Botnet activity drops as spam remains high but steady


Real Host shutdown impacted Cutwail botnet.

Botnet activity has fallen significantly over the past month while levels of spam have remained steady.

The August 2009 MessageLabs Intelligence Report from Symantec found that activity levels for Cutwail, one of the largest botnets globally, fell by as much as 90 per cent following the shutdown of an ISP in Latvia.

The Latvian ISP Real Host was disconnected earlier this month after it was alleged to be linked to command-and-control servers for infected botnet computers, particularly the Cutwail botnet, which is responsible for approximately 15 to 20 per cent of all spam. Following the disconnection, global spam volumes immediately fell by as much as 38 per cent in the subsequent 48-hour period.

Meanwhile, the prolific botnet Donbot continued to use shortened URLs in its spam runs, peaking at distributing ten billion emails in just one day. 

Paul Wood, MessageLabs Intelligence senior analyst, Symantec, said: “Cutwail's activity levels fell by as much as 90 per cent following the disconnection of Real Host, but in a matter of days it was back to its former self, demonstrating just how powerful the Cutwail botnet really is in recovering and reinventing itself.

“ISPs have been blamed for helping botnet activity in the past, and taking these services down when unusual behaviour is monitored is an important part of the battle against cybercrime.”

In Fortinet's August 2009 Threatscape, it found that the ZBot was detected in record levels. Fortinet's Derek Manky claimed that several malware attack waves were evident in August, most notably on July 24 when a huge surge of ZBot activity occurred through HTML/Agent.E!tr.

Manky said: “In fact, this particular campaign posted record detection levels for a single-day run, surpassing that of the Sober worm in January 2006, the Storm worm in January 2007, and rogue security software in September 2008. The variant flooded on July 24th was HTML/Agent.E: in fact a ZBot variant attached in a MIME sample.”

Symantec further claimed that despite a brief variation in spam levels, the overall figure for August remained fairly steady at 88.5 per cent, with spammers taking advantage of the heightened interest in health-related issues due to the current swine flu pandemic, and of shortened URLs.

Manky claimed that Fortinet had seen a considerable number of spam campaigns carrying dangerous attachments, as well as considerable volume from a classic money mule scheme in the form of a fake job advertisement.

Meanwhile, MX Logic's threat forecast and report for 2009 claimed that the overall spam volume slowed slightly in August with a drop of around two per cent, with spam levels accounting for 94.9 per cent of all emails sent.

The report said: “At these percentage levels, even the smallest increase in overall spam volume can have a devastating effect, particularly on small-scale email infrastructures struggling to keep up. We don't anticipate any dramatic declines in volume or levels as spam remains a highly popular and profitable delivery mechanism for cybercriminals.”

Looking at future trends, MX Logic expects to see an increase in social networking spam and in malware disguised as messages from someone the recipient knows. It also claimed that while many universities and colleges have taken steps to decrease the spread of viruses and malware on campus networks, most have been slow to invest in security technology or to take significant action against the newer and more advanced Web 2.0 threats. This leaves potentially hundreds of thousands of college students vulnerable and could result in pandemic levels of malware infections on college campuses.

Finally, it found that healthcare-related spam is still the leading category of spam as the debate about US healthcare reform continues to heat up. It believes there is a strong chance this will increase, and that forms of political ‘hacktivism’ impacting the performance and availability of popular social networking sites will be seen.

The report said: “These highly concentrated attacks are becoming more common, and typically centre on highly controversial or political issues, hence their name.”

Copyright © SC Magazine, US edition