Associated botnet activity also on the rise

Jan 27, 2009 10:28 GMT

According to a report (PDF) released by MessageLabs, a leader in electronic communications security, the distribution levels of junk e-mails have reached between 80%-90% of what they were before the takedown of the notorious McColo ISP in November. The Mega-D botnet has picked up the previous “market share” of the almost-dead Srizbi.

MessageLabs, which is now owned by Symantec, has gathered intelligence about online malicious activity for the month of January and compared it with the figures from December 2008. Among the most intriguing conclusions is that the number of junk e-mails related to phishing campaigns or virus distribution has decreased, while spam levels have increased.

One of the greatest wins for the security community in 2008 was the November takedown of McColo, an ISP harboring many botnet control servers and malicious websites. This represented a big blow for the owners of Srizbi and Rustock botnets, who to this day have not been able to recover their army of zombie computers. At the time, Srizbi was the biggest botnet around, and was responsible for more than 50 percent of the world-wide spam distribution.

However, as various security researchers warned at the time, the slack was picked up by other, smaller botnets. For example, Mega-D, which still comprises about 660,000 unique active IPs, is now sending a whopping 26 million spam e-mails per minute, which means that every IP is spewing one junk e-mail every 0.1 seconds. But even though it is the major source of spam at the moment, accounting for 38% of the total distribution, Mega-D is not the largest botnet around.

MessageLabs notes that Cutwail (Pandex) remains the largest spam-sending botnet, with over 1,000,000 compromised unique IPs. The new Conficker botnet, which is estimated at a frightening 10 million compromised hosts, is not taken into account because it has not yet been used for sending spam. In fact, it has not yet been employed for anything; security researchers are currently debating and speculating about its intended purpose.

Other botnets, besides Conficker and Cutwail, with serious potential to watch for in 2009 are the relatively new DonBot, with 800,000 compromised IPs; Xarvester, notable for its impressive throughput rather than its size; and Waledac, a fast-flux botnet that exhibits Storm-like behaviour, the MessageLabs analysts explain.

Another interesting trend in January is the resurfacing of stock market spam, which had been extinct since the Alan Ralsky gang was indicted. In addition, some new forms of terrorism-related junk have been observed, as well as the anticipated Inauguration Day spam.

More findings outlined by the report include a decrease in phishing e-mails of 0.14% compared to December, as well as in e-mails with malware attachments, which dropped by 0.12%. However, the number of e-mails carrying links that point to malicious applications has increased by a worrying 9.1%. France was the most spammed country in January, according to the report, with 83.8% of all e-mails being junk. France is followed by the U.S. with 76.9% and Canada with 77.2%.