Thursday, 01 October 2009 07:24

New botnets hitting the net, Oz spam levels higher than global average

New botnets are reportedly causing more havoc on the Internet, with botnets now responsible for sending 87.9 percent of all spam, including one of the oldest and largest botnets which has doubled in size in just four months.

A new botnet – Maazben – has experienced rapid growth since its infancy in late May this year, mainly sending out casino-related spam, while Rustock, one of the oldest and largest, has doubled in size since June and, according to Symantec, “established a predictable spamming pattern.”

In its September Q3 global MessageLabs spam report, Symantec says that spam levels in Australia remained relatively unchanged from August, at 90.7% of all email received by businesses, and that spam rates are still higher than the global average of 86.4%.

On virus activity in Australia, Symantec reports that rates halved in September compared to August, with one in 626.5 emails received containing a virus, compared to one in 308.3 in August.

According to the Symantec report, the botnet Maazben’s growth has accelerated during the past month from 0.5 percent of all spam in August to 1.4 percent of all spam in September.

“Rustock is the largest in terms of number of bots at 1.3 to 1.9 million bots but has kept its output per bot relatively low. In addition, Rustock has settled into a predictable spam pattern beginning every day at 3 a.m. ET, peaking at 7 a.m. ET and ceasing spamming at 7 p.m. ET. It then rests for eight hours before beginning again.”

Symantec also says that Rustock is the only botnet with a regular spam cycle, and as one of the most dominant botnets, is responsible for 10 percent of all spam, with its spam pattern reflected in overall total daily spam patterns.


Symantec senior analyst Paul Wood says that over the past year the security firm has seen a number of ISPs taken offline for “hosting botnet activity resulting in a case of sink or swim and an ensuing shift in botnet power.”

“This has undermined the power of the more dominant botnets like Cutwail and cleared the way for new botnets like Maazben to emerge. However, this won’t always be the case as botnet technology has also evolved since the end of 2008 and the most recent ISP closures now have less of an impact on resulting activity as downtime now only lasts a few hours rather than weeks or months as before.”

According to Wood, following the closure of these ISPs over the past three months, two other botnets have had the opportunity to vie for Cutwail’s previous position as the most active botnet.

“Grum, half the size of Rustock but responsible for 23.2 percent of spam, and Bobax, responsible for 15.7 percent of spam, have both taken over as the most active botnets for spam distribution. Previously, Cutwail was responsible for 45.8 percent of spam.”

Also in September, Symantec analysis revealed that a decline in ‘domain tasting’, the practice of cancelling a domain registration within a five-day grace period, reported by ICANN in June this year, may be responsible for a change in the malicious nature of web sites, “suggesting that malicious domains are now likely to be older, compromised websites rather than newly registered domains with a short lifespan as they were about one year ago.”

According to Wood, an analysis of websites that are established with the pure intent to serve malware reveals that “young” domains - those that are registered up to three months before first being blocked for hosting malicious content - are small in number, but the “vast majority of them are blocked as malicious and founded with malicious intent,” and “ninety percent of ‘young’ domains are taken down within 38 days of registration.”

“It is not surprising that with a small window of opportunity for younger domains, the attackers register domains much faster,” Wood said, “suggesting that attackers are working very hard to set up new domains and compromise new websites. However, in an effort to keep up with the rapid turnover of domains, the bad guys are often serving up the same malware.


“Furthermore, an analysis of older domains, those that have been registered for more than three months and compromised to serve malware, indicates that the majority, 90 percent, of these websites are taken down after 138 days, much longer than their younger counterparts.

“MessageLabs Intelligence found that overall, 80 percent of domains being blocked as malicious for serving up malware are in fact compromised, legitimate websites.”

Wood warns that it is of “greater benefit to an attacker to compromise a legitimate website as opposed to setting up a newer, specialized domain to serve up malware,” and, he adds, “fundamentally, using legitimate websites to spread malware reduces the labor for the cybercriminals and extends the lifetime of the malware. Moreover, by taking advantage of the Add Grace Period, a policy that allows scammers to register a domain at no cost and cancel after five days, ‘domain tasting’ and ‘domain kiting’ have become common practice for cybercriminals, allowing them to beat the system without ever paying for malware distribution.”

On spam, Symantec says that in September this year, the global ratio of spam in email traffic from new and previously unknown bad sources was 86.4 percent (1 in 1.2 emails), reflecting a 2.1 percent decrease since August. Spam levels for Q3 2009 averaged 88.1 percent, compared with 81.0 percent for Q3 2008.

And, with viruses, Symantec says the global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 399.2 emails (0.25 percent) in September, a decrease of 0.09 percent since August. Also in September, 39.8 percent of email-borne malware contained links to malicious websites, an increase of 22 percent since August, while in Q3, email-borne malware activity averaged 1 in 330.3 emails compared with 1 in 122.5 for Q3 last year.

Symantec also found that an analysis of web security activity showed that 12.3 percent of all web-based malware intercepted was new in September, an increase of 0.4 percent since August, and it identified an average of 2,337 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 33.4 percent since August.
