M86 Security spots Xarvester botnet rising from the e-grave

According to Phil Hay, whilst this comes as a surprise, it also comes against a backdrop of the downing of the Rustock spambot and a large number of changes in the bot landscape in recent months.

Along with Donbot - another oldie from 2006, Infosecurity notes - Hay says that these two botnets would not have got a mention in the bot charts just six months ago, "but now, clearly, someone has breathed new life into these spamming machines."

"Xarvester first came to our attention over two years ago, when it rose to prominence after the hosting provider McColo was unplugged, decimating the then leading spamming botnet Srizbi", said Hay in his latest security blog.

"We have also seen Xarvester clearly linked to Spamit.com, when we discovered Spamit footprints in Xarvester spam templates. So when we recently came across a Xarvester bot, we decided to take a closer look", he added.

Interestingly, M86 notes that the sample used was not named as Xarvester by any anti-virus vendor - Microsoft, for example, has been calling it Bymot, and AVG called it simply SpamTool.

A look at the strings in the malware body, says Hay, confirmed to his team that what they were looking at was Xarvester, as they had seen these strings in previous Xarvester bots.

"The spambot itself is relatively simple. When the executable is run, it first performs a query to checkip.dyndns.com to check the IP address of the host. The bot then connects to the def2010cnt[dot]biz domain on port 12309, and requests an encrypted file, which, when decrypted, proves to be a container for a bunch of files the bot needs to spam", he said.

"Again, this is very similar to what we saw with Xarvester over two years ago. The bot typically does not perform DNS lookups for each spam message, instead the IP address for each target domain is downloaded in the package", he added.

The M86 Security researcher goes on to say that the headers of the spam messages are very uniform, and closer inspection shows that the bulk of the header is hard coded in the malware body.

This is, he noted, unusual when compared to many of the other bots seen today that vary headers regularly.
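The two behaviours Hay describes, the checkip.dyndns.com lookup followed by a connection to port 12309, and SMTP sessions to addresses the bot never resolved itself, both leave a footprint in ordinary DNS and connection telemetry. The following is an added detection sketch (not M86's code) run over a constructed event stream; the field names and the host identifiers are assumptions, and only the service name and port come from the article.

```python
from collections import defaultdict

# Constructed sample event stream (not real telemetry): one record per DNS answer
# or outbound connection, as a host sensor or proxy/DNS log might emit them.
EVENTS = [
    {"t": 100, "host": "ws-17", "kind": "dns",  "name": "checkip.dyndns.com", "ip": "198.51.100.10"},
    {"t": 101, "host": "ws-17", "kind": "conn", "ip": "198.51.100.10", "port": 80},
    {"t": 131, "host": "ws-17", "kind": "conn", "ip": "203.0.113.5", "port": 12309},
    {"t": 200, "host": "ws-17", "kind": "conn", "ip": "192.0.2.25", "port": 25},
    {"t": 201, "host": "ws-17", "kind": "conn", "ip": "192.0.2.26", "port": 25},
    {"t": 202, "host": "ws-17", "kind": "conn", "ip": "192.0.2.27", "port": 25},
    {"t": 300, "host": "ws-42", "kind": "dns",  "name": "mail.example.org", "ip": "192.0.2.40"},
    {"t": 301, "host": "ws-42", "kind": "conn", "ip": "192.0.2.40", "port": 25},
    {"t": 400, "host": "ws-99", "kind": "dns",  "name": "checkip.dyndns.com", "ip": "198.51.100.10"},
    {"t": 401, "host": "ws-99", "kind": "conn", "ip": "198.51.100.10", "port": 80},
]

IP_CHECK_NAME = "checkip.dyndns.com"   # service name reported in the article
C2_PORT = 12309                        # C2 port reported in the article


def checkip_then_c2(events, window=300):
    """Hosts that resolve the IP-check service and, within `window` seconds,
    open a connection to the reported C2 port. Returns a sorted list of hosts.
    A lone checkip lookup (ws-99) is common legitimate behaviour and is not flagged."""
    last_check = {}
    hits = set()
    for e in sorted(events, key=lambda e: e["t"]):
        if e["kind"] == "dns" and e["name"] == IP_CHECK_NAME:
            last_check[e["host"]] = e["t"]
        elif e["kind"] == "conn" and e["port"] == C2_PORT:
            t0 = last_check.get(e["host"])
            if t0 is not None and 0 <= e["t"] - t0 <= window:
                hits.add(e["host"])
    return sorted(hits)


def direct_to_mx(events, min_sessions=3):
    """Hosts with at least `min_sessions` outbound SMTP connections to addresses
    they never resolved via DNS beforehand (the 'target IPs shipped in the
    package' pattern). Returns {host: count} for hosts over the threshold."""
    resolved = defaultdict(set)       # host -> IPs seen in its own DNS answers
    unresolved_smtp = defaultdict(int)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["kind"] == "dns":
            resolved[e["host"]].add(e["ip"])
        elif e["kind"] == "conn" and e["port"] == 25 and e["ip"] not in resolved[e["host"]]:
            unresolved_smtp[e["host"]] += 1
    return {h: n for h, n in unresolved_smtp.items() if n >= min_sessions}
```

Relay-based mail clients resolve their relay once and then reuse the address, so `direct_to_mx` is best applied to workstations that are not expected to speak SMTP to arbitrary hosts at all.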
