The capacities of the botnets closed last year and early this year are gradually being restored, with the share of spam in mail traffic averaging 82.5% in the second quarter. This is an increase of 3.9 percentage points compared to Q1 and 0.3 percentage points higher than the average figure for 2010. Spammers, however, have had to operate according to a new set of rules since their resources were targeted for closure.
The second quarter saw an increase in the number of botnets, although they were all relatively small with none accounting for such large shares of spam traffic as Cutwail or Rustock did in the past. Either the spammers still haven’t increased capacities to where they can send millions of spam emails daily or they are deliberately not risking everything on a single major botnet.
These shifts in the second quarter have resulted in the sources of spam being more evenly spread out unlike in the past when three countries were regularly responsible for half of all world spam. The zombie machines used to spread spam emails are now located in virtually every country of the world. This signals an end to the spammers’ geographical expansion, with no territories now left untouched by the botmasters.
Sources of spam.
In the second quarter of 2011, spam was sent most actively from developing countries: India (+4.26 percentage points), Brazil (+3.14 percentage points) and Indonesia (+1.66 percentage points).
India’s contribution to the total volume of spam in Q2 increased by almost five percentage points compared to Q1 and totaled 14.06%. This is down to the presence of millions of unprotected, unpatched machines that can remain active in zombie networks for long periods of time, making India a happy hunting ground for botmasters.
“Developing countries are attractive for botmasters due to the absence of effective anti-spam legislation and low IT security levels, while developed countries are of interest because of their fast, widely available Internet connections,” explains Darya Gudkova, Head of Content Analysis & Research at Kaspersky Lab. “Therefore, it comes as no surprise that the US remains a very attractive bridgehead for cybercriminals creating botnets. The US may well have dropped out of the group of leading spam senders following the anti-botnet campaign by law enforcement agencies in autumn 2010, but after the command centers of a big botnet were closed, the cybercriminals started to create a new one almost straight away.”
This is confirmed by changes in the Top 10 most popular malicious programs detected by Kaspersky Lab antivirus solutions on the territory of the US. In February, the majority of malware sent to the country were malicious programs designed to steal users’ financial data (banking Trojans) or to extort money from users (pornblockers and rogue antivirus programs). However, in March and April more than half of the Top 10 entries were Trojan downloaders for installing malware on a user’s computer that added the infected machine to a botnet.
Malware in mail traffic.
The rise in the share of emails containing malicious attachments recorded in Q1 continued in the second quarter: the average percentage of emails with malicious attachments increased by nearly 0.81 percentage points, reaching 3.86%. Four of the top 10 malicious programs detected most often by Kaspersky Lab’s email antivirus are mail worms. As well as collecting email addresses and distributing themselves via mail traffic, some worms also install other malicious programs once they have penetrated a victim computer.
Malicious attachments were most frequently found in mail traffic received in Russia (12.5%). The US came second with 12.21%, an increase of 1.8 percentage points compared with Q1. Vietnam was third, accounting for 7.43% of all email antivirus detection activity (+0.46 percentage points).
In Q2 of 2011, we saw a new stage in spam evolution as spammers started making use of cloud services. Some emails contained links to the Google services, which in turn redirected users to advertising sites or phishing pages. Users are less likely to suspect pages like these because they are located on popular resources (for example Google Docs) and the connection is performed via the HTTPS protocol which supports encryption.
The distribution of spam has lost its global character as spammers are forced to use smaller botnets as effectively as possible. This means they have to choose their audiences more carefully and engage in what is known as ‘spear phishing’ or targeted phishing. In such cases, the cybercriminals know the target person’s name and even the name of the company they work for or are dealing with. Armed with this data it is very easy for criminals to gain the user’s confidence.