Symantec Announces September and Q3 2009 MessageLabs Intelligence Report
September 2009 by Symantec
Symantec Corp. announced the publication of its September and Q3 2009 MessageLabs Intelligence Report. Analysis highlights that botnets are now responsible for sending 87.9 percent of all spam. A newer botnet, Maazben, has experienced rapid growth since its infancy in late May, mainly sending out casino-related spam, while Rustock, one of the oldest and largest botnets, has doubled in size since June and established a predictable spamming pattern. According to MessageLabs Intelligence, Maazben’s growth has accelerated during the past month, from 0.5 percent of all spam in August to 1.4 percent of all spam in September. Rustock is the largest in terms of number of bots, at 1.3 to 1.9 million, but has kept its output per bot relatively low. In addition, Rustock has settled into a predictable spam pattern, beginning every day at 3 a.m. ET, peaking at 7 a.m. ET and ceasing spamming at 7 p.m. ET. It then rests for eight hours before beginning again. Rustock is the only botnet with a regular spam cycle. One of the most dominant botnets, Rustock is responsible for ten percent of all spam; as such, its spam pattern is reflected in overall total daily spam patterns.
“Over the past year, we have seen a number of ISPs taken offline for hosting botnet activity, resulting in a case of sink or swim and an ensuing shift in botnet power,” said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. “This has undermined the power of the more dominant botnets like Cutwail and cleared the way for new botnets like Maazben to emerge. However, this won’t always be the case, as botnet technology has also evolved since the end of 2008 and the most recent ISP closures now have less of an impact on resulting activity, as downtime now only lasts a few hours rather than weeks or months as before.”
Following the closure of these ISPs over the past three months, two other botnets have had the opportunity to vie for Cutwail’s previous position as the most active botnet. Grum, half the size of Rustock but responsible for 23.2 percent of spam, and Bobax, responsible for 15.7 percent of spam, have both taken over as the most active botnets for spam distribution. Previously, Cutwail was responsible for 45.8 percent of spam.
Also in September, MessageLabs Intelligence analysis suggested that the decline in ‘domain tasting’ (registering a domain and cancelling the registration within the five-day grace period) reported by ICANN (Internet Corporation for Assigned Names and Numbers) in June 2009 may explain a change in the character of malicious websites: malicious domains are now more likely to be older, compromised websites than the newly registered, short-lived domains that were typical about a year ago.
An analysis of websites set up purely to serve malware shows that “young” domains, those registered no more than three months before first being blocked for hosting malicious content, are small in number, but the vast majority of them are blocked as malicious and were registered with malicious intent. Ninety percent of “young” domains are taken down within 38 days of registration.
“It is not surprising that with a small window of opportunity for younger domains, the attackers register domains much faster,” Wood said, “suggesting that attackers are working very hard to set up new domains and compromise new websites. However, in an effort to keep up with the rapid turnover of domains, the bad guys are often serving up the same malware.”
Furthermore, an analysis of older domains, those registered for more than three months before being compromised to serve malware, indicates that 90 percent of these websites have been taken down after 138 days, a much longer lifetime than their younger counterparts. MessageLabs Intelligence found that overall, 80 percent of domains blocked as malicious for serving malware are in fact compromised, legitimate websites.
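As an added worked example (not code from the Symantec report), here is how a blocklist analyst might reproduce the age-bucket analysis described above on a feed of blocked domains: each domain is classified as “young” or “older” by its age when first blocked, and the 90th-percentile time-to-takedown and the share of compromised (older) sites are computed per bucket. The 90-day cutoff for “young”, the choice of measuring time-to-takedown from the first block, and all domain names and dates are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List

# Assumed threshold for "young": registered up to three months (taken here as 90 days)
# before the domain was first blocked for serving malware.
YOUNG_MAX_AGE_DAYS = 90


@dataclass(frozen=True)
class BlockedDomain:
    """One domain from a (constructed) malware-blocklist feed."""
    name: str
    registered: date      # WHOIS creation date
    first_blocked: date   # first day the domain was blocked for serving malware
    taken_down: date      # day the domain was suspended / stopped resolving


def age_at_block(d: BlockedDomain) -> int:
    """Days between registration and the first block."""
    return (d.first_blocked - d.registered).days


def is_young(d: BlockedDomain) -> bool:
    """Young = registered no more than YOUNG_MAX_AGE_DAYS before first being blocked.
    Such domains are treated as registered with malicious intent; older ones as
    legitimate sites that were compromised."""
    return age_at_block(d) <= YOUNG_MAX_AGE_DAYS


def days_to_takedown(d: BlockedDomain) -> int:
    """Days the domain kept serving after it was first blocked (assumed metric)."""
    return (d.taken_down - d.first_blocked).days


def percentile(values: Iterable[int], p: float) -> int:
    """Nearest-rank percentile: the smallest sample such that p% of samples are <= it."""
    ordered = sorted(values)
    if not ordered:
        raise ValueError("no samples")
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(domains: List[BlockedDomain]) -> Dict[str, object]:
    """Bucket blocked domains into young/older and report, per bucket, the count and
    the 90th-percentile time-to-takedown, plus the share of blocked domains that are
    older (compromised legitimate sites rather than purpose-registered ones)."""
    young = [d for d in domains if is_young(d)]
    older = [d for d in domains if not is_young(d)]
    result: Dict[str, object] = {"total": len(domains)}
    for label, bucket in (("young", young), ("older", older)):
        if bucket:  # an empty bucket has no percentile, so it is simply omitted
            result[label] = {
                "count": len(bucket),
                "p90_days_to_takedown": percentile(map(days_to_takedown, bucket), 90),
            }
    result["compromised_share"] = len(older) / len(domains) if domains else 0.0
    return result


# Constructed sample feed (not real data); dates chosen to exercise both buckets.
SAMPLE_FEED = [
    BlockedDomain("a.example", date(2009, 6, 1), date(2009, 6, 10), date(2009, 6, 20)),
    BlockedDomain("b.example", date(2009, 6, 15), date(2009, 7, 1), date(2009, 7, 15)),
    BlockedDomain("c.example", date(2009, 5, 1), date(2009, 7, 20), date(2009, 8, 10)),
    BlockedDomain("d.example", date(2005, 3, 12), date(2009, 7, 2), date(2009, 9, 15)),
    BlockedDomain("e.example", date(2007, 11, 30), date(2009, 6, 20), date(2009, 10, 1)),
    BlockedDomain("f.example", date(2008, 1, 15), date(2009, 8, 1), date(2009, 9, 30)),
    BlockedDomain("g.example", date(2009, 2, 1), date(2009, 7, 5), date(2009, 11, 20)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FEED))
```

The nearest-rank percentile is deliberate: with small per-bucket samples an interpolated percentile would report a takedown time that no domain actually had, and a domain aged exactly 90 days at first block still counts as young under the inclusive cutoff.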
“It is of greater benefit to an attacker to compromise a legitimate website as opposed to setting up a newer, specialized domain to serve up malware,” Wood said. “Fundamentally, using legitimate websites to spread malware reduces the labor for the cybercriminals and extends the lifetime of the malware. Moreover, by taking advantage of the Add Grace Period, a policy that allows scammers to register a domain at no cost and cancel after five days, ‘domain tasting’ and ‘domain kiting’ have become common practice for cybercriminals, allowing them to beat the system without ever paying for malware distribution.”
Other report highlights:
Spam: In September 2009, the global ratio of spam in email traffic from new and previously unknown bad sources was 86.4 percent (1 in 1.2 emails), reflecting a 2.1 percent decrease since August. Spam levels for Q3 2009 averaged 88.1 percent, compared with 81.0 percent for Q3 2008.
Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 399.2 emails (0.25 percent) in September, a decrease of 0.09 percent since August. In September, 39.8 percent of email-borne malware contained links to malicious websites, an increase of 22 percent since August. In Q3 2009, email-borne malware activity averaged 1 in 330.3 emails compared with 1 in 122.5 for Q3 2008.
Phishing: In September, phishing activity was 1 in 437.1 emails (0.23 percent) an increase of 0.06 percent since August. When judged as a proportion of all email-borne threats such as viruses and Trojans, the number of phishing emails had decreased by 11.1 percent to 75.8 percent of all email-borne malware threats intercepted in September. Phishing activity in Q3 2009 reached 1 in 368.6 compared with 1 in 330.5 for the same period in 2008.
Web security: Analysis of web security activity shows that 12.3 percent of all web-based malware intercepted was new in September, an increase of 0.4 percent since August. MessageLabs Intelligence also identified an average of 2,337 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 33.4 percent since August.
• Denmark was the most spammed country in September with spam levels at 95.6 percent of all email.
• In the US, spam increased to 91.8 percent; in Canada it reached 91.2 percent. Spam levels rose to 91.7 percent in the UK.
• The largest increase in spam was for Sweden where spam levels rose by 7.2 percent to 89.6 percent. In the Netherlands, spam levels reached 91.9 percent, Austria remained unchanged at 90.7 percent, Hong Kong reached 93.4 percent and spam levels in Japan were at 89.4 percent.
• Virus activity in Switzerland rose by 0.08 percent, the largest increase for all countries, placing Switzerland at the top of the virus table for September.
• Virus levels for the US were 1 in 552.5 and 1 in 393.8 for Canada. In Germany, virus levels were 1 in 358.5, 1 in 666.2 for the Netherlands, 1 in 626.5 for Australia, 1 in 328.7 for Hong Kong and 1 in 552.0 for Japan.
• Switzerland was the most active country for phishing attacks with 1 in 246.4 emails, followed by the UK with 1 in 252.3.
• In September, the most spammed industry sector, with a spam rate of 94.7 percent, was the Engineering sector.
• Spam levels for the Education sector were 93.8 percent, 92.0 percent for the Chemical & Pharmaceutical sector, 92.2 percent for Retail, 90.6 percent for Public Sector and 90.6 percent for Finance.
• Virus activity in the Education sector fell by 0.36 percent but remained at the top of the table with 1 in 209.7 emails being infected in September.
• Virus levels for the Chemical & Pharmaceutical sector were 1 in 288.2, 1 in 346.4 for the IT Services sector, 1 in 682.0 for Retail, 1 in 262.2 for Public Sector and 1 in 579.2 for Finance.