Spam and Botnets Litter E-Mail Usage

• By Dian Schaffhauser
• 12/11/09

According to a recent report from Symantec's MessageLabs, an average of 87.7 percent of e-mail delivered is spam, up 6.5 points from 2008's 81.2 percent. That equates to 107 billion spam messages delivered globally every day, most coming from compromised computers. MessageLabs provides hosted e-mail and Web security services.

The shutdown of botnet-hosting service providers such as McColo in late 2008 and Real Host in August 2009, according to the "MessageLabs Intelligence 2009 Security Report," has pushed cyber criminals to re-evaluate and enhance their command and control backup strategy. Their goal: to recover from a major shutdown in hours, rather than weeks or months. Symantec's security researchers predicted that in 2010 botnets will become autonomous, with each node containing an internal means to recode itself in order to coordinate and extend its own survival.

Heavyweight botnets, including Cutwail, Rustock, and Mega-D, now control 5 million compromised computers. The first of those--Cutwail--was responsible for issuing nearly a third of all spam. Another, the Bredolab Trojan, gives the sender complete control of the target computer to deploy other botnet malware, adware, or spyware onto the victim's computer. By October 2009 that had circulated through about 3.6 billion malware e-mail messages, according to Symantec.

The most concerning security threat monitored this year, according to the company, was Conficker/Downadup, a worm created in November 2008 that allows its creators to remotely install software on infected machines. An update to the malware in April 2009 provided functionality that enables it to better evade detection. According to the Conficker Working Group, a consortium of vendors and other organizations, Conficker is of particular concern because as it hasn't yet been determined how the infected machines will be used. Microsoft made headlines in February 2009 for offering a bounty of $250,000 for the identity of the people responsible for creating Conficker, which exploits a Windows server service.

"2009 was the year that the threat landscape sharpened its skills, rather than just relying on large spam runs and malware attacks. We intercepted more variants with increased sophistication, efficiency as well as improvements in technology," said Paul Wood, senior analyst with MessageLabs. "We stopped more than 21 million different types of spam campaigns in 2009, more than twice the amount seen in 2008, and saw a 23 percent increase in malware variants year-on-year. The significant increases suggest that, thanks to the increased availability of specialized criminal toolkits, it was easier to create, distribute, and use spam and malware than ever before."

Another major challenge in 2009 was driven by the mass adoption of shortened URLs for use on social networking and micro-blogging sites. These can disguise the true Web site a visitor will link to, making it harder to anti-spam filters to identify a given message as spam.

Finally, CAPTCHAs (or "completely automated public Turing test to tell computer and humans apart") have taken their share of hits. CAPTCHA-breaking tools have surfaced, allowing cyber criminals to pass over this automated barrier for proving the user is a real human being and letting them create high volume numbers of real accounts for Web mail, instant messaging, and social networking Web sites. A new type of business has emerged that uses people specifically to interpret and enter the CAPTCHA text. According to Symantec's research, each worker can be expected to receive $2 to $3 per 1,000 accounts created; accounts are then sold to spammers for around $30 to $40. Some major Web sites that rely on CAPTCHAs are considering new forms of tests, such as large libraries of photographic images, in which the user must be able to analyze or interact with the image in such a way that would be very challenging for a computer program.