Breakdown of all the major online threats in May

Latest MessageLabs Intelligence Report reveals that nine out of ten spam emails now contain a URL link in the message. In May, five percent of all domains found in spam URLs belonged to genuine web sites. Of the most frequently used domain names contained in spam URLs, the top four belong to well-known web sites used for social networking, blogging, file sharing and host other forms of user-generated content.

While Rustock is the botnet that uses the greatest number of disposable domains, Storm, which has recently returned to the spamming scene, is the only botnet that uses genuine domains in greater number than disposable domains. Sixty-five percent of spam from the Storm botnet uses a legitimate domain, many of which are for URL shortening services. Disposable domains are often used quickly after being first registered; and on average, 50 percent are used within nine days, before spammers switch to newer domains.

Figure 1: Top spam-sending botnets classified by domains used in spam

Also in May, MessageLabs Intelligence analyzed the growth of spam and botnets in some of the countries along the eastern coast of Africa, namely those which received greater broadband connectivity in July 2009. The proportion of global spam that comes from Africa overall has increased to 3 percent of global spam in May 2010 from just under two percent in April 2009, reflecting an extra 1.2 billion spam emails being sent from Africa daily compared to one year ago.

While historically countries not in the eastern portion of the continent have sent the majority of spam from Africa, this output has shifted east over the past year. The proportion of spam coming from the rest of Africa has decreased from 86 percent to 80 percent while that coming from countries located in the eastern region has increased from 13 percent to 19 percent. This rise originated most notably from Kenya, Rwanda and Uganda where spam output has increased to 7.2, 6.3 and 5.7 times respectively the amount that was being sent one year ago.

Finally in May, MessageLabs Intelligence intercepted a malware attack featuring the theme of the soccer World Cup competition due to begin in June 2010. Composed in Portuguese and featuring the branding of one of the event sponsors, the email was sent from an IP address in Macau, China.

Other stats from the report include:

Spam: In May 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 90 percent (1 in 1.11 emails), an increase of 0.3 percentage points since April.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 211.6 emails (0.473 percent) in May, an increase of 0.18 percentage points since April. In May 22.6 percent of email-borne malware contained links to malicious websites, a decrease of 6.3 percentage points since April.

Endpoint Threats: MessageLabs Intelligence can now analyze additional threats against endpoint devices such as laptops, PCs and servers and the trends surrounding them following the launch of our new Hosted Endpoint Protection service. Malware may penetrate an organization in many ways, including drive-by attacks from compromised websites, Trojan horses and worms that spread by copying themselves to removable drives. For example, “AutoRun” is a feature of Windows that allows an executable to be run when a removable drive is connected to a computer. The most frequently blocked malware for the last month was the Sality.AE virus, which spreads by infecting executable files and attempts to download potentially malicious files from the Internet.

Phishing: In May, phishing activity was 1 in 237.1 emails (0.42 percent) an increase of 0.2 percentage points since April. When judged as a proportion of all email-borne threats such as viruses and Trojans, the proportion of phishing emails had increased by 10.3 percentage points to 80.6 percent of all email-borne malware and phishing threats combined.

Web security: Analysis of web security activity shows that 12.4 percent of all web-based malware intercepted was new in May, an increase of 1.5 percentage points since April. MessageLabs Intelligence also identified an average of 1,770 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, an increase of 5.6 percent since April.