SOURCE: MessageLabs, now part of Symantec

August 25, 2009 08:00 ET

Symantec Announces August 2009 MessageLabs Intelligence Report:

Cutwail Botnet Damaged by ISP Shutdown Whilst Donbot Offers Medical Assistance to Billions

CUPERTINO, CA--(Marketwire - August 25, 2009) - Symantec Corp. (NASDAQ: SYMC) today announced the publication of its August 2009 MessageLabs Intelligence Report. Analysis highlights how activity levels for Cutwail, one of the largest botnets globally, fell by as much as 90 percent following the shutdown of an ISP in Latvia. Also in August, another prolific botnet called Donbot continued to use shortened URLs in its spam runs, peaking at ten billion emails distributed in just one day.

The Latvian ISP Real Host was disconnected on 1 August after it was alleged to be linked to command-and-control servers for infected botnet computers, particularly the Cutwail botnet, which is responsible for approximately 15 to 20 percent of all spam today. Global spam volumes fell by as much as 38 percent in the 48-hour period immediately following the disconnection.

"Cutwail's activity levels fell by as much as 90 percent following the disconnection of Real Host, but in a matter of days it was back to its former self, demonstrating just how powerful the Cutwail botnet really is in recovering and reinventing itself. ISPs have been blamed for helping botnet activity in the past, and taking these services down when unusual behavior is monitored is an important part of the battle against cybercrime," said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec.

Despite this brief variation in spam levels, the overall figures for August remain fairly steady at 88.5 percent, due to the activity levels of other major botnets such as Rustock, Mega-D and Donbot. Taking advantage of the heightened interest in health-related issues due to the current swine flu pandemic, Donbot recently distributed its largest shortened-URL spam run to date, sending an estimated 10 billion pharmaceutical-focused spam messages in one day. Subjects include 'Health care - get meds now,' 'Save 89% on Meds,' and 'Purchase Meds Online.' The ongoing use of shortened URLs as a delivery mechanism has resulted in a number of URL-shortening services being forced to close their businesses due to their inability to handle the malicious use of their tools.

In addition, MessageLabs Intelligence analysis highlights how cybercriminals are three times as likely to favor repurposing malware across numerous domains rather than developing new tactics. In August, of 3,510 websites being blocked daily, 36.1 percent of domains were new. Similar analysis of malware being blocked each day highlights that only 11.9 percent was newly developed malware.

Other report highlights:

Spam: In August 2009, the global ratio of spam in email traffic from new and previously unknown bad sources was 88.5 percent (1 in 1.13 emails), reflecting a 0.9 percent decrease since July.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 296.6 emails (0.34 percent), almost unchanged since July. In August, 14.8 percent of email-borne malware contained links to malicious websites, a decrease of 0.4 percent since July.

Phishing: One in 341.2 emails (0.29 percent) comprised some form of phishing attack, a decrease of 0.01 percent since July. When judged as a proportion of all email-borne threats such as viruses and Trojans, the number of phishing emails had decreased by 6.0 percent to 86.9 percent of all email-borne malware threats intercepted in August.

Web security: Analysis of web security activity shows that 45.4 percent of all web-based malware intercepted was new in August, an increase of 44.7 percent since July. MessageLabs Intelligence also identified an average of 3,510 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 0.01 percent since July.

Geographical Trends:

--  Hong Kong was the most spammed country in August although levels fell
    by 0.8 percent to 93.4 percent.
--  Spam levels in the U.S. and Canada rose to 89.5 percent and 88.7
    percent respectively. The majority of other countries saw a decline in
    August with levels in the UK falling to 91.6 percent, Germany to 90.4
    percent, France to 90.7 percent, and The Netherlands to 86.3 percent.
--  Levels in Australia and Japan declined to 90.6 percent and 89.2
    percent respectively.
--  Although virus activity in China declined to 1 in 196.9 emails, it was
    placed at the top of the virus table for August.  Singapore and Switzerland
    maintained their position in the top 5 countries with virus levels of 1 in
    196.9 and 1 in 214.0 emails respectively. The UK, with levels of 1 in 219.3
    and UAE with levels of 1 in 228.66 emails completed the top 5 virus
    affected countries for August.
--  Virus activity increased in Germany and The Netherlands with levels of
    1 in 275.5 emails and 1 in 612.18 emails respectively. In the U.S. levels
    decreased slightly to 1 in 387.1 and increased in Canada with levels
    reaching 1 in 309.9. July's most affected country, Australia, became the
    twelfth most affected country in August with virus levels of 1 in 308.3
    emails. In Hong Kong virus activity was 1 in 297.7 emails and in Japan it
    increased to 1 in 400.76 emails.
    

Vertical Trends:

--  In August, the most spammed industry sector with a spam rate of 93.4
    percent was the Engineering sector.
--  Spam levels for the Education sector were 93.2 percent, 92.5 percent
    for the Automotive sector, 90.7 percent for Retail, 89.8 percent for Public
    Sector and 88.7 percent for Finance.
--  Virus activity in the Education sector increased with 1 in 120.0
    emails being infected in August, keeping it top of the virus table.
--  Virus levels for the IT Services sector were 1 in 262.5, 1 in 490.3
    for Retail, 1 in 171.9 for Public Sector and 1 in 288.4 for the Chemical
    and Pharmaceutical sector.
    

The August 2009 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at http://www.messagelabs.com/intelligence.aspx.

Symantec's MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
