The Latvian ISP Real Host was disconnected on 1 August after it was alleged to be linked to command-and-control servers for infected botnet computers, particularly the Cutwail botnet, which is responsible for approximately 15 to 20% of all spam today. Following the disconnection, global spam volumes immediately fell by as much as 38% in the subsequent 48-hour period.
Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec, said:
"Cutwail's activity levels fell by as much as 90% following the disconnection of Real Host, but in a matter of days it was back to its former self, demonstrating just how powerful the Cutwail botnet really is in recovering and reinventing itself. ISPs have been blamed for helping botnet activity in the past, and taking these services down when unusual behavior is monitored is an important part of the battle against cybercrime."
Despite this brief variation in spam levels, the overall figures for August remain fairly steady at 88.5%, due to the activity levels of other major botnets such as Rustock, Mega-D and Donbot. Taking advantage of the heightened interest in health-related issues due to the current swine flu pandemic, Donbot recently distributed its largest shortened-URL spam run to date, sending an estimated 10 billion pharmaceutical-focused spam messages in one day. Subjects include 'Health care - get meds now', 'Save 89% on Meds' and 'Purchase Meds Online'. The ongoing use of shortened URLs as a delivery mechanism has resulted in a number of URL-shortening services being forced to close their businesses due to their inability to handle the malicious use of their tools.
In addition, MessageLabs Intelligence analysis highlights how cybercriminals are three times as likely to favor repurposing malware across numerous domains rather than developing new tactics. In August, of 3,510 websites being blocked daily, 36.1% of domains were new. Similar analysis of malware being blocked each day highlights that only 11.9% was newly developed malware.
Other report highlights:
Spam: In August 2009, the global ratio of spam in email traffic from new and previously unknown bad sources was 88.5% (1 in 1.13 emails), reflecting a 0.9% decrease since July.
Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 296.6 emails (0.34%), almost unchanged since July. In August, 14.8% of email-borne malware contained links to malicious websites, a decrease of 0.4% since July.
Phishing: One in 341.2 emails (0.29%) comprised some form of phishing attack, a decrease of 0.01% since July. When judged as a proportion of all email-borne threats such as viruses and Trojans, the number of phishing emails had decreased by 6.0% to 86.9% of all email-borne malware threats intercepted in August.
Web security: Analysis of web security activity shows that 45.4% of all web-based malware intercepted was new in August, an increase of 44.7% since July. MessageLabs Intelligence also identified an average of 3,510 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 0.01% since July.
Geographical Trends:
• Hong Kong was the most spammed country in August although levels fell by 0.8% to 93.4%.
• Spam levels in the US and Canada rose to 89.5% and 88.7% respectively. The majority of other countries saw a decline in August with levels in the UK falling to 91.6%, Germany to 90.4%, France to 90.7%, and The Netherlands to 86.3%.
• Levels in Australia and Japan declined to 90.6% and 89.2% respectively.
• Although virus activity in China declined to 1 in 196.9 emails, it was placed at the top of the virus table for August. Singapore and Switzerland maintained their position in the top 5 countries with virus levels of 1 in 196.9 and 1 in 214.0 emails respectively. The UK, with levels of 1 in 219.3, and the UAE, with levels of 1 in 228.66 emails, completed the top 5 virus-affected countries for August.
• Virus activity increased in Germany and The Netherlands with levels of 1 in 275.5 emails and 1 in 612.18 emails respectively. In the US levels decreased slightly to 1 in 387.1 and increased in Canada with levels reaching 1 in 309.9. July's most affected country, Australia, became the twelfth most affected country in August with virus levels of 1 in 308.3 emails. In Hong Kong virus activity was 1 in 297.7 emails and in Japan it increased to 1 in 400.76 emails.
Vertical Trends:
• In August, the most spammed industry sector with a spam rate of 93.4% was the Engineering sector.
• Spam levels for the Education sector were 93.2%, 92.5% for the Automotive sector, 90.7% for Retail, 89.8% for Public Sector and 88.7% for Finance.
• Virus activity in the Education sector increased with 1 in 120.0 emails being infected in August, keeping it top of the virus table.
• Virus levels for the IT Services sector were 1 in 262.5, 1 in 490.3 for Retail, 1 in 171.9 for Public Sector and 1 in 288.4 for the Chemical and Pharmaceutical sector.
The August 2009 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends.
Symantec's MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.
Posted by Siba Sami Ammari
