In its September Q3 global MessageLabs spam report, Symantec says that spam levels in Australia remained much the same as in August, at 90.7% of all email received by businesses, and that spam rates are still higher than the global average of 86.4%.
On virus activity in Australia, Symantec reports that rates halved in September compared to August, with one in 626.5 emails received containing a virus, compared to one in 308.3 in August.
According to the Symantec report, the botnet Maazben’s growth has accelerated during the past month from 0.5 percent of all spam in August to 1.4 percent of all spam in September.
“Rustock is the largest in terms of number of bots at 1.3 to 1.9 million bots but has kept its output per bot relatively low. In addition, Rustock has settled into a predictable spam pattern beginning every day at 3 a.m. ET, peaking at 7 a.m. ET and ceasing spamming at 7 p.m. ET. It then rests for eight hours before beginning again.”
Symantec also says that Rustock is the only botnet with a regular spam cycle, and as one of the most dominant botnets, is responsible for 10 percent of all spam, with its spam pattern reflected in overall total daily spam patterns.
Symantec senior analyst Paul Wood says that over the past year, the security firm has seen a number of ISPs taken offline for “hosting botnet activity resulting in a case of sink or swim and an ensuing shift in botnet power.”
According to Wood, following the closure of these ISPs over the past three months, two other botnets have had the opportunity to vie for Cutwail’s previous position as the most active botnet.
“Grum, half the size of Rustock but responsible for 23.2 percent of spam, and Bobax, responsible for 15.7 percent of spam, have both taken over as the most active botnets for spam distribution. Previously, Cutwail was responsible for 45.8 percent of spam.”
Also in September, Symantec analysis revealed that a decline in ‘domain tasting’, the practice of domain registration cancellation within a five-day grace period, reported by ICANN in June this year, may be responsible for a change in the malicious nature of websites, “suggesting that malicious domains are now likely to be older, compromised websites rather than newly registered domains with a short lifespan as they were about one year ago.”
According to Wood, an analysis of websites that are established with the pure intent to serve malware reveals that “young” domains - those that are registered up to three months before first being blocked for hosting malicious content - are small in number but the “vast majority of them are blocked as malicious and founded with malicious intent,” and “ninety percent of ‘young’ domains are taken down within 38 days of registration.
“It is not surprising that with a small window of opportunity for younger domains, the attackers register domains much faster,” Wood said, “suggesting that attackers are working very hard to set up new domains and compromise new websites. However, in an effort to keep up with the rapid turnover of domains, the bad guys are often serving up the same malware.
“Furthermore, an analysis of older domains, those that have been registered for more than three months and compromised to serve malware, indicates that the majority, 90 percent, of these websites are taken down after 138 days, much longer than their younger counterparts.
“MessageLabs Intelligence found that overall, 80 percent of domains being blocked as malicious for serving up malware are in fact compromised, legitimate websites.”
On spam, Symantec says that in September this year, the global ratio of spam in email traffic from new and previously unknown bad sources was 86.4 percent (1 in 1.2 emails), reflecting a 2.1 percent decrease since August. Spam levels for Q3 2009 averaged 88.1 percent, compared with 81.0 percent for Q3 2008.
And, with viruses, Symantec says the global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 399.2 emails (0.25 percent) in September, a decrease of 0.09 percent since August. Also in September, 39.8 percent of email-borne malware contained links to malicious websites, an increase of 22 percent since August, while in Q3, email-borne malware activity averaged 1 in 330.3 emails compared with 1 in 122.5 for Q3 last year.
Symantec also found that an analysis of web security activity showed that 12.3 percent of all web-based malware intercepted was new in September, an increase of 0.4 percent since August, and it identified an average of 2,337 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 33.4 percent since August.