Posted on Tuesday, February 5th, 2008

Mega-D Spambot Follow-up

by Danny McPherson

Just to close the loop on this…

Phil Hay from the TRACE team at Marshal got back to me yesterday afternoon regarding my query about Mega-D. He provided clarifications on some of what he referred to as “misleading press reports”. Here’s a quick summary of his message:

  • The TRACE team identifies and tracks spambots based on characteristics of the spam messages they analyze; most consist of unique patterns in the message header
  • Contrary to some misleading press reports, they have NOT yet identified the malware responsible for the Mega-D spam.
  • Mega-D type spam is the number one type of spam they’re seeing at present
  • The spam originating from this spambot was dubbed Mega-D after a wave of “MegaDik” type spam it produced in late 2007.
  • They’ve been tracking spam with these characteristics for over a year and don’t consider it a new botnet.
  • During this time the volume of spam from Mega-D has grown to represent 32% of all spam they receive in their spamtraps
  • They’ve never seen a Storm botnet send this type of spam.
  • Their chief aim with the release was to raise the profile of what they’re calling Mega-D spam, to encourage the industry to further investigate and share information regarding the malware behind it.
  • They’re very open to working with industry and sharing information of these sorts, for a common good, and to assist other researchers as well.
  • Phil even provided some sample messages for us to analyze
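To make the first bullet concrete, here is an added example (my own, not Marshal/TRACE's code) of what header-based spambot tracking looks like in practice: each "family" is a set of header regexes, optionally plus the exact header order the bot emits, and a spamtrap's intake is tallied per family so that a share like the 32% figure above can be computed. The signatures, family names and sample messages are all constructed for the illustration; they are not Mega-D's real header patterns.

```python
"""Header-fingerprint tracking of spambot families (constructed example)."""
import re
from collections import Counter
from email import message_from_string
from email.message import Message

# Hypothetical signatures, invented for this example (NOT real Mega-D patterns).
# A signature is a set of header regexes that must all match, optionally plus
# the exact header order the bot's template produces.
SIGNATURES = {
    "family-A": {
        "headers": {
            "X-Mailer": re.compile(r"^MailClient 1\.\d+$"),
            "Message-ID": re.compile(r"^<[0-9a-f]{12}\$[0-9a-f]{8}@[a-z]+>$"),
        },
        "order": ("Received", "Message-ID", "From", "To", "Subject", "Date", "X-Mailer"),
    },
    "family-B": {
        "headers": {
            "Message-ID": re.compile(r"^<\d{6}\.\d{5}\.[a-z]{2}@.+>$"),
            "Content-Type": re.compile(r'^text/plain;\s*charset="?iso-8859-1"?$', re.I),
        },
        "order": None,  # header order is not part of this signature
    },
}


def matches(msg: Message, sig: dict) -> bool:
    """True if every header regex matches and (when given) the header order is exact."""
    for name, pattern in sig["headers"].items():
        value = msg.get(name)
        if value is None or not pattern.match(value):
            return False
    if sig["order"] is not None and tuple(msg.keys()) != sig["order"]:
        return False
    return True


def classify(raw: str) -> str:
    """Return the family whose signature matches the raw RFC 822 message, else 'unclassified'."""
    msg = message_from_string(raw)
    for family, sig in SIGNATURES.items():
        if matches(msg, sig):
            return family
    return "unclassified"


def tally(raw_messages) -> Counter:
    """Count messages per family, as a spamtrap would over its intake."""
    return Counter(classify(raw) for raw in raw_messages)


def share(counts: Counter, family: str) -> float:
    """Fraction of all counted messages attributed to one family."""
    total = sum(counts.values())
    return counts[family] / total if total else 0.0


# Constructed sample intake: two family-A, one family-B, two that match nothing.
SAMPLE_MESSAGES = [
    "Received: from host.example ([192.0.2.10])\n"
    "Message-ID: <0123456789ab$deadbeef@example>\n"
    "From: sender@example.net\nTo: trap@example.org\n"
    "Subject: hello\nDate: Tue, 5 Feb 2008 10:00:00 +0000\n"
    "X-Mailer: MailClient 1.3\n\nbody\n",
    "Received: from other.example ([192.0.2.11])\n"
    "Message-ID: <fedcba987654$01234567@test>\n"
    "From: sender2@example.net\nTo: trap@example.org\n"
    "Subject: hi\nDate: Tue, 5 Feb 2008 11:00:00 +0000\n"
    "X-Mailer: MailClient 1.7\n\nbody\n",
    # family-B: Message-ID shape plus charset; header order irrelevant
    "From: sender3@example.net\nTo: trap@example.org\n"
    "Message-ID: <123456.12345.ab@mail.example>\n"
    'Content-Type: text/plain; charset="iso-8859-1"\n'
    "Subject: offer\n\nbody\n",
    # ordinary mail: no signature matches
    "Received: from mail.example ([192.0.2.12])\n"
    "From: friend@example.com\nTo: trap@example.org\n"
    "Subject: lunch\nMessage-ID: <abc123@mail.example>\n"
    "X-Mailer: SomeClient 2.0\n\nbody\n",
    # same X-Mailer as family-A but wrong Message-ID shape and order
    "From: sender4@example.net\nTo: trap@example.org\n"
    "Message-ID: <plain-id@example>\n"
    "X-Mailer: MailClient 1.3\n\nbody\n",
]

if __name__ == "__main__":
    counts = tally(SAMPLE_MESSAGES)
    for family, n in counts.most_common():
        print(f"{family:13s} {n:3d}  ({share(counts, family):.0%})")
```

The point of requiring several independent header features (and, where the bot's template is rigid, the exact header order) is that a single header value is easy to share across unrelated mailers, whereas the combination is what makes a family attributable without ever having the malware sample in hand, which is exactly the situation the TRACE team describes.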

So, this makes a lot more sense to me. After a bit of prodding, it does appear to NOT be Storm, though Cutwail and some of the related malware may indeed be the source, as suggested here.

Thanks to Phil and the folks at Marshal for taking the time to clarify things!
