Report: Spam Dominates E-Mail, Grows 14 Percent in 2010

The volume of e-mail and Web threats continues increasing, and United States-based servers are hosting more than twice as much malicious code as the next two contenders combined, according to the latest security report from M86 Security, which sells security software. The report, which covers the first half of 2010, noted several trends: Spammers are trying out new developments to circumvent security controls and using increasingly sophisticated attacks; spam and mass Web site infections continue to be huge problems; and many of the exploits take advantage of legacy software vulnerabilities that have long been patched by the vendors but not necessarily by users.

Based on M86 research, the volume of spam has grown by 14 percent in the first six months of 2010, totaling about 88 percent of all inbound e-mail to organizations. However, just five botnets are responsible for three-quarters of that spam. Aside from consuming network resources, this spam is the primary means for distributing and advertising malware, the authors explained.

Two bots, in particular, generate more than half of that spam. The top one is Rustock, which produces 43 percent of all spam. Coming in second is Mega-D, which generates 10 percent. Both are template driven, according to M86, which allows them to "generate variety" to avoid quick detection by filtering programs; the spam-sending component periodically contacts a control server for a new spam template. The goal of both forms of spam is to promote cheap drugs and pharmacies online--a category that dominates, making up nearly 81 percent of all spam.

As reported previously by the company, botnet operators sign up for affiliate programs and take a cut of every sale generated by their spam. In fact, M86 recommends that the efforts to limit spam by taking down rogue ISPs be redirected to targeting Canadian Pharmacy specifically, which pays a hefty referral fee for successful transactions. This brand generates 67 percent of all spam and is the same one promoted through Rustock and Mega-D. Taking down Canadian Pharmacy, said the report's authors, "might make a bigger impact on spam than targeting the ISPs."

Interestingly, contrary to popular belief, China and Russia don't host most of the malicious code driving bots. That dubious feat, according to M86, is held by the United States, which hosts 43 percent of all malicious code (versus 14 percent for China and four percent for Russia).

The report also offered an interesting explanation about how the coordinated attacks that recently struck Google, Adobe, and Juniper worked by exploiting the built-in trust among friends on social networks. "The perfect example of such an attack is Operation Aurora," the authors wrote. "The attacks began by identifying employees at the target organization that might have credentials to access the information the attackers were after. The next step was to infiltrate the social networks of these employees, since there is an inherent trust placed in one's social network. The goal was to send messages to the targeted employees from contacts within these social networks, lowering the targets' suspicion level and improving the chances that they would click the link in the message." The links in those messages pointed to a Web page with an exploit for Internet Explorer. Once that attack succeeded, the operation would hunt for ever higher level credentials and more workstations to exploit.

The report also covered the automated widespread infection of legitimate Web sites by the returning Asprox botnet, one that has been around since 2007 but that has evolved from being used for phishing e-mails to include SQL injection functionality. In June, M86 Security Labs found that the number of infected Web sites went from 2,000 to 13,000 in just a few days, illustrating the highly automated nature of the Asprox attacks, and the fact that many Web sites remain vulnerable.

Because existing techniques for "covering their tracks" are becoming less effective, cybercriminals have begun using combined attacks, which are more complex and difficult to detect, noted the authors. For example, to limit the effectiveness of security detection mechanisms currently in use, the attack might try splitting malicious code between Adobe ActionScript language--built into Adobe Flash--and JavaScript components on the Web page.

The report offered several recommendations for countering the threats of malware, including educating users--particularly on how to identify authentic e-mail and links and use social network privacy settings--and staying up to date with patches and software versions.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
