It was announced in mid-March that the joint efforts of Microsoft and US law enforcement agencies had resulted in the closure of the Rustock spam botnet.
Rustock first appeared on the Internet back in 2006 and according to some estimates, was responsible for 30-40% of all spam. The closure of the botnet was announced on 17 March, though the operation itself took place a day earlier.
Kaspersky Lab’s experts registered a decrease in the volume of spam between 17 and 20 March. During this period the amount of spam in mail traffic fell by 3 percentage points compared with the average figure for the first half of March. The overall number of spam emails fell by approximately 15 percentage points.
However, on 22 March there was an upturn in the volume of spam traffic. It appears that spammers and botmasters learnt a few lessons from similar closures at the end of 2010 and despite the size and output of the closed Rustock botnet they managed to quickly redistribute their capacities. Nevertheless, the anti-botnet activities by law enforcement agencies continue to bear fruit and please anti-spam fighters.
Spammers exploit tragedy in Japan
A series of destructive earthquakes, a tsunami and the unfolding disaster at a nuclear power station have gripped the world in recent weeks. People in many countries have looked to help the people of Japan with food, medications and other essentials by donating funds to various humanitarian organizations. A number of sites have appeared on the Internet with information on how and where to transfer money to help the victims.
Spammers immediately started exploiting these charitable initiatives by distributing fraudulent emails that claimed to transfer money to the Red Cross and other humanitarian organizations.
Of course, the users who sent money to the accounts specified in these emails only ended up donating money to the spammers.
The tragic events in Japan were also used to distribute malicious code. As is often the case, human curiosity played into the hands of the fraudsters: users were invited to find out some of the more shocking details or to view footage from the disaster area.
Libya warzone becomes hot topic
The conflict in Libya has also hit headlines around the world, so spammers have also started exploiting it in their fraudulent messages. A number of ‘Nigerian’ letters have circulated, allegedly sent on behalf of members of the government who are trying to transfer their millions out of Libyan banks as well as messages asking recipients to donate money to help the victims.
The dramatic events in Libya also brought out the malware: spammers used the tried and tested method of sending messages with links to the ‘latest’ news from Libya.
In our opinion, the most interesting development was the appearance in March of politically motivated messages about events in Libya.
Such messages usually quote blog posts or newspaper articles. They are written in English which means their target audience is not Libyan. This type of spam attempts to grab the attention of users in the USA and Europe and is sent by supporters of the ruling regime as well as its opponents.
The amount of spam detected in mail traffic increased by 0.9 percentage points and averaged 79.6% in March 2011.
Spam in mail traffic in March 2011
A low of 74.5% was recorded on 25 March with a peak of 86.9% on 13 March.
In March, India remained the most popular source of spam, accounting for 11.42% of the total volume of spam (an increase of 2.59 percentage points).
Brazil took over from Russia in second place having distributed 6.6% of all spam, an increase of 2 percentage points compared to February’s figure. Russia came third having distributed the same amount of spam as in February – 4.8%. The figures for Indonesia (4.3%) and Italy (4%) also remained practically unchanged, leaving these two countries in fourth and fifth places respectively.
The volume of spam originating from South Korea decreased by 0.8 percentage points and accounted for 3.3%. As a result it dropped from fifth to eighth position, making way for the UK (3.9%) and the USA (3.4%), which moved up to sixth and seventh places respectively. However, the amount of spam distributed from these two countries did not change considerably from the previous month.
In March, malicious files were found in 3.23% of all emails, an increase of 0.05 percentage points compared with the previous month.
Major shifts occurred in the list of countries where mail antivirus detected malware most frequently.
Russia maintained its leadership as the country where malware was detected most frequently in mail traffic (12.7% of all malicious attachments). The USA came a close second with 12.5%, an increase of 1.9 percentage points compared with the previous month.
The UK occupied third place with 6.2% of all blocked emails with malicious attachments, an increase of 1.1 percentage points compared to February’s figure. The share of malware emanating from India (4.35%) and Vietnam (5.61%) has fallen steadily over recent months. In March, India dropped two places to sixth while Vietnam fell from third to fourth.
Germany moved up one place (5.4%), while Australia (4.21%) was a non-mover in March. Italy (4.05%) which was not among the Top 10 in February re-entered the rating at eighth place. Spain (3.27%) climbed from eleventh to ninth place.
The Top 10 rating of malicious programs distributed via mail traffic in March 2011 looks like this:
More than half of March’s Top 10 malicious programs distributed via mail traffic belonged to the Trojan-Downloader.Win32.Deliver family. This type of program is classified as a Trojan downloader that installs new versions of malicious programs on the victim computer without the user’s knowledge.
Two Top 10 entries are representatives of the Trojan-Spy.Win32.SpyEyes family, programs designed to steal confidential data from users. February’s rating contained another modification of Trojan-Spy.Win32.SpyEyes.
First place is occupied by Trojan-Spy.HTML.Fraud.gen, the long-standing leader of the rating. You can find out more about this malicious program here.
We have already mentioned above that in March spammers actively exploited events in Japan and Libya when sending emails with malicious links or attachments. Some spammers even included both themes in a single bulk mailing: messages with “hot news” about the earthquake in Japan and the conflict in Libya contained the same links and were sent simultaneously.
It is quite noticeable that the emails were created using a single template. Each malicious link is followed by a copyright disclaimer which varies from message to message. A number of major IT companies and Internet resources were specified as the copyright owners. It is possible that the fraudsters made use of this awkward approach to trick the spam filters.
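From a mail-filtering standpoint, a campaign built from one template with a randomized footer can still be clustered once the footer is stripped and links are normalized. The following Python example is added here and is not code from the original report; the sample messages, domain and function names are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample messages (not from the report): two "hot news" lures with
# different themes share one link and differ only in the bogus copyright footer.
SAMPLE_EMAILS = [
    {"subject": "Shocking new footage from the Japan earthquake",
     "body": "Watch the latest video here: http://news-example.invalid/watch?id=1\n"
             "Copyright (c) 2011 ExampleCorp. All rights reserved."},
    {"subject": "Latest news from Libya",
     "body": "Watch the latest video here: http://news-example.invalid/watch?id=1\n"
             "Copyright (c) 2011 Another IT Company Inc."},
    {"subject": "Your invoice",
     "body": "Please find attached the invoice for March.\nRegards, accounting"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Matches a whole line that starts with "Copyright": the varying footer.
COPYRIGHT_RE = re.compile(r"^\s*copyright\b.*$", re.IGNORECASE | re.MULTILINE)


def template_fingerprint(body):
    """Hash the body with the copyright footer removed and URLs replaced by a
    token, so messages built from one template collapse to one fingerprint."""
    stripped = COPYRIGHT_RE.sub("", body)
    normalized = URL_RE.sub("<URL>", stripped)
    normalized = " ".join(normalized.split()).lower()
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]


def cluster_by_template(emails):
    """Group message indices by template fingerprint: {fingerprint: [indices]}."""
    clusters = defaultdict(list)
    for i, mail in enumerate(emails):
        clusters[template_fingerprint(mail["body"])].append(i)
    return dict(clusters)


def shared_link_campaigns(emails):
    """Return links that appear under more than one distinct subject, i.e. the
    'same link, different hot-news theme' pattern: {url: [subjects]}."""
    subjects_by_url = defaultdict(set)
    for mail in emails:
        for url in URL_RE.findall(mail["body"]):
            subjects_by_url[url.rstrip(".,)")].add(mail["subject"])
    return {url: sorted(s) for url, s in subjects_by_url.items() if len(s) > 1}
```

Both checks are cheap enough to run on a mail gateway's quarantine feed, and a cluster whose members carry different footers but one fingerprint is a strong template signal.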
If a user clicked the link, a malicious program was installed on their computer with the help of Java exploits. Kaspersky Lab expert Nicolas Brulez described these malicious links in more detail in his blog.
In March, phishing emails accounted for 0.02% of all mail traffic, a decrease of 0.01 percentage points compared with the previous month.
PayPal was the undisputed leader of March’s Top 10 organizations most often attacked by phishers. Facebook, Habbo and World of Warcraft, a popular online game, were also among the favorite phishing targets.
Online services make up half of all the targets in this rating, but the phishers were obviously less interested in banks, as online banking systems are mostly located at the lower end of our rating.
In March, US law enforcement agencies struck another blow against botnets which led to a short-term decrease in the amount of spam. Despite this the average percentage of spam in mail traffic increased in March compared to February. As we forecast in January’s spam report, the average monthly volume of spam continues to grow and looks likely to return to the same levels we saw in the summer of 2010.
Contrary to our expectations, the USA did not enter the Top 5 most popular sources of spam in March. The percentage of spam distributed from the territory of this country remained practically unchanged compared to February. However, it is interesting to note the increase in malicious attacks targeting the USA. This could signify that there is a concerted effort by cybercriminals to resurrect their botnets in the USA.