After the Pushdo/Cutwail, Bredolab and Rustock botnets were taken offline, the geography of spam sources underwent some major changes. In particular, from September 2010 the US, for a long time the leading spam distributor, began to lose ground. For several months now it hasn’t even made it into the Top 10 leading sources of spam and only occasionally appears at the bottom of the Top 20.
The US and some European countries have been replaced by Asian and Latin American countries. The cybercriminals have clearly established new bases for distributing spam, with eight of July's top 10 spam sources located in Asia and Latin America.
Another interesting characteristic of the July rating is that the top five countries account for almost half (48.65%) of all spam messages. For this reason we decided to take a closer look at spammer activity in India, Indonesia, Brazil, Peru and Ukraine.
An analysis of the spam mailings originating from these countries in June and July shows that in July fewer spam messages were sent from India and Brazil than in June – down by 2.03 and 1.83 percentage points respectively. The changes for both countries are very similar. Indonesia and Peru also saw increases of very similar levels in the same period – up by 4.82 and 4.59 percentage points respectively.
These figures were of particular interest to us: such similar fluctuations may well reflect the geographic distribution of spam botnets and could be due to botnets in various countries being managed by the same individuals.
In order to gain a fuller picture, we analyzed information on 11 countries (the top 10 and Russia, which ranked 11th in July and was, until recently, one of the top distributors of spam) for the period of April to July. Based on the results of analyzing the dynamics of distribution, we believe that spam is distributed simultaneously from several groups of countries:
Analysis of the weekly spam traffic confirmed that the rates of spam distribution from India and Brazil have very similar dynamics:
The subtle differences in the curves are primarily due to the fact that, apart from zombie machines presumably managed from the same center, each country has its own ‘local’ botnets which receive commands to distribute spam at other times. In addition, botnets are constantly changing in size with new machines being added and older ones disappearing (e.g. when users install antivirus software and the computer is disinfected).
Analysis of Ukraine, Thailand and Taiwan quickly identified an odd one out:
As the graph shows, the spam mailings from Ukraine and Thailand intensify or fall off almost identically. The differences between the two are accounted for by the same reasons mentioned above for Brazil and India. Taiwan, however, is out of sync with the overall picture.
A detailed analysis reveals that the spam distributed from Ukraine, Thailand, Indonesia and Peru is synchronous:
Thus, the second grouping of spammer botnet activity currently consists of Indonesia, Peru, Ukraine and Thailand.
Notably, synchronous distribution of spam from countries located on different continents does not mean that computers in these countries are united in one big botnet. Several small zombie networks can also operate synchronously, receiving distribution commands from the same individuals.
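The grouping described above rests on comparing weekly spam-volume curves country by country and treating countries whose curves rise and fall together as likely to share a control centre. The following is an added example of how an analyst can make that comparison reproducible: it computes the Pearson correlation of each pair of weekly series and then merges countries whose correlation exceeds a threshold into groups. The code is not from the original post, and the weekly percentages in it are constructed to mimic the shapes discussed (India and Brazil moving together, Ukraine, Thailand, Indonesia and Peru moving together, Taiwan on its own); they are not Kaspersky's measured figures.

```python
"""Group spam-source countries by the synchrony of their weekly spam share.

Added example; the series below are constructed, not measured data.
"""
from itertools import combinations
from math import sqrt

# Constructed weekly share of global spam (percent) over eight weeks.
# Shapes are chosen to resemble the post's narrative, not real figures.
WEEKLY_SHARE = {
    "India":     [14, 15, 13, 16, 12, 14, 11, 12],
    "Brazil":    [8, 9, 7, 10, 6, 8, 5, 6.5],
    "Ukraine":   [4, 5, 6, 5, 7, 6, 8, 7],
    "Thailand":  [3, 4, 5, 4, 6, 5, 7, 6],
    "Indonesia": [5, 6, 7, 6, 8, 7, 9, 8.5],
    "Peru":      [3, 3.5, 4.5, 4, 5.5, 5, 6.5, 6],
    "Taiwan":    [2, 3, 3, 4, 5, 4, 3, 2],
}


def pearson(xs, ys):
    """Pearson correlation of two equal-length series (0.0 if either is flat)."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must have the same length and at least two points")
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0          # a flat curve carries no synchrony information
    return cov / sqrt(vx * vy)


def correlation_matrix(series):
    """Correlation for every unordered pair of countries, keyed (a, b) with a < b."""
    return {
        (a, b): pearson(series[a], series[b])
        for a, b in combinations(sorted(series), 2)
    }


def synchronous_groups(series, threshold=0.8):
    """Merge countries into groups wherever a pair correlates at or above threshold.

    Uses union-find so that A~B and B~C place A, B and C in one group even if
    A and C alone fall just under the threshold. Groups are returned largest
    first, each sorted alphabetically, so the result is deterministic.
    """
    parent = {country: country for country in series}

    def find(c):
        while parent[c] != c:
            parent[c] = parent[parent[c]]   # path halving
            c = parent[c]
        return c

    for (a, b), r in correlation_matrix(series).items():
        if r >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for country in series:
        groups.setdefault(find(country), set()).add(country)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for (a, b), r in sorted(correlation_matrix(WEEKLY_SHARE).items()):
        print(f"{a:>9} vs {b:<9} r = {r:+.2f}")
    for group in synchronous_groups(WEEKLY_SHARE):
        print("synchronous group:", ", ".join(group))
```

On the constructed data this yields three groups: Indonesia, Peru, Thailand and Ukraine; Brazil and India; and Taiwan alone, matching the post's reading of its graphs. On real feed data the threshold should be chosen after looking at the distribution of pairwise correlations, and it is worth repeating the calculation on week-over-week changes as well as on raw levels, since a shared seasonal trend can make unrelated botnets look synchronous.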
As a result, we get a rather worrying picture: over 60% of all spam globally originates from 10 countries, where cybercriminals have been building up new botnets over the last year to replace those put out of action in the US and western Europe.
The major groups of countries from which spam is being distributed synchronously are: India-Brazil (nearly a quarter of the world's spam was sent from these countries in July), and Indonesia-Peru-Ukraine-Thailand. Furthermore, the last three weeks of July revealed noticeable parallels between spam distributions from Russia, Italy, South Korea and Vietnam. It’s still too early to reach conclusions about this grouping of countries, but we will continue to monitor them.
The correlations above suggest that following a series of successful anti-botnet campaigns, the cybercriminals are spreading their resources across different countries (and even continents) so that they can continue to function if they lose their bots in one country. The countries in question have not yet developed effective legislation to regulate Internet activities, which allows the cybercriminals to act with impunity. What is more, the cybercriminals behind this spam traffic can manage it from any country in the world.