MessageLabs '09 Report: Botnets Bounce Back With Sharpened Survival Skills

The bad guys sharpened their skills, rather than just relying on large spam runs and malware attacks

December 12, 2009

6 Min Read


MOUNTAIN VIEW, Calif. " December 8, 2009 " Symantec Corp. (Nasdaq: SYMC) today announced the launch of its MessageLabs Intelligence 2009 Security Report. The annual report details how cyber criminals have sharpened their survival skills and operated a volume and variety approach throughout 2009.

The report highlights turbulent spam activity throughout the year, with average spam levels reaching 87.7 percent, but with highs and lows of 90.4 percent in May and 73.3 percent in February respectively. With compromised computers issuing 83.4 percent of the 107 billion spam messages distributed globally per day on average, the shutdown of botnet hosting ISPs, such as McColo in late 2008 and Real Host in August 2009 appeared to make botnets re-evaluate and enhance their command and control backup strategy to enable recovery to take hours, rather than weeks or months. It is predicted that in 2010 botnets will become autonomous intelligent, with each node containing an inbuilt self-sufficient coding in order to coordinate and extend its own survival.

Botnets continued to rule the cyber security landscape in 2009 with the ten major heavyweight botnets, including Cutwail, Rustock and Mega-D, now controlling at least five million compromised computers. Cutwail was a dominating force across both spam and malware in 2009, responsible for issuing 29 percent of all spam or 8,500 billion spam messages between April and November 2009. Cutwail also used its strength to spam out emails containing the Bredolab Trojan dropper, disguised in the form of a .ZIP file attachment. One of the major threats of 2009, the Bredolab Trojan was designed to give the sender complete control of the target computer which then could be used to deploy other botnet malware, adware or spyware onto the victim's computer. The percentage of spam distributing the Bredolab Trojan dropper increased steadily in late 2009 and reached its highest levels in October 2009 when it was estimated that approximately 3.6 billion Bredolab malware emails were in circulation.

"2009 was the year that the threat landscape sharpened its skills, rather than just relying on large spam runs and malware attacks. We intercepted more variants with increased sophistication, efficiency as well as improvements in technology," said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. "We stopped more than 21 million different types of spam campaigns in 2009, more than twice the amount seen in 2008, and saw a 23 percent increase in malware variants year-on-year. The significant increases suggest that, thanks to the increased availability of specialized criminal toolkits, it was easier to create, distribute and use spam and malware than ever before."

The most concerning security threat monitored this year was Conficker/Downadup, a worm that allows its creators to remotely install software on infected machines. While the Conficker worm originated at the end of 2008, an update to the malware on 1 April 2009 provided additional functionality in order for it to better evade detection. Conficker is of particular concern as it has not yet been identified how the infected machines will be used, estimated by the Conficker Working Group, who has contributed to minimizing the role this malware potentially played in 2009, to total more than six million computers.

In the first half of 2009, the credit crisis generated many new finance-related attacks as spammers and criminals sought to take advantage of the uncertainty surrounding the global economic downturn. In February, spam containing hyperlinks to a number of major well-known search engines delivered much of the early recession-based spam. In 2009, 90.6 percent of spam contained a URL, driven predominately by an upsurge in the second half of the year of using shortened URLs in spam runs, which helped disguise the true website that the user would be visiting and making it harder for traditional anti-spam filters to identify the messages as spam. URL-shortening was frequently used on social networking and micro-blogging sites and is popular among online criminals because of the inherent trust relationships that exist between users of these sites.

Other than the global credit crisis, world events, festivities and news stories also contributed to many spam themes in 2009 including St. Valentine's Day, the H1N1 flu pandemic and the deaths of celebrities including singer Michael Jackson and actor Patrick Swayze. Malware writers and even 419-type advance fee fraud campaigners also got in on the act and in the example of the death of Michael Jackson, the first examples, including a Brazilian banking Trojan distributed in malicious hyperlinks, appeared in the days following his death.

"Although sophistication and innovation are at the forefront of some of the attacks we see, predictability also plays a large part of the day-to-day threat landscape," Wood said. "The security industry as a whole talks about themed attacks, such as those surrounding Valentine's Day, Christmas, and celebrity deaths, however, the frequency and volume of these attacks suggests that the cyber criminals are still achieving the results desired or their tactics would have changed."

Finally, CAPTCHAs (Completely Automated Public Turing test to tell Computer and Humans Apart), came under increased scrutiny this year as CAPTCHA-breaking tools have been readily traded in the underground economy, allowing cyber criminals to create large numbers of real accounts for webmail, instant messaging and social networking websites. There has been an emergence of businesses that specialize in providing real people to create real accounts on major webmail services on a 24-hour basis. Often advertised as a data processing job, each worker can be expected to receive approximately two to three U.S. dollars per 1,000 accounts created; accounts are then sold on to spammers for around $30 to $40. Some major sites are already investigating alternatives to the swirling letters and numbers, such as large libraries of photographic images, in which the user must be able to analyze or interact with the image in such a way that would be very challenging for a computer program.

Top Trends in 2009

Web Security: For 2009, the average number of new malicious websites blocked each day rose to 2,465 compared to 2,290 for 2008, an increase of 7.6 percent. MessageLabs Intelligence blocked malicious web threats on 30,000 distinct domains. 80 percent of those domains were established legitimate, compromised websites, the remaining 20 percent were new domains set up purely with malicious intent.

Spam: In 2009 the annual average spam rate was 87.7 percent, an increase of 6.5 percent on the 2008 statistic of 81.2 percent. April saw a spike in image spam, accounting for 56.4 percent of all spam on 5 April, compared with annual average of 28.2 percent.

Viruses: The average virus level for 2009 was 1 in 286.4 emails (0.35 percent) reflecting a 0.35 percent decrease on 2008 where levels averaged at 1 in 143.8 emails (0.70 percent). The decline can be attributed to the transition to developing more variants (23 percent increase in 2009 compared with 2008) but fewer malicious emails per strain (approximately 5,827 malicious emails per strain in 2009 compared to 10,436 emails per strain in 2008).

Phishing: The number of phishing attacks was 1 in 325.2 (0.31 percent) emails compared to 1 in 244.9 (0.41) in 2008. More than 161 billion phishing attacks were in circulation in 2009.

The annual MessageLabs Intelligence Report provides greater detail on all the trends and figures noted above, as well as more detailed trends for 2009. The full report is available at

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights