Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks.
Since the shutdown of the Rustock botnet in March, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.
The overall impact has been that spam accounted for 72.9% of email in June, returning to the same level as in April earlier this year. In June, 76.6% of this spam was being sent from botnets, compared with 83.1% in March. This marks a return to the same level of output as at the end of 2010. On average during 2010, 88.2% of spam was sent from botnets, falling to 77% by the end of the year. Despite these recent successes, botnets are still a dangerous force on the Internet and can be used for a variety of other purposes, including conducting distributed denial of service (DDoS) attacks, carrying out fraudulent click-throughs on unsuspecting Web sites for financial gain, hosting illegal Web site content on infected computers (known as bots), harvesting personal data from infected users and installing spyware to track the activities of those users.
Global spam has generally been falling since the shutdown of the Spamit affiliate Web site in late September 2010, and the takedown of Rustock has accelerated this decline. Spamit was one of the main affiliate Web sites through which pharmaceutical spam was being promoted and pharmaceutical spam levels have fallen considerably in recent months. In the latest analysis, spam relating to pharmaceutical products has fallen to approximately 40% of all spam in June 2011. Pharmaceutical spam accounted for approximately 64.2% at the end of 2010.
Even though spam is currently at the lowest level it has been since the McColo takedown in November 2008, it is still a huge problem. Following the disruption in March of Rustock, the largest spam-sending botnet, approximately 36.9 billion spam emails were in circulation each day during April. This number rose to 41.7 billion in May, before falling back to 39.2 billion in June.
A longer-term view shows that for the same period last year, spam accounted for 121.5 billion emails in global circulation each day, equivalent to 89.3% of email traffic in June 2010. This highlights that over a twelve-month period, a drop of 68.7% in volume resulted in a fall of only 16.4 percentage points in the overall global spam rate.
Figure 1 – Trend showing fluctuating global daily spam volume over twelve months
However, this does not mean that spammers are dead. This month’s report highlights the changing nature of the spam-sending botnet landscape and online pharmacy spam using two different angles: a spoof of an online video sharing service and a new online pharmacy brand, perhaps seeking to exploit the popularity of the “wiki” name in a number of high-profile Web sites. Also, May spam subject line analysis shows that adult spam continues to flourish.
This month we reviewed the state of the spam-sending botnet landscape, and concluded that despite earlier predictions, Bagle has not taken over the role of Rustock following its shutdown; the main reason being that we could not find any relevant connection between spam campaigns sent by those two botnets. However, it did appear much more likely that Grum has taken over, at least in part, some of the previous Rustock activity. Several spam events occurred in which the two botnets were clearly interconnected.
I hope you enjoy reading this very first combined report, and please feel free to contact me directly with any comments or feedback as to what you like or dislike about this new format. The new report and accompanying podcast may be downloaded from here: www.symanteccloud.com/globalthreats