MessageLabs: Storm Botnet Spews 20 Percent of All Spam

Download our in-depth report: The Ultimate Guide to IT Security Vendors

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  

A new report from email and Web security provider MessageLabs paints a picture of an old botnet (in Internet time) that still packs a mean punch.

Storm has taken its share of jabs from rival botnets lately, but it is still a force to be reckoned with according to data compiled by the company for its Q1/March 2008 Intelligence Report. During the first quarter, the botnet was found to have been responsible for 20 percent of all spam detected by MessageLabs.

And while Storm has appeared on the verge of defeat in recent months, the firm's research paints a picture of a botnet that bides its time and hits hard when the opportunity presents itself. A key contributor is the classic divide and conquer strategy.

"The recent segmentation of the botnet into smaller, more discreet networks allows the controllers to hire-out each segment to different groups of criminals for different purposes. This also allows the controllers to preserve some portions of the botnet for specific purposes, including the distribution of the Storm malware itself," explains Paul Wood, a Senior Security Analyst for MessageLabs.

This ability, and others that contribute to its caginess, are rooted in a botnet operator that has taken adaptability to heart.

"The way in which the Storm botnet has evolved from its dawn in January 2007 has placed it head-and-shoulders above many other operators in this market. i.e. the market of creating and hiring-out botnet airtime to spammers and other online criminals," he says.

Essentially, Storm's keepers rely on several tricks to stay ahead and reinforce its numbers. Wood states, "There are many factors contributing to this, from inventive peer-to-peer command and control mechanism, to its flexibility in being able to be used to distribute spam and malware to launching distributed denial of service attacks and its ability to host websites or act as proxies for other services. The latter is often used to host spammer sites, phishing sites and also sites to serve-up the latest strains of the Storm botnet trojan itself to new unsuspecting victims."

The report also offers updated spam and email security statistics. Highlights include:

In March 2008, the global ratio of spam in email traffic from new and previously unknown bad sources, was 73.8 percent (1 in 1.36 emails), an increase of 1.1 percent on the previous month. Spam levels for Q1 2008 are 1.1 percent lower than Q4 2007 and 3 percent lower than Q1 2007, but 14.1 percent higher than the same period in 2006.

The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources, was 1 in 169.2 emails (0.59 percent) in March, a decrease of 0.36 percent since the previous month.

March saw a decrease of 0.57 percent in the proportion of phishing attacks compared with the previous month. One in 228.7 (0.44 percent) emails comprised some form of phishing attack. When judged as a proportion of all email-borne threats such as viruses and Trojans, the number of phishing emails had fallen by 13.5 percent to 74 percent of all email-borne malware threats intercepted in March.

Ultimately, IT shops can benefit by keeping their ears to the ground, says Wood. He recommends that they investigate technologies that have their finger on the pulse of the Internet.

"Businesses such as MessageLabs can utilize much greater leverage from the intelligence gathered at the internet level itself, applying the knowledge learned of IP addresses across the global client base, rather than just those targeting an individual business."

MessageLabs' Q1/March 2008 Intelligence Report is available here (PDF).

This article was first published on EnterpriseITPlanet.com.

Submit a Comment

Loading Comments...