
Spam levels surge with global pharmacy-spam push


There has been a worldwide surge in spam levels over the past month which Symantec primarily puts down to an increase in spam emanating from the Grum and Rustock botnets.


In its February MessageLabs intelligence report, Symantec says its analysis revealed spam levels rose to 89.4 percent, an increase of 5.5 percent since January.

MessageLabs intelligence senior analyst, Paul Wood, said that over the past year, Grum had experienced relatively little change in spam volumes, but from 5 February, Grum’s output increased by 51 percent making it responsible for 26 percent of all spam, up from its usual 17 percent.

Wood said that another significant spike in spam volumes occurred on 17 February, when global spam volumes increased by 25 percent pushing spam volumes to their highest for the month. The spike was caused by an increase in output from the Rustock botnet, and according to Wood both spikes in activity were related to a Canadian pharmacy-style spam run, which now accounts for 65 percent of all spam.

“Whether the spammers are trying to clear this spam run more quickly or have discovered that it is successful, they have certainly been using multiple botnets to distribute high-volume spam campaigns in February.

“The activities of this single spam operation have been driving recent global surges in spam rates and strongly impacting global spam levels in turn. Based on these latest spam patterns, we can predict additional surges in spam in the coming weeks.”

Symantec reports that, while spam volumes grew in February, the size of spam messages simultaneously shrank, as did the number of spam emails containing attachments. Over the past year, the number of attachments diminished from 10 percent in April 2009 to less than one percent in February 2010, according to Symantec, with the average file size of a spam email falling from 5 Kb in October 2009 to 3.3 Kb in February 2010.

“Rather than attach images to emails directly,” Wood said, “spammers are choosing to host the image online with a free image hosting service thus reducing the average file size of a spam email and enabling the botnets to send a greater volume of spam per minute.”

Symantec also reports that currently only 0.56 percent of botnet spam contains an attachment; however, some botnets use attachments more than others. For instance, 6.2 percent of spam from the Cutwail botnet contains an attachment and the Xarvester botnet sends 3.1 percent of attachment-based spam. However, other botnets send less than one percent of their spam with an attachment.

Also in its February report, Symantec reveals that the Waledac botnet, which had been relatively quiet since January 2009, made a recent comeback before its 22 February demise. The security firm says Waledac is believed by many to be the botnet that replaced the now defunct Storm botnet.

According to Symantec, malware from Waledac first spiked in January 2009 and again a year later in January 2010, each spike accounting for approximately one percent of all malware intercepted. In response to a complaint filed by Microsoft, a temporary restraining order was granted, resulting in 277 domain names believed to be associated with the Waledac botnet being taken offline.

“Malware connected to Waledac are not distributed by the botnet itself but are sent by other botnets,” Wood said. “Recently, Waledac malware has been sent from the Cutwail botnet. Also noteworthy is that spammers using the Waledac malware seem particularly focused on the major free webmail hosting services using email addresses in use by individuals. Waledac is adept at evading traditional dormant honeypot addresses.”

Symantec also reports:
•    Spam: In February 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 89.4 percent (1 in 1.12 emails), an increase of 5.5 percent since January.

•    Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 302.8 emails (0.33 percent) in February, an increase of 0.02 percent since January. In February 30.5 percent of email-borne malware contained links to malicious websites, an increase of 17.3 percent since January.

•    Phishing: In February, phishing activity was 1 in 456.3 emails (0.22 percent), an increase of 0.04 percent since January. When judged as a proportion of all email-borne threats such as viruses and Trojans, the proportion of phishing emails had increased by 5.1 percent to 56.1 percent of all email-borne threats.

•    Web security: Analysis of web security activity shows that 41.6 percent of all web-based malware intercepted was new in February, a decrease of 0.1 percent since January. MessageLabs Intelligence also identified an average of 4,998 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, an increase of 184 percent since January.

In its report on geographical trends, Symantec says that spam levels in Australia in February reached 89.5 percent. This compares with the most spammed country, Italy, where spam levels were 93.4 percent. In the United States spam levels reached 90.2 percent of all emails, with 88 percent in Canada, and in the UK spam actually fell to 88.6 percent.

On phishing attacks in February, Symantec says China was the most active country with one in 150.7 emails.
