Kaspersky Lab: Botnet closures fail to stem flow of spam in the first quarter of 2011
May 2011 by Kaspersky
The closure of the Rustock botnet command centres on 16 March 2011 did not impact spam traffic as dramatically as last year’s Pushdo/Cutwail and Bredolab closures. According to Kaspersky Lab’s quarterly spam report, the quantity of spam fell by about two per cent but increased again shortly afterwards.
“This could be due to the closure of SpamIt, a large pharmaceutical partner program, and the fact that Rustock, which specialised in pharmaceutical spam, may well have ceased sending out mass mailings at the end of last year. It is also possible that the cybercriminals preferred to lie low for a while given the interest in botnets shown by law enforcement agencies towards the end of 2010,” explains Darya Gudkova, head of content analysis and research at Kaspersky Lab.
As a result, the amount of spam detected in mail traffic in the first quarter of 2011 was just under 80 per cent. This was a slight increase compared with the previous quarter, but was considerably less than the corresponding figure for last year.
Sources of spam
The Asian and Latin American share of the total volume of spam worldwide grew, while the amount of spam originating from eastern and western Europe fell. Africa also joined the list of the most active spam senders, with the volume of unsolicited messages coming from African countries exceeding that of the USA and Canada. These figures are in line with Kaspersky Lab’s forecasts that botnets would start shifting to regions with less effective or non-existent anti-spam legislation. However, cybercriminal activity suggests that in the future botnets will also continue to be developed in better protected regions.
Spammer tricks and techniques
Spammers also made use of some tried and tested techniques to avoid detection. Sending out spam emails containing a link to a video clip advertising anti-spammer services was one of them. Another trick saw emails that read “Stop sending me spam” allegedly written by an angry recipient. The email was in fact itself spam with a link leading to a malicious site.
Malware in mail traffic
Trojan-Spy.HTML.Fraud.gen maintained its leading position in the Top 10 rating of malicious programs distributed via mail traffic in the first quarter of 2011. The most notable entries in the Top 10 malicious programs spread via email belonged to a mail worm family, which accounted for four of the rating’s ten entries.
The Q1 2011 report notes that the volume of phishing emails was very small, accounting for only 0.03 per cent of all mail traffic. PayPal and eBay remained in the unenviable position of being the organisations most frequently targeted by phishers. “Notably, in the first quarter of 2011 Google services such as Google AdWords and Google Checkout were attacked less. The phishers switched their attentions to the highly popular Brazilian social network Orkut which is owned by Google,” said Maria Namestnikova, senior spam analyst at Kaspersky Lab. “It is worth mentioning that user accounts belonging to Google’s services, including Orkut, are interconnected. Thus, having acquired credentials for one of these accounts, a cybercriminal can access any Google service registered to the same user.”