Symantec Corp’s January 2010 MessageLabs Intelligence Report.

Analysis reveals spammers have launched new campaigns related to 2010 events to sustain the high levels of spam experienced toward the end of 2009.

At the start of 2010, MessageLabs Intelligence saw the typical special New Year offers for pharmaceuticals, fashion accessories and watches, weight loss products, loans and jobs. At its peak, spam related to the New Year accounted for 7.7 percent of all spam on a single day, and more than 50 percent of New Year-related spam was sent by the Grum and Cutwail botnets combined.

Spammers are now moving away from the New Year themes and are expected to latch onto Valentine’s Day-related spam topics next. Spammers and phishers have also been quick to take advantage of the tragedy that struck Haiti to generate advance-fee fraud scams. As many countries seek to offer humanitarian aid and relief, the scammers are looking for ways to exploit those donation efforts, counting on the public’s concern and desire to help to cloud their good judgment.

With 83.4 percent of spam originating from botnets at the end of 2009, MessageLabs Intelligence calculated that the remainder 0.9 percent of spam – the equivalent of 900 million spam emails – originated from free webmail accounts. More than 79 percent of webmail spam came from three well-known free webmail service providers.

“Despite the best efforts of the webmail providers to prevent this abuse of their services, there is still a viable market in the underground economy for buying and selling legitimate and usable webmail accounts,” says Paul Wood, MessageLabs Intelligence senior analyst, Symantec Hosted Services.

In December 2009, a new zero-day vulnerability in a popular version of a .PDF viewer was disclosed. MessageLabs Intelligence had blocked the first versions of the attack in the wild in November 2009, protecting Symantec Hosted Services customers before the attack began.

The attack targeted high-level individuals in the public sector, education, financial services and large international corporations. Arriving as a .PDF file containing embedded JavaScript, the attack also involved a social engineering aspect, which varied according to the individual and organization being targeted.

It is interesting and scary to note that the first attacks were being conducted 25 days before the existence of the vulnerability was disclosed; it was a further 28 days before the application vendor made the patches available to the general public. This example perhaps served as a harsh warning of what may be expected over the coming months during 2010, as we expect more sophisticated targeted malware attacks of this nature.

In December 2009, MessageLabs began tracking a new botnet called Lethic, which quickly accounted for 2.5 percent of all spam. Within the first week of January, spam from Lethic increased to less than four percent of all spam and then peaked at 5.25 percent of all spam on 8 January before dropping off to nothing.

“Lethic seems to have disappeared almost as quickly as it arrived,” Wood observes. “The spam it had been sending was roughly an even mix of pharmaceutical and replica watch spam. Interestingly, the Bagle botnet was sending the exact same spam with the same hyperlinks as Lethic and over the same time period leading us to believe that Lethic possibly came from the same creators as Bagle or the people behind the spam may have hired the resources of more than one botnet gang to increase output.”


Other report highlights:

Spam: In January 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 83.9 percent (1 in 1.2 emails), a decrease of 0.3 percent since December 2009.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 326.9 emails (0.31 percent) in January, a decrease of 0.03 percent since December 2009. In January, 13.2 percent of email-borne malware contained links to malicious websites, a decrease of 5.9 percent since December.

Phishing: In January, phishing activity was 1 in 562.3 emails (0.18 percent), a decrease of 0.11 percent since December 2009. When judged as a proportion of all email-borne threats such as viruses and Trojans, the proportion of phishing emails had decreased by 14.3 percent to 65.3 percent of all email-borne threats.

Web security: Analysis of web security activity shows that 41.4 percent of all web-based malware intercepted was new in January, an increase of 0.6 percent since December. MessageLabs Intelligence also identified an average of 1,760 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 56.2 percent since December.


Geographical Trends:

  • Spam levels in Denmark fell by 0.6 percent in January, but Denmark remained the most spammed country with levels of 94.8 percent of all email.

  • In the US, spam decreased to 91.6 percent and to 89.7 percent in Canada. Spam levels fell to 90.0 percent in the UK.
  • In the Netherlands, spam levels reached 92.4 percent, while spam levels in Australia reached 90.6 percent.
  • Spam levels in Hong Kong reached 92.1 percent and spam levels in Japan were at 88.2 percent.
  • Virus activity in China rose by 0.13 percent to 1 in 121.4 emails, placing it at the top of the table for January.
  • Virus levels for the US were 1 in 440.3 and 1 in 383.1 for Canada. In Germany, virus levels were 1 in 271.6, 1 in 496.4 for the Netherlands, 1 in 644.1 for Australia, 1 in 331.9 for Hong Kong and 1 in 396.5 for Japan.
  • The UK was the most active country for phishing attacks with 1 in 253.6 emails.


Vertical Trends:

  • In January, the most spammed industry sector was Engineering, with a spam rate of 95.1 percent.
  • Spam levels for the Education sector were 92.1 percent, 91.0 percent for the Chemical & Pharmaceutical sector, 91.5 percent for IT Services, 92.3 percent for Retail, 89.3 percent for Public Sector and 90.1 percent for Finance.
  • Virus activity in the Public sector fell by 0.33 percent but moved to the top of the table with 1 in 109.7 emails being infected in January. 
  • Virus levels for the Chemical & Pharmaceutical sector were 1 in 230.9, 1 in 353.4 for the IT Services sector, 1 in 607.2 for Retail, 1 in 187.7 for Education and 1 in 391.5 for Finance.