Botnets Guilty for 87% of 2009 Global Spam Mail

News on cybercriminals, botnet growth, ISP impacts, plus old and new malicious domains
Every day, between four and six million people across the globe turn on their computers to find spam mail, their security threatened by cybercriminals without their knowledge.
Botnets, networks of compromised computers controlled by cybercriminals, are used to send out more than 87 percent of all unsolicited mail, equating to around 151 billion emails a day. Locations with a higher density of small-to-medium sized businesses are generally the areas subjected to the highest levels of spam. On the other hand, the least spammed places are often home to some of the world’s largest companies. The global spam rate for September 2009 is 87 percent, according to a report released by Symantec, a firm providing security, storage and systems management solutions. The investigation found that the top global targets of spammers are in the engineering and education market sectors, with spam levels reaching more than 93 percent.

New Botnet Maazben Growing Rapidly

A newer botnet (a jargon term for a collection of software robots, or bots, that run independently and automatically), Maazben, has experienced rapid growth since its beginnings in late May, mainly sending out casino-related spam, while Rustock, one of the oldest and largest botnets, has doubled in size since June and established a predictable spamming pattern. Maazben’s share of all spam mail grew from 0.5 percent in August to 1.4 percent in September, according to MessageLabs Intelligence, a source of data and analysis for messaging security issues, trends and statistics. Rustock is the largest in terms of the number of bots, at 1.3 to 1.9 million, but has kept its output per bot relatively low. On top of that, Rustock has settled into a predictable spam pattern that starts every day at 3 a.m. ET, peaks at 7 a.m. ET and stops at 7 p.m. ET. It then rests for eight hours before beginning again. Rustock is the only botnet with a regular spam cycle. One of the most dominant botnets, Rustock is responsible for ten percent of all spam.
“Over the past year, we have seen a number of ISPs taken offline for hosting botnet activity resulting in a sink or swim case and a subsequent shift in botnet power,” said Paul Wood, MessageLabs Intelligence Senior Analyst at Symantec, in the September 29, 2009 article “Symantec Announces September and Q3 2009 MessageLabs Intelligence Report: Latest Investigation of Spam from Botnets Reveals Rapid Growth and New Players.” “This has undermined the power of more dominant botnets like Cutwail and cleared the way for new botnets like Maazben to emerge.” “However,” Wood continued, “this won’t always be the case as botnet technology has also evolved since the end of 2008 and the most recent ISP closures now have less of an impact on resulting activity as downtime now only lasts a few hours rather than weeks or months as before.”

Market Competition of Botnet Players

Two other botnets have had the opportunity to compete for Cutwail’s previous position as the most active botnet after the closure of these ISPs over the past three months. Grum, half the size of Rustock but responsible for 23.2 percent of spam, and Bobax, responsible for 15.7 percent of spam, have both taken over as the most active botnets for spam distribution. Previously, Cutwail was responsible for 45.8 percent of spam.

Malicious Domains Likely to be Older Websites

MessageLabs Intelligence’s September analysis also showed that a decline in “domain tasting”, the practice of cancelling a domain registration within five days, reported by ICANN (Internet Corporation for Assigned Names and Numbers) in June 2009, may be responsible for a change in the malicious nature of websites. This suggests that malicious domains are now likely to be older, compromised websites instead of the newly registered, short-lived domains they were about one year ago.
An analysis of websites established with the sole purpose of serving malware, short for malicious software, reveals that “young” domains, those registered up to three months before first being blocked for hosting malicious content, are small in number, but the vast majority of them are blocked because they were set up with malicious intent. Ninety percent of “young” domains are taken down within 38 days of registration. An analysis of older domains, those that have been registered for more than three months and then compromised to serve malware, indicates that 90 percent of these websites are taken down only after 138 days, much longer than their younger counterparts. MessageLabs Intelligence found that overall 80 percent of domains being blocked as malicious for serving up malware are in fact compromised, legitimate websites. “It is of greater benefit to an attacker to compromise a legitimate website as opposed to setting up a newer, specialized domain to serve up malware,” Wood said. “By taking advantage of the Add Grace Period, a policy that allows scammers to register a domain at no cost and cancel after five days, ‘domain tasting’ and ‘domain kiting’ have become common practice for cybercriminals, allowing them to beat the system without ever paying for malware distribution.”