The Spam-Malware Tandem Strengthens in Q3 2010

By Kaspersky Lab

Kaspersky Lab announces the publication of its spam report for the third quarter of 2010.


According to the report, the share of spam messages with malicious attachments more than doubled in the third quarter of the year, averaging 4.6% compared to 1.9% in the second quarter. At the beginning of Q3 2010, the percentage of malicious attachments in email traffic exceeded 6.3%, an unprecedented figure. Kaspersky Lab analysts suggest this may be due to spammers simply switching their focus from individual clients to working with partner programs, including those linked to the spread of malware.


The type of mass mailing with the most variations was fake notifications from resources such as Twitter, Facebook, Windows Live, MySpace, and a number of popular online stores. The links contained in these notifications redirected users to a spammer service that downloaded the Bredolab backdoor to users' computers, which was then used to download various other Trojans.


“The increase in the volume and quality of mass malicious mailings confirms that spammers and cybercriminals have started acting in unison to create complex infection strategies, which include connecting a victim computer to a botnet, sending out spam, stealing personal information and so on,” says Darya Gudkova, Head of Content Analysis & Research at Kaspersky Lab.


Overall, the amount of spam in the third quarter fell compared to the previous quarter and averaged 82.3% of email traffic. Users saw considerably less spam in their inboxes in September, with a drop of 1.5 percentage points compared to August. This was due to the closure of over 20 control centers used by the Pushdo/Cutwail botnet, which was responsible for approximately 10% of all spam worldwide. The threat posed by this botnet was not just the sheer volume of spam that it distributed, but also its connection to the spread of particularly malicious programs such as Zbot (ZeuS) and TDSS. When the botnet's command centers were closed down, an enormous number of bots ceased distributing spam, as they were no longer under the spammers' control.


Another closure in the third quarter was initiated by the spammers themselves when the partner program SpamIt announced it was shutting down its operations. This particular partner program was responsible for an enormous amount of pharmaceutical spam. The program's websites (Spamit.biz and Spamit.com) posted the reasons for the closure as “a long list of negative events over the past year and intensified attention being paid to the partner program's operations”.


“The closure of one partner program — even a major one — will only result in a temporary decrease in the amount of advertisements for Viagra in our inboxes; the spammers aren't about to abandon such a lucrative business,” states Darya Gudkova. “More likely than not, the organizers of the partner program will simply open a new program that will, for a while, remain under the radar of the anti-spam vendors and law enforcement agencies.”


The main trend in the third quarter was a closer alignment between the spam industry and virus writers. Spam is no longer just an annoyance; it is now a component used in illegal schemes to steal confidential data that can then be used to make money. However, the situation is drawing the attention of legislators and law enforcement agencies.


View the full version of Spam in the Third Quarter of 2010 at www.securelist.com