Mayday botnet bigger than Dorf/Storm?

There has been quite a lot of discussion lately around the alleged appearance of a new botnet dubbed Mayday by researchers from Damballa. The discussion followed the publication of an article on the Dark Reading website.

According to the article, the new botnet is more powerful than the botnets created as a result of infection by various variants of the Dorf/Storm Trojan. I was understandably concerned with this new development, especially with the claim that the new botnet evades detection by anti-virus software. To be honest, I found this claim to be quite unlikely as there is a very small probability that any high-profile botnet similar to Dorf in size would escape the many sensors, spamtraps and honeypots placed by many security vendors, including Sophos.

It seems like the guys from Symantec had similar concerns about it. After some research, they found out their software already detected the Trojan responsible for the creation of the botnet as a variant of the W32/Mytob worm, but they decided to reclassify it as Trojan.Daymay. I have used our regular channels to request more information and acquire the sample to make sure we already detected it. I was pleased that the sample is already proactively detected by Sophos as Mal/Generic-A. So, it turns out that anti-virus software has no problem detecting the Trojan, but that was not a big surprise. Victims of various botnets are usually home users running older unprotected Windows versions, followed by unsuspecting owners of various Linux-based compromised hosts.

I will have a more detailed look into this Trojan as I am interested in how the botnet is created. One thing I could see immediately is that the main purpose of the Trojan is sending spam, using a website with a domain to report its presence and download additional control information. Watch this space for more information.

Overall, my conclusion is that there was an amount of hype in the published article. The push often comes from the keen PR departments of new companies that need media exposure to raise their public profile. I am not saying that the threat does not exist, but it looks like its profile is significantly lower than was implied.