The criminals who ran Srizbi and Rustock have had far less success, said SecureWorks' Stewart. "Everyone fully expected Srizbi to come back," he noted, although that's not happened. Srizbi's controllers were stymied for a while by FireEye, which for a time was registering the domain names the bots would use to reconnect with new command servers. FireEye, however, was unable to finance the tactic indefinitely, and stopped.
"We're seeing Srizbi bots that are asking for [routing] domain names that aren't registered to anyone," said Stewart. He was unable to explain why the hackers had walked away from their botnets, but speculated that it was a business decision.
"The longer they left it, the more the botnet diminished," he said, noting that botnets continually lose machines as PCs are cleaned of the malware or taken out of service and replaced by new systems. "They have to make a decision, is it worth it to regain control or just build a new botnet?"
In the meantime, once-smaller players have grown in size as spammers turned to new providers. "'Xarvester' is one," said Stewart, "that has seemed to pick up a lot of traffic. It's somewhere between Mega-D and Cutwail in size, so it's moved into the top three with at least 130,000 bots."
Xarvester and another botnet, which Stewart has dubbed "Gahg," are spamming some of the same types of messages that once came from bots controlled by Srizbi's and Rustock's herders, he added.
"There aren't any new botnets, not so far," Stewart continued. But he warned that the criminals responsible for Srizbi and Rustock could very well be working on new malware and spreading it on vulnerable PCs. "That could be one reason why they haven't restored the [downed] bots, they could be in development right now."