Botnet activity drops as spam remains at high but steady level

News by Dan Raywood

Botnet activity has fallen significantly over the past month while levels of spam have remained steady.

The August 2009 MessageLabs Intelligence Report from Symantec found that activity levels for Cutwail, one of the largest botnets globally, fell by as much as 90 per cent following the shutdown of an ISP in Latvia.

The Latvian ISP Real Host was disconnected on 1 August after it was alleged to be linked to command-and-control servers for infected botnet computers, particularly the Cutwail botnet, which is responsible for approximately 15 to 20 per cent of all spam. Following the disconnection, global spam volumes immediately fell by as much as 38 per cent over the subsequent 48-hour period.

Meanwhile, the prolific Donbot botnet continued to use shortened URLs in its spam runs, peaking at ten billion emails distributed in a single day.

Paul Wood, MessageLabs Intelligence senior analyst, Symantec, said: “Cutwail's activity levels fell by as much as 90 per cent following the disconnection of Real Host, but in a matter of days it was back to its former self, demonstrating just how powerful the Cutwail botnet really is in recovering and reinventing itself.

“ISPs have been blamed for helping botnet activity in the past, and taking these services down when unusual behaviour is monitored is an important part of the battle against cybercrime.”

Fortinet's August 2009 Threatscape report found that ZBot was detected at record levels. Fortinet's Derek Manky said that several malware attack waves were evident in August, most notably on 24 July, when a huge surge of ZBot activity occurred through HTML/Agent.E!tr.

Manky said: “In fact, this particular campaign posted record detection levels for a single-day run, surpassing that of the Sober worm in January 2006, the Storm worm in January 2007, and rogue security software in September 2008. The variant flooded on July 24th was HTML/Agent.E: in fact a ZBot variant attached in a MIME sample.”

Symantec further reported that, despite the brief dip, the overall spam rate for August remained fairly steady at 88.5 per cent, with spammers exploiting the heightened interest in health-related issues arising from the current swine flu pandemic and making use of shortened URLs.

Manky also said that Fortinet had seen a considerable number of spam campaigns carrying dangerous attachments, and considerable volume from a classic money mule scheme in the form of a fake job advertisement.

Meanwhile, MX Logic's threat forecast and report for 2009 found that overall spam volume slowed slightly in August, dropping by around two per cent, with spam accounting for 94.9 per cent of all email sent.

The report said: “At these percentage levels, even the smallest increase in overall spam volume can have a devastating effect, particularly on small-scale email infrastructures struggling to keep up. We don't anticipate any dramatic declines in volume or levels as spam remains a highly popular and profitable delivery mechanism for cybercriminals.”

Looking at future trends, MX Logic expects to see an increase in social networking spam and in malware disguised as messages from someone the recipient knows. It also said that while many universities and colleges have taken steps to reduce the spread of viruses and malware on campus networks, most have been slow to invest in security technology or to take significant action against the newer and more advanced Web 2.0 threats. This leaves potentially hundreds of thousands of college students vulnerable and could result in pandemic levels of malware infections on college campuses.

Finally, it found that healthcare-related spam is still the leading category of spam as the debate about US healthcare reform continues to heat up. It believes there is a strong chance this will increase, and that forms of political ‘hacktivism’ affecting the performance and availability of popular social networking sites will be seen.

The report said: “These highly concentrated attacks are becoming more common, and typically centre on highly controversial or political issues, hence their name.”
