Storm's demise gives way to new trends in spam and malware; botnets extend their reach

December 5, 2008

7 Min Read


CUPERTINO, Calif. - December 4, 2008- Symantec Corp. (Nasdaq: SYMC) today announced the launch of its MessageLabs Intelligence 2008 Security Report. The annual report details how 2008 was a pivotal year for the cyber security landscape as revolutionary advances in malware and spam techniques made their mark on the underground "shadow" economy. Total spam levels peaked at 82.7 percent in February 2008 and averaged 81.2 percent for the year, compared with 84.6 percent in 2007. As much as 90 percent of spam was being distributed by botnets, including the notorious Storm (Peacomm) botnet, which appeared on the threat landscape in early 2007 and all but disappeared by the end of the year, giving way to rival botnets like Srizbi and Cutwail (Pandex), until community action in September and November resulted in the takedown of two U.S. ISPs blamed for hosting the command and control channels for some of the largest botnets, including Mega-D (Ozdok) and Srizbi, which had been responsible for about 50 percent of all spam. With the exception of Srizbi, the affected botnets have since found alternative hosting, resulting in a return to spam levels close to those before the takedowns, with rival botnets such as Cutwail and Rustock taking-up the slack left by Srizbi's absence.

In 2008, spammers developed an affinity for spamming from large, reputable web-based email and application services by defeating CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) techniques to generate massive numbers of personal accounts from these services. In January, 6.5 percent of spam originated from these hosted webmail accounts, peaking in September when 25 percent of spam originated from these sources, averaging about 12 percent for the remainder of the year.

"2008 was an important year for the security industry as new threats emerged and old threats evolved while the Internet gained sophistication and its users became more web-savvy than ever before," said Mark Sunner, chief security analyst, MessageLabs. "CAPTCHA breaking became one of the best ways to spam and a wide variety of spam ensued emanating from free web-mail and social networking sites, which require personal accounts for access."

Complex web-based malware targeting social networking sites and vulnerabilities in legitimate websites, became widespread in 2008, resulting in malware being installed onto computers with no user intervention required. The daily number of new websites containing malware rose from 1,068 in January to its peak at 5,424 in November. The average number of new websites blocked daily rose to 2,290 in 2008 from 1,253 in 2007, largely due to increased attacks using SQL injection techniques.

As web-based attacks became more popular during 2008, email-based attacks rose by .15 percent compared with 2007. In 2008, 1 in 143.8 (0.70 percent) emails were malicious, compared with 1 in 117.7 (0.85 percent) for 2007. In addition, two distinct targeted attack patterns emerged during 2008. MessageLabs Intelligence noted the number of targeted Trojan attacks intercepted rose to 53 per day in 2008, peaking at 78 per day in April 2008, compared with one to two per week in 2005, 1 to 2 per day in 2006 and 10 per day in early 2007.

"Web 2.0 offers endless opportunities to scammers for distributing their malware - from creating bogus social networking accounts to spoofed videos - and in 2008 the threats targeting social networking environments became very real," Sunner said. "Web 2.0 thrives on user-generated content, as do the spammers. The ability to adapt to new mediums and upload enticing content as 'snake oil' to persuade an information-hungry user to activate it, is one of the cybercriminals' strongest talents and has made them successful in transforming deception into a fully scalable business model within the underground shadow economy."

Emphasizing how threats of this kind have increased in popularity over the last year, one targeted Trojan spoofed the an organization involved with the Olympic Games in late July disguising malware hidden in a file attachment, using embedded JavaScript to drop a malicious executable program onto the target's computer. The malware was sent to several participating nations' sporting organizations and athletic representatives. Another targeted Trojan, distributed with the intent of corporate espionage, spoofed a well-known business organization purporting to relate to a complaint filed against the recipient, and involved approximately 900 targeted Trojans intended for senior executives worldwide.

Towards the end of 2008, the credit crisis generated many new finance related attacks as spammers and scammers sought to take advantage of the panic and uncertainty surrounding the changes on Wall Street and around the world.

Rogue Bots and Social Networking During 2008, botnets were responsible for 90 percent of all spam, and responsible for a rise in the proportion of email-borne malware contained in links to malicious websites. This proportion peaked at 61.1 percent in February, when an increase of malicious activity from Storm was responsible for 96 percent of these interceptions. Before its demise, one of Storm's last activities involved a new bout of malware that appeared in July 2008 using headlines involving celebrities meeting their death and contained links to sites that when activated resulted in the installation of Antivirus XP 2008, a rogue anti-spyware program which could be installed without the user's involvement. The program runs a fake scan on the computer offering to remove the number of infections found for a fee. Following Storm's demise, links to this rogue application were spammed out by other botnets, including Srizbi, Rustock and Mega-D. One third of malicious links intercepted in July were related to "Antivirus XP 2008" and by August, 64 percent of malicious emails, mostly spoofing fake greeting cards, contained links to Trojan droppers designed to install the rogue anti-spyware program.

Another cybercriminal favorite of 2008 involved the distribution of malware on social networking sites, first seen in small amounts toward the end of 2007. One tactic that became popular this year was to create fake profiles on social networking sites using them to post malicious links and to phish other users. Once a user is phished, spammers can post blog comments on the pages of their friends and send messages from the phished accounts to other contacts. The messages were mostly used to dispense spam, including links to spam sites such as online pharmacies. After gaining access to legitimate user profiles, scammers then harvest the available personal information to further target users, wreaking havoc.

Finally, phishing underwent some notable transformations in 2008 as phishing attacks from specialized botnets became commonplace. While the intensity of phishing attacks hasn't changed significantly over the course of the year, the targets have widened to include recruitment agencies and online retailers in addition to the financial institutions of before. The number of specialized banking Trojans is expected to rise further in 2009.

Top Trends in 2008

Web Security: For 2008, the average number of new malicious websites blocked each day rose to 2,290 compared with 1,253 for 2007, an increase of 82.8 percent owing mostly to an increase in SQL injection attacks.

Spam: In 2008 the annual average spam rate was 81.2 percent, a decline of 3.4 percent on the 2007 statistic of 84.6 percent. In 2008, the majority of spam was made up of text-only or HTML content and an increasing proportion of spam originated from reputable web-based email and application service providers.

Viruses: The average virus level for 2008 was 1 in 143.8 emails (.70 percent) reflecting a .15 percent decrease on 2007 where levels averaged at 1 in 117.7 (.85 percent) emails. The decline can be attributed to the transition to spreading malware using malicious content hosted on websites and drive-by installs rather than favoring email as the primary means of distribution.

Phishing: The number of phishing attacks was 1 in 244.9 (.41 percent) emails across 2008, compared to 1 in 156 emails in 2007. Phishing activity peaked in February at 1 in 99.1, due partly to the increase in plug- and- play style phishing kits and the increased use of specialized botnets for phishing activity.

The annual MessageLabs Intelligence Report provides greater detail on all the trends and figures noted above, as well as more detailed trends for 2008. The full report is available at About Symantec Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights