Storm Botnet Responsible for One Fifth of All Spam

"Storm's focus on spam seems to be just the tip of the iceberg as e-mails containing malware and phishing attacks from the Storm botnet are now growing in numbers."

April 3, 2008

The prolific Storm botnet was responsible for 20 percent of all spam in the first quarter of 2008, according to the MessageLabs Intelligence Report for March 2008. The analysis highlights that messages selling male enhancement drugs accounted for 41 percent of Storm's efforts. In addition to spam, more than four million e-mails from the Storm botnet containing links to malware or aimed at launching phishing attacks have been intercepted since January.

"Storm celebrated its first birthday at the start of the year and commemorated the anniversary with a significant run of nostalgic spam. More than 78 percent of the spam it spewed out this quarter was either focused on male enlargement drugs, replica watches or spam of a sexual nature," said Mark Sunner, Chief Security Analyst, MessageLabs. "Storm's focus on spam seems to be just the tip of the iceberg as e-mails containing malware and phishing attacks from the Storm botnet are now growing in numbers."

Other nostalgic events within the spam landscape this month include the appearance of stick-man art within a new image-spam campaign. The amateur-looking artwork, advertising the weight loss drug Hoodia, is the first of its kind and although the spam run looks the same, the images and subject lines frequently change in order to evade traditional signature detection.

MessageLabs Intelligence also highlights the change in the perception of social networking sites within the business environment with 11 percent of companies now blocking access specifically to Facebook compared to three percent who have pro-actively set up rules to allow access.

"Businesses are now becoming wise to the possible impact of social networking and pro-actively raising their defense barriers against data loss, threats and employee productivity," Sunner said. "Moreover, the possibility of spoofing Facebook accounts is no longer an impossible notion and may be the next major aspect in identity theft."

Other report highlights:

Web Security: Analysis of Web security activity shows 9.2 percent of all Web-based malware intercepted was new in March. MessageLabs also identified an average of 595 new sites per day harboring malware and other potentially unwanted programs such as spyware and adware.

Spam: In March 2008, the global ratio of spam in e-mail traffic from new and previously unknown bad sources was 73.8 percent (1 in 1.36 e-mails), an increase of 1.1 percent on the previous month. Spam levels for Q1 2008 are 1.1 percent lower than Q4 2007 and 3 percent lower than Q1 2007, but 14.1 percent higher than the same period in 2006.

Viruses: The global ratio of e-mail-borne viruses in e-mail traffic from new and previously unknown bad sources was 1 in 169.2 e-mails (0.59 percent) in March, a decrease of 0.36 percent since the previous month. Virus levels for Q1 2008 are 0.72 percent higher than for Q4 2007 and 0.06 percent lower than Q1 2007. Virus levels are 1.47 percent lower than the same period in 2006.

Phishing: March saw a decrease of 0.57 percent in the proportion of phishing attacks compared with the previous month. One in 228.7 (0.44 percent) e-mails comprised some form of phishing attack. When judged as a proportion of all e-mail-borne threats such as viruses and Trojans, the number of phishing e-mails had fallen by 13.5 percent to 74 percent of all e-mail-borne malware threats intercepted in March. Phishing levels for Q1 2008 are almost unchanged since Q4 2007. Phishing levels are 0.14 percent higher than in Q1 2007 and 0.34 percent higher than in Q1 2006.

Geographical Trends
o In March, spam levels in Switzerland rose by 6.15 percent since February, surpassing levels in Hong Kong where they fell by 0.76 percent during the same period.
o Spam levels in the US were 70.7 percent in March, 69.1 percent in Canada and 61.1 percent in the UK. Germany's spam rates reached 70.1 percent and 68.6 percent in the Netherlands. Australia experienced levels of 61.3 percent, 66.8 percent in New Zealand, 68.8 percent in China and 65.5 percent in Japan.
o Virus activity fell across most regions in March, except in Austria, Italy and

Sweden where virus levels increased by less than one percent. The largest decrease occurred in Israel where virus levels fell by 1.2 percent. Swizerland replaces Israel as the most targeted country for viruses even with a 0.54 percent decrease in virus levels.
o Virus levels for the US were 1 in 245.1 and 1 in 180.3 for Canada. In the UK, virus levels were 1 in 137.7 and 1 in 255.6 for Germany. In Australia, virus levels were 1 in 215.7, and Japan reached 1 in 257.4.

Vertical Trends
o Spam levels fluctuated across several industry sectors in March, with manufacturing and education being the top two verticals targeted with the highest levels of spam, at 82.1 percent and 80.4 percent respectively. The greatest rise was noted in the IT services sector, where spam levels rose by 4.6 percent to 79.9 percent.
o Spam levels for the retail sector were at 78 percent, 70.6 percent for public sector, 69.5 percent for chemical/pharmaceutical and 68.1 percent for finance.
o Similarly, virus levels for many industry sectors decreased during March. Education was the exception, where virus levels rose by 0.06 percent.
o Virus levels for the finance sector were 1 in 231.5, 1 in 232.2 for IT services and 1 in 173.5 for retail.