distribution of botnets per country: now that Rustock is down, which country has the most botnet infections (as measured by unique IP addresses that send us spam)?

The answer isn’t really that surprising and it is a trend that I have observed for many months. Here are the top five countries for botnet-infected IPs that I was able to identify:

  1. South Korea. Korea is the worst of the botnet-infested countries, with the largest number of IP addresses. The number one botnet in Korea is Lethic by a long shot. No other botnet even comes close. Cutwail is number two but is over 100 times smaller than Lethic. On the list of countries that send us spam, Korea places third. Of all mail from Korea (at the envelope level), 66% is marked as spam. The “badness” of Korea is a trend I have observed for a long time. It has been gradually moving up, and to see it this high is not surprising.
  2. Vietnam. Vietnam is another up-and-comer and is number two on my list. The number one botnet in Vietnam is Maazben by a long shot. The next biggest is Fivetoone, followed by Festi. Each of these is an order of magnitude smaller than Maazben. On the list of countries that send us spam, Vietnam ranks 25th (which is quite low). However, 62% of all mail from Vietnam is marked as spam.
  3. India. India is a country that I have seen move up and down my list many times, but to see it at number three is a little surprising. The number of unique bot’ted IPs in India is only 2/3 as many as in Korea, but this is still high. Unlike South Korea and Vietnam, where the number one botnet greatly outnumbers the number two, India is different. The number one botnet is Cutwail, and number two, Grum, is close behind. Bobax is a distant third. India ranks 12th among the countries that send us spam, and the total spam rate is 29%.
  4. Russia. After the top three countries there is a huge gap before the next most bot’ted country, but Russia is number four. The most commonly seen botnet in Russia is Bagle. Bagle is number one in Russia by a wide margin, but not by nearly as much as South Korea’s or Vietnam’s botnet gaps. Russia ranks second among the countries that send us spam, and has a total spam rate of 73%. This is unusual to me because the Bagle botnet is not the biggest botnet I see, not by a long shot, nor is it the worst for cramming many messages into each envelope. Yet here we are: Russia is the number two spamming country to us and Bagle is the most prolific botnet in that country.
  5. Indonesia. Rounding out the top five for botnets that I can identify is Indonesia. I never would have expected this country to be on this list, yet here we are. The number one botnet in Indonesia is Xarvester. Number two is Maazben, but they really aren’t close. The majority of the countries in my list show one botnet infection that tends to dominate the others. Indonesia ranks 26th among the countries that send us spam, and the total spam rate is 44%.

To put this in perspective, the United States is the number one country that sends us spam. It sends ten times more spam than the number two country (Russia). However, the total amount of mail from the US that is marked as spam is only 7%. [Disclaimer: we block a lot of spam at the network edge using IP blocklists. I am not including that data in my calculations.] The US is number six for bot’ted countries on my list and, unlike the other countries, the top four botnets of Asprox, Darkmailer, Sendsafe and Lethic are all within striking distance of each other. Historically, the US had a lot of Rustock infections. Therefore, with the Rustock shutdown a month ago, it is no surprise that we are seeing less spam from there.
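The three measures used in this post (unique bot IPs, spam volume, and spam rate at the envelope level) can rank the same countries in different orders. The following is an added example, not the author's code or data: the country codes AA and BB, the botnet labels, the IP addresses and the record layout are all constructed, and the botnet label on each envelope is assumed to come from an upstream classifier.

```python
from collections import Counter, defaultdict

def _env(country, botnet, n_ips, per_ip, spam, net):
    """Constructed envelopes: n_ips sources in `net`, per_ip messages each."""
    return [(f"{net}.{i}", country, botnet, spam)
            for i in range(1, n_ips + 1) for _ in range(per_ip)]

# Constructed sample, not the author's data. Tuple = (ip, country, botnet, is_spam).
SAMPLE = (
    _env("AA", "alpha", 40, 1, True, "10.1.0")     # many bots, little mail each
    + _env("AA", "beta", 2, 1, True, "10.1.1")
    + _env("AA", None, 3, 6, False, "10.1.2")      # legitimate senders
    + _env("BB", "alpha", 5, 20, True, "10.2.0")   # few bots, heavy senders
    + _env("BB", "beta", 4, 20, True, "10.2.1")
    + _env("BB", None, 10, 182, False, "10.2.2")   # large legitimate volume
)

def country_metrics(envelopes):
    """Per country: unique bot IPs, spam volume, spam rate, dominant botnet."""
    total, spam = Counter(), Counter()
    bots = defaultdict(lambda: defaultdict(set))   # country -> botnet -> {ip}
    for ip, country, botnet, is_spam in envelopes:
        total[country] += 1
        if is_spam:
            spam[country] += 1
            if botnet:
                bots[country][botnet].add(ip)
    out = {}
    for c in total:
        sizes = sorted((len(ips) for ips in bots[c].values()), reverse=True)
        out[c] = {
            # An IP seen in two botnets is counted once for the country.
            "bot_ips": len(set().union(*bots[c].values())),
            "spam_volume": spam[c],
            "spam_rate": spam[c] / total[c],
            "top_botnet": max(bots[c], key=lambda b: len(bots[c][b]), default=None),
            # How many times larger the #1 botnet is than #2 (None if no #2).
            "top_gap": sizes[0] / sizes[1] if len(sizes) > 1 else None,
        }
    return out

def rank(metrics, key):
    """Country codes ordered from highest to lowest on one metric."""
    return sorted(metrics, key=lambda c: metrics[c][key], reverse=True)

if __name__ == "__main__":
    m = country_metrics(SAMPLE)
    for key in ("bot_ips", "spam_volume", "spam_rate"):
        print(key, rank(m, key))
```

In the constructed sample, AA leads on bot IPs and spam rate while BB leads on raw spam volume, the same kind of split the post describes between the most bot'ted countries and the largest spam senders.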

One study that would be interesting to do is to compare the type of malware infections in these countries and see if there is any relation to the spambot infections in them. Maybe that’s something I’ll do in my spare time.

By Terry Zink, Program Manager
