A spam-sending Trojan dubbed "SpamThru" is responsible for a vast amount of the recent botnet activity, which has significantly increased spam levels to almost three out of every four emails. The developers of SpamThru used numerous tactics to evade detection and extend their reach, such as releasing new strains of the Trojan at regular intervals in order to confuse traditional anti-virus signature detection. Furthermore, SpamThru employed the "spam cannon" technique: by combining a template for each spam it sent out with a list of email addresses, each zombie was able to pump out millions of spam emails and avoid detection.
The other contributing factor to the increase this month was the Trojan dropper called Warezov, one of the most aggressive Trojans seen this year. The initial strain of Warezov was seen on 14 August; however, the most aggressive and virulent batch of variants appeared at midnight on 26 October. MessageLabs seized over 900,000 copies of the virus in the first 24 hours, when tens of thousands of copies of each variant were released in numerous batches. With each batch being different from the previous one, even a few bytes changed in the code allowed the Trojan to pass undetected through traditional anti-virus protection.
Because Warezov is a dropper, it is uncertain what the Trojan is being used for; however, it seems clear that there is a connection with the huge rise in spam levels around the world. Whether Warezov is connected to the SpamThru Trojan remains to be seen, and analysis continues.
"In recent months, the focus has predominately been on targeted virus attacks and spam has hardly received any attention, however with the arrival of SpamThru and Warezov it looks as though the bad guys have been honing their skills and are now back in full force with new techniques to dupe traditional protection resources," said Mark Sunner, CTO, MessageLabs. "As seen in previous years, we expect spam levels to continue to rise during the coming weeks and months as the spammers intensify their efforts around the holiday season."
Other report highlights
Spam: In October, the global ratio of spam in email traffic from new and unknown bad sources was 72.9 percent (1 in 1.37 emails), an increase of 8.5 percent on the previous month. This is the sharpest rise in spam levels since January 2006, when an increase of 9.2 percent was experienced.
Viruses: The global ratio of viruses in email traffic from new and previously unknown bad sources destined for valid recipients was 1 in 100.3 emails (1.0 percent) in October, a decrease of 0.12 percent since last month. Despite these lower numbers, October witnessed the alarming attack from the Warezov Trojan, resulting in a continuous burst of new variants unable to be detected by traditional means. The net effect from Warezov was an explosion in the number of spam-sending zombies on the Internet, further aggravating an already acute spam problem.
Phishing: October showed a slight decrease of 0.06 percent in the proportion of phishing attacks compared with the previous month. One in 190 (0.53 percent) emails comprised some form of phishing attack. When judged as a proportion of all email-borne threats, the number of phishing emails has stabilized after a significant increase of 30.7 percent in September. 52.9 percent of all malicious emails intercepted by MessageLabs in October were phishing attacks, an increase of 0.5 percent on the previous month. Phishing attacks continue to be targeted mostly at banks that have not yet deployed any two-factor authentication security measures.
* Israel was the top target for spam in October, with an increase of 9.1 percent, while the US has overtaken Ireland to take second position with a rise of 11.5 percent.
* The largest rise in spam was in India where spam levels increased by a massive 20.5 percent to 49.3 percent. The country also remains the hardest hit country in terms of virus activity, with 1 in 16 of all inbound email traffic being affected.
* Virus activity in the US fell by 0.26 percent to 0.73 percent (1 in 135.7) of emails, pushing it to the bottom of the list in October, closely followed by the Netherlands with 1 in 134 of emails.
* Australia, previously at the bottom of the list, saw the biggest increase in viruses to rank 12th in October, increasing by 0.4 percent to 1.2 percent (1 in 84.1) of email traffic.
* Education, Manufacturing and Telecoms remain in the top 5 vertical listings for spam attacks, all achieving 10.0 percent or higher increases this month.
* IT Services spam levels rose the most with an 18.2 percent increase, taking it to third position.
* Virus traffic destined for Business Support Services fell by 2.8 percent to 3.3 percent (1 in 30.3) of emails, the most significant decrease of all sectors but it still retains its position as the most attacked sector.
The October 2006 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at http://www.messagelabs.com/Threat_Watch.