SOURCE: MessageLabs, Inc.

September 05, 2007 13:57 ET

MessageLabs Intelligence: Latest StormWorm Developments Through Worldwide Botnet of 1.8 Million Computers

55,000 New Malicious Websites Blocked in August

NEW YORK, NY and LONDON--(Marketwire - September 5, 2007) - MessageLabs, the leading provider of messaging security and management services to businesses, today announced the results of its August MessageLabs Intelligence Report. The new data reveals the latest StormWorm developments involving virtual postcards and YouTube video requests to distribute the Trojan code, and the increase in new malicious websites appearing every day.

In recent weeks, MessageLabs has observed a large increase in emails containing links to virtual postcards and YouTube video invites, including a significant outburst on August 15 which comprised 600,000 emails distributed in 24 hours. This is the latest development from the StormWorm botnet, now estimated to comprise 1.8 million computers worldwide.

Although the body text and subject line keep changing, the emails always consist of simple text or HTML including a single link to an IP address. That IP address refers to another infected machine within the botnet which subsequently redirects to a back-end server in an attempt to infect the victim with a copy of the StormWorm Trojan code. The back-end server automatically re-encodes the malware every thirty minutes to make signaturing difficult for traditional anti-virus vendors.
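The one stable trait described above (a plain-text or HTML body whose only link points at a bare IP address) can be expressed as a mail-filter heuristic. The following is an added example, not MessageLabs code; the function names and the sample messages (which use documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def extract_links(raw_message):
    """Return the distinct http(s) URLs found in every text/* part."""
    urls = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.update(u.rstrip(".,;") for u in URL_RE.findall(text))
    return sorted(urls)

def is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:  # hostname is a DNS name, or the URL is malformed
        return False

def single_ip_link(raw_message):
    """Flag the pattern: exactly one link, and its host is a raw IP."""
    links = extract_links(raw_message)
    return len(links) == 1 and is_ip_literal(links[0])

# Constructed samples (not real traffic).
POSTCARD = ("From: a@example.org\nSubject: You have a postcard\n"
            "Content-Type: text/plain\n\nA friend sent you a postcard:\n"
            "http://192.0.2.45/\n")
HTML_INVITE = ("From: b@example.org\nSubject: Is this you in the video?\n"
               "Content-Type: text/html\n\n<html><body>"
               '<a href="http://198.51.100.7/">watch</a></body></html>\n')
NEWSLETTER = ("From: news@example.com\nSubject: August update\n"
              "Content-Type: text/plain\n\nRead https://www.example.com/news "
              "or unsubscribe at https://www.example.com/unsub.\n")

if __name__ == "__main__":
    for name, raw in [("postcard", POSTCARD), ("html", HTML_INVITE),
                      ("newsletter", NEWSLETTER)]:
        print(name, single_ip_link(raw))
```

On its own this is a weak signal, since legitimate internal mail sometimes links to IP addresses; it is best used as one scoring input alongside sender reputation.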

Similar to the techniques adopted by other botnets like Warezov, the location of the command and control servers used to manipulate the botnet is safeguarded behind a rapidly changing DNS technique known as 'fast-flux,' a similar method to the bullet-proof hosting schemes that spammers have often used in the past, making it difficult to locate and take down hosting sites and mail servers.

"The StormWorm Trojan continues to be at the forefront of the threat landscape through its tactic of reinventing itself in different disguises," said Mark Sunner, Chief Security Analyst. "With such a commanding botnet now in force and no signs of it waning, vigilance needs to be increased and enforced on all unknown and also known web links and attachments."

As a result of this latest StormWorm activity, the number of emails which contained links to malicious code significantly increased in August to 19.5 percent, a rise of 19 percent on the July figure of 0.5 percent.

Further analysis on web trends reveals the steep increase in the number of new malicious websites appearing every day. In August, a daily average of 1,772 new malicious sites were identified and blocked, an average increase of 783 per day since July.

Other report highlights:

Web Security: Analysis shows that 10.8 percent of the malware intercepted in August was new. Analysis of policy-based traffic highlighted that adult-orientated content poses a greater risk for SMBs with 6.2 attempted connections per user per month being blocked compared with 1.1 for larger businesses.

Spam: In August, the global ratio of spam in email traffic from new and unknown bad sources, for which the recipient addresses were deemed valid, was 74 percent, an increase of 3 percent on the previous month.

Viruses: This month, the global ratio of viruses in email traffic from new and previously unknown bad sources destined for valid recipients was 1 in 80.4 (1.24 percent), a decrease of 0.14 percent since last month.

Phishing: With a decrease of 0.32 percent, one in 173.8 emails comprised some form of phishing attack in August. As a proportion of all email-borne threats, the number of phishing attacks decreased by 18.5 percent and now accounts for 46.3 percent of all malicious threats intercepted by MessageLabs in August.

Geographical Trends:

--  Israel continued to have the highest spam rate this month with 70.7
--  The most significant increase in spam levels occurred in France with a
    9.5 percent increase followed by Spain at 9.2 percent.
--  India is now the least affected by spam attacks, with only 29.5
    percent of email; conversely, India remains the region most affected by
    viruses, with 1 in 27.8 emails comprising a virus. The greatest increase in
    August occurred in Spain, where activity rose by 0.09%.

Vertical Trends:

--  The Agriculture sector now ranks the most spammed sector with 66.9
    percent, whilst the Finance sector is the least spammed sector with 30.5
--  The greatest increase in spam activity across all sectors during
    August was observed in the Telecoms sector where spam rose by 22.3% since
    July and repositioned this vertical as the second most spammed sector. The
    largest drop was in the Business Support Services sector which fell by 6.2%
--  Education moves to the top of the virus chart in August despite a fall
    in virus activity of 0.18%

The August 2007 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at

MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.

About MessageLabs

MessageLabs is a leading provider of integrated messaging and web security services, with over 16,000 clients ranging from small business to the Fortune 500 located in more than 86 countries. MessageLabs provides a range of managed security services to protect, control, encrypt and archive communications across Email, Web and Instant Messaging.

These services are delivered by MessageLabs' globally distributed infrastructure and supported 24/7 by security experts. This provides a convenient and cost-effective solution for managing and reducing risk and providing certainty in the exchange of business information. For more information, please visit
