Google: Virus-Packing Spam Rose Despite Botnet Takedowns

Botnet operators responded to takedown and other pressures last year by packing high-volume payloads of viruses in their spam runs, according to new data from Google's Postini team.

Spam volume dropped 12 percent in the first quarter of this year from Q4 2009, accounting for 86 percent of all email in Q1. But the size of spam messages increased by 30 percent in March, according to the Postini team.

Virus-laden spam rose dramatically late last year, ballooning from 0.3 percent of all spam in the first half of 2009 to 3.7 percent in the second half of the year; Postini reports blocking more than 100 million of these messages per day at the height of this trend. These malicious messages were back down to about 1.1 percent of all spam in Q1, according to Adam Swidler, product marketing manager for Google's Postini team, which gathers its data from 80,000 business customers.

Much of that activity was in response to the takedown of the Mega-D botnet last year. So far this year the Waledac and Mariposa botnets also have been dismantled by the security community.

"In response to actions the security community was taking [in 2009], the [attackers] started seeding botnets with a high volume of payload viruses in the second half [of the year]," Swidler says. "We've seen that activity drop off as they've shifted back to traditional spamming type activities."

But Swidler says even with the subsequent botnet takedowns since Mega-D, spam volumes have not really decreased significantly this year so far. "Spam is still over 6 percent more compared with a year ago," he says.

Starting with the McColo service takedown in 2008, each time a criminal infrastructure has been dismantled, the bad guys get quicker at rebounding back, he says. "We're expecting to see these targeted attacks on botnets in 2010and we're waiting to see if any have as much of an impact as we would hope," he says.

Meanwhile, Google Postini has seen an increase in image spam. "From a spam size perspective, we've seen a measurable jump," Swidler says. "Its [resurgence] indicates that easily reusable components make it a low barrier to entry to get in...and not spend time creating new materials for spam campaigns."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.