Report claims that 2009 was a year of stronger botnets and increased spam detections as cybercriminals learnt lessons from McColo

There has been an average rate of 87.7 per cent in detected spam in 2009, as a small number of botnets have become stronger.

According to the MessageLabs intelligence annual security report for 2009 from Symantec, cybercriminals have sharpened their survival skills and operated a volume and variety approach over the past 12 months.

It showed that there was a high of 90.4 per cent of detected spam in May, and a low 73.3 per cent in February. Paul Wood, MessageLabs intelligence senior analyst at Symantec, claimed that following the shutdown of McColo just over a year ago levels did drop but soon picked up again.

Wood said: “When McColo went offline there was a drop in volumes and it was bad for them because there was a lack of command and control and they were unable to talk to it. In 2009, technology has evolved to a new level where that will not happen again with them putting all of their eggs in one basket.

“We have seen a couple of days of downtime but with McColo it took a few weeks. They have really thought about disaster recovery and following McColo they have changed the domain name and the algorithm. We have also seen legitimate sites such as blogging or social networking but for the bot many have reacted in the same way.”

The report also said that the ten major heavyweight botnets, including Cutwail, Rustock and Mega-D, are now controlling at least five million compromised computers. It claimed that Cutwail was a dominating force across both spam and malware in 2009, and was responsible for issuing 29 per cent of all spam, or 8,500 billion spam messages between April and November 2009.

Cutwail also used its strength to spam out emails containing the Bredolab Trojan dropper. This was one of the major threats of 2009 as it was designed to give the sender complete control of the target computer which then could be used to deploy other botnet malware, adware or spyware onto the victim's computer.

Wood said: “The botnet has been a key trend and we have seen spamming botnets, there has been other ones trying to make an impression as have a large number of botnets at their disposal. These specific Trojans are mainly used as droppers.

“They are very flexible in terms of how they can be used and the application of genuine droppers can be used as you want for applications and these are then used to send other malware, so it may not be the bad guys having control of one botnet, they may have control of several. They are much more resilient than before and have learnt their lessons.”

Also, the first six months of 2009 saw many new finance-related attacks, as spammers and criminals sought to take advantage of the uncertainty surrounding the global economic downturn. In February, spam containing hyperlinks to a number of major well-known search engines delivered much of the early recession-based spam.

Another theme was trending-related spam, particularly regarding world events, festivities and news stories from 2009, including St. Valentine's Day, the H1N1 flu pandemic and the deaths of celebrities including singer Michael Jackson and actor Patrick Swayze.

Wood said: “It has been a big year in terms of events and the bad guys can utilise the trends and integrate into the spam. It has been a difficult year but with the numbers of events it is not something out of the norm, but with social networking so prevalent it is easy to look into the zeitgeist and find what tricks to use with the best return on the spam.

“In 2010 they will be able to tap into anything with certain news or that is localised because of social media.”

Sign up to our newsletters