Web-based Malware Escalates, Storm Calms Down

May 1, 2008

Today, the results of the MessageLabs Intelligence Report for April 2008 were released. Analysis shows that during April, the Storm botnet shrank dramatically to just five percent of its original size, whilst Web-based malware increased by 23.3 percent.

The introduction of new malicious software removal tools, which are aimed at targeting and removing Storm infections, is deemed responsible for the sudden reduction in Storm-infected machines, now estimated at approximately 100,000 compromised computers. Previously estimated at two million, the decline in Storm's botnet size is evident from the 57 percent decrease in malware-laden e-mails distributed by the Storm botnet during April.

While the Storm botnet decreased in size, analysis of Web-based malware identified that 36.1 percent of interceptions in April were new, an increase of 23.3 percent since March. MessageLabs also identified an average of 1,214 new Web sites per day harboring malware and other potentially unwanted programs such as spyware and adware, an increase of 619 per day compared with the previous month.

"April was a month of unpredictability with the mighty Storm botnet losing all but five percent of its anonymous army and Web-based malware reaching new levels," said Mark Sunner, Chief Security Analyst, MessageLabs. "This month we find ourselves fighting the cybercrime battle on many fronts, with the bad guys using an arsenal of weapons in order to detonate spam, viruses, phishing attacks and targeted Trojans, making it more important than ever to have a strong security shield in place."

On the cusp of the 30th anniversary of the first spam message, MessageLabs identified a new spamming technique being used to send authenticated spam e-mail via Yahoo!'s SMTP servers. This spam attack accounts for one percent of all spam intercepted in April and has been used to advertise services for Canadian Pharmacy, a well-known spam operation. By using the SMTP server and a DomainKeys Identified Mail (DKIM) authentication technique, the spammers can ensure that the e-mail generated is harder to block using traditional anti-spam methods.

In addition, targeted attacks reached new heights this month, with approximately 70 targeted Trojans intercepted per day, an increase of 250 percent on the December 2007 levels of 28 per day. Leveraging interest in the Beijing 2008 Olympic Games, 13 separate Olympic-themed attacks were intercepted over the past six months, using legitimate-sounding e-mail subject titles such as "The Beijing 2008 Torch Relay" and "National Olympic Committee and Ticket Sales Agents." Some attacks purported to be from the International Olympic Committee, based in Lausanne, Switzerland; in reality, however, all of the attacks but one were sent from an IP address within Asia Pacific.

Finally, MessageLabs has uncovered a new way that scammers are abusing professional social networking sites like LinkedIn. For the first time, they are taking advantage of these sites to lend legitimacy to Nigerian 419 advance fee fraud scams by creating profiles with false credentials that pertain to the business involved in the scam.

Other Report Highlights

Web Security: Analysis of Web security activity shows 36.1 percent of all Web-based malware intercepted was new in April, an increase of 23.3 percent since March.

Spam: In April 2008, the global ratio of spam in e-mail traffic from new and previously unknown bad sources was 73.5 percent (1 in 1.36 e-mails), a decrease of 0.3 percent on the previous month.

Viruses: The global ratio of e-mail-borne viruses in e-mail traffic from new and previously unknown bad sources was 1 in 218.9 e-mails (0.46 percent) in April, a decrease of 0.13 percent since the previous month.

Phishing: April saw an increase of 0.05 percent in the proportion of phishing attacks compared with the previous month. One in 206.1 (0.49 percent) e-mails comprised some form of phishing attack. When judged as a proportion of all e-mail-borne threats such as viruses and Trojans, the number of phishing e-mails rose by 13.1 percent to 87.1 percent of all e-mail-borne malware threats intercepted in April.

Geographical Trends:

  • In April, Hong Kong reclaimed the top spot from Switzerland as the most spammed country, with spam levels reaching 83.7 percent of all e-mail. The largest increase in spam levels was in Canada, with an increase of 5.85 percent.
  • Spam levels in the U.S. reached 70.1 percent in April, 75 percent in Canada and 66.2 percent in the UK. Germany's spam rate reached 70.6 percent and the Netherlands remained at 68.6 percent. Spam levels in Australia were 62.2 percent, 69.8 percent in China and 66.2 percent in Japan.
  • Virus activity fell across almost all regions in April, with the largest decrease in India at 0.69 percent, which takes it out of the top five targeted countries. Despite a decrease of 0.62 percent, Switzerland remains the most targeted country for viruses with levels of 1 in 119.8 e-mails.
  • Virus levels for the U.S. were 1 in 365.1 and 1 in 146.7 for Canada. In the UK, virus levels were 1 in 147.9 and 1 in 348.3 for Germany. In Australia, virus levels were 1 in 317.4 and 1 in 782 for Japan.

Vertical Trends:

  • Spam levels fluctuated across several industry sectors in April, with Manufacturing remaining the top vertical for spam activity at 82 percent. The greatest rise was noted in the Accommodation and Catering sector, where spam levels rose by 5.06 percent to 79.5 percent.
  • Spam levels for the Retail sector were 75 percent, 70.8 percent for Public Sector and 68 percent for Finance.
  • Virus levels fell across many industry verticals during April. Despite a drop of 0.07 percent, Accommodation and Catering claimed the most virus activity with 1 in 62.4 e-mails infected.
  • Virus levels for the Finance sector were 1 in 326.8, 1 in 273.5 for IT Services and 1 in 295.7 for Retail.