A botnet used solely to send junk e-mail promoting penis enlargement products has taken over from the Storm botnet as the most prolific sender of spam, according to security researchers.
The botnet Mega-D -- so named because of the products being offered by the spam it generates -- now accounts for 32 percent of all spam being captured by security firm, Marshal.
"This exceeds the level of spam being generated by the Storm botnet at its height, which was at 21 percent of the total spam we captured," Marshal VP of products Bradley Anstis told ZDNet.com.au. "Storm has now reduced to less than two percent of the spam we're tracking at the moment."
Efforts by antivirus vendors and initiatives such as Microsoft's malicious software removal tool have helped counter the spread of the Storm botnet, said Anstis. However, botnet operators appear to be applying lessons learned from the reaction against Storm. Unlike the Storm botnet, which attracted too much media attention, the operators of Mega-D are growing the number of bots they control because they have received little exposure, he added.
However, Anstis said Mega-D is gaining momentum through regions such as Asia and North America -- mimicking spread of the Storm botnet -- which are characterised by high broadband penetration and low antivirus protection.
And like Storm, Mega-D's controllers are using trojans which change on a regular basis to avoid signature-based detection, and working on a distributed peer-to-peer basis to prevent it being shut down. The trojan also turns itself off when it detects it is within a virtualised environment -- commonly used by AV vendors to analyse and report on spam.
"It turns itself off if it runs into a virtualised environment. AV vendors use this for virus analysis so if it detects this it turns itself off and pretends it's not there. It can tell if it's running on a VMware shell or other virtualised shells," said Anstis.
This was one of the features the operators of the Storm botnet did not develop until June last year, he added.
The main method of infection is by luring potential victims to visit fake Web pages and mimicking social networking sites. "They're using Facebook by creating e-mail messages that look like Facebook invites to view information. But when you click on the link it tells you to update your Flash Player. When you do that you're actually installing the trojan," said Anstis.
In order to maintain the deception, the victim will then actually be able to view the content being offered through the link.
According to Marshal's research, 70 percent of all spam is coming from five botnets: Mega-D, Pushdo, HTML, One Word Sub and Storm.