Spam continues to surge as URL filtering fails to spot malicious sites

Spam has continued to surge in the early months of 2010, as pornography remains the most prevalent threat vector.

In Symantec's February 2010 MessageLabs Intelligence Report, analysis revealed a surge in spam levels in February to 89.4 per cent, an increase of 5.5 per cent from January. It put this down to an increase in spam emanating from the Grum and Rustock botnets, with the former's output increasing by 51 per cent, making it responsible for 26 per cent of all spam, up from its usual 17 per cent.

Paul Wood, MessageLabs Intelligence senior analyst, said: “Whether the spammers are trying to clear this spam run more quickly or have discovered that it is successful, they have certainly been using multiple botnets to distribute high-volume spam campaigns in February.

“The activities of this single spam operation have been driving recent global surges in spam rates and strongly impacting global spam levels in turn. Based on these latest spam patterns, we can predict additional surges in spam in the coming weeks.”

Fortinet's threatscape report for February revealed that pornography was the most common message tactic used in spam campaigns, with 63.6 per cent of messages using this vector. Of the threat traffic it detected, 84 per cent was malware, 15 per cent spyware and only one per cent phishing.

As to who was behind these attack campaigns, Fortinet said it knew that the engine driving the record-breaking spam runs was Cutwail: some of the more prevalent Cutwail-driven spam campaigns distribute scareware/ransomware, and this is popular because of the high profits available to cyber criminals.

It said: “Cutwail will also spam out botnet binaries (‘seeding campaigns’) and other advertisements, which indicates Cutwail is likely hired out as a spamming service (crime as a service) for multiple cyber criminals. Thus, it is likely not just one individual and/or group is behind these campaigns. With record levels and Cutwail operating in parallel with Webwail – its web spamming counterpart – there's no doubt we will see much more troublesome activity from this pair in the future.”

MessageLabs claimed that only 0.56 per cent of botnet spam contains an attachment; 6.2 per cent of spam from the Cutwail botnet carries an attachment, and the Xarvester botnet sends out 3.1 per cent of attachment-based spam. Overall, it said, botnets send less than one per cent of their spam with an attachment.

Analysis by M86 Security Labs found that six out of ten malicious URLs pass unnoticed through anti-virus scanners and URL filters, even when the two approaches are used together.

Bradley Anstis, vice president of technical strategy at M86 Security, said: “Even though URL filters now check for more than 22 million malware signatures, seven times the number in 2004, websites are still no safer as malware and Web 2.0 threats increase at least as quickly.”

It concluded that static signatures or URL filtering technologies alone, or even together, are unable to protect end users from contemporary threats such as zero-day attacks, malicious code served from legitimate sites and malware created at run time. The best approach combines three layers: URL filtering, anti-virus scanning and real-time code analysis.
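To make the three-layer argument concrete, here is an added example (not M86's or any vendor's code) that screens a fetched URL with a host blocklist, a hash-based signature match and a simple heuristic code analysis, and reports which layers would have caught each case. All hosts, hashes, page bodies and the indicator list are constructed for the demo; a real code-analysis engine would emulate or execute the script rather than count static tells as this one does.

```python
"""Three-layer URL screening: blocklist lookup, static signature match and a
heuristic code analysis of the fetched page body. Added teaching example;
every URL, hash, page body and indicator below is constructed."""
import hashlib
import re
from urllib.parse import urlparse

# Layer 1: URL filtering. Constructed blocklist of known-bad hosts.
URL_BLOCKLIST = {"malware-drop.example.invalid"}

# Layer 2: signature scanning. A constructed "known payload" whose SHA-256
# stands in for an entry in an anti-virus signature database.
KNOWN_PAYLOAD = b"MZ\x90\x00constructed-known-dropper-binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_PAYLOAD).hexdigest()}

# Layer 3: real-time code analysis. Hypothetical indicators of obfuscated,
# drive-by style script content (assumption: these tells and threshold).
CODE_INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
    "long_percent_run": re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),
    "hidden_iframe": re.compile(
        r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I),
}
CODE_THRESHOLD = 2  # two or more indicators => flag the page


def layer_url_filter(url: str) -> bool:
    """True if the URL's host is on the blocklist."""
    return (urlparse(url).hostname or "").lower() in URL_BLOCKLIST


def layer_signature(body: bytes) -> bool:
    """True if the fetched body hashes to a known-bad signature."""
    return hashlib.sha256(body).hexdigest() in KNOWN_BAD_SHA256


def layer_code_analysis(body: bytes) -> tuple:
    """Return (score, matched indicator names) for the page body."""
    text = body.decode("utf-8", errors="replace")
    hits = [name for name, rx in CODE_INDICATORS.items() if rx.search(text)]
    return len(hits), hits


def screen(url: str, body: bytes) -> dict:
    """Run all three layers and report which of them would have blocked."""
    score, hits = layer_code_analysis(body)
    verdict = {
        "url_filter": layer_url_filter(url),
        "signature": layer_signature(body),
        "code_analysis": score >= CODE_THRESHOLD,
        "indicators": hits,
    }
    verdict["blocked"] = any(
        verdict[k] for k in ("url_filter", "signature", "code_analysis"))
    return verdict


# Constructed samples covering the cases the text names.
SAMPLES = {
    # known-bad host serving a payload the signature database already knows
    "known_bad": ("http://malware-drop.example.invalid/setup.exe", KNOWN_PAYLOAD),
    # legitimate-looking host serving freshly obfuscated script: the
    # "malicious code served from legitimate sites" case
    "compromised_legit": (
        "http://news.example.com/story.html",
        b"<html><body><p>Story</p><script>eval(unescape("
        b"'%76%61%72%20%78%3d%31%3b%64%6f%63'))</script>"
        b'<iframe src="http://cdn.example.net/x" width=0 height=0></iframe>'
        b"</body></html>",
    ),
    "benign": (
        "http://news.example.com/about.html",
        b"<html><body><script>document.getElementById('t').textContent='hi';"
        b"</script></body></html>",
    ),
}


def run_samples() -> dict:
    """Screen every constructed sample and return the per-sample verdicts."""
    return {name: screen(url, body) for name, (url, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        layers = [k for k in ("url_filter", "signature", "code_analysis") if v[k]]
        print(f"{name:18s} blocked={v['blocked']!s:5s} by={layers} "
              f"indicators={v['indicators']}")
```

Running it shows the point of the layering: the known-bad sample is stopped by the URL filter and the signature match, the compromised legitimate site slips past both and is caught only by the code-analysis layer, and the benign page passes all three.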
