During the previous two State of Spam Reports, Symantec noted an increase in the amount of spam messages containing URL links to malicious code. Now, with the October 2008 report, Symantec highlights just how significant this trend is becoming. The increase began in May 2008 and continues to the present. During this period, there has also been an increase in email messages carrying malware payloads – not just links to malicious code. Spammers began to take a special interest in the economy in October 2007, and this interest continues today as the economy dominates the news headlines. Evidence supports that overall spam levels have increased considerably since October 2007 and now average 78 percent of all email.
Here’s a highlight of a spam trend from the report:
Spam Watch: Monitoring the Increasing Link between Spam and Malware
The previous two State of Spam Reports, for August and September 2008, showed a recent increase in the number of spam messages containing URL links to malicious code. Rather than simply promoting a spam product, these emails contain links to malware designed to infect other computers with viruses and Trojans. Following is an example of this type of attack. The message carried the subject line, “The beginning of the Third World War”. The URL in the message body used the spam-related domain cnnworld.org, an obvious play on the name of the well-known U.S. television network. The URL directs recipients to a Web site styled to look like legitimate CNN content, where the user is encouraged to download a video of the U.S. President.
Since June 2008, there has been an increase in the number of detected email messages carrying malicious payloads. The majority of this malware appeared in zip and RAR file payloads and was detected by antivirus filters. After zip and RAR files, the next most common payload vector was malware embedded in the source code of email messages.
From June to mid-September 2008, the percentage of malware detected in email messages increased dramatically, from an average of a tenth of a percent (0.1 percent) in June 2008 to 1.2 percent in mid-September 2008.
This is based on data returned from customers running antivirus software who have consented to return data. The total number of messages scanned includes both legitimate and spam messages.
The top ten definitions detected by antivirus rules for this period were led by the generic Trojan horse, Downloader and Infostealer definitions, which together made up more than 30 percent of the malicious code detected. The generic Trojan horse definition, which identifies multiple Trojans with similar qualities, led the detected programs with 13.4 percent of the messages identified. This was followed by Downloaders, malicious programs that can be used to download other malware, with 11.8 percent, and Infostealer with 11.1 percent. Infostealer is another generic definition, which blocks programs that attempt to steal sensitive information from a user’s computer. These figures are also based on data returned from the field, with definitions identified by antivirus software.
The correlation with zip and RAR files can be seen when viewing a spam stream in a lab environment for the period from June to mid-September 2008. With the data broken down by zip and RAR files detected, the patterns show an increase in these two file types as well.
The sources of the email messages carrying the zip and malicious files appear to be varied. They were being sent from compromised servers around the world, led by China, the Republic of Korea and the United States.
Reviewing one of the email messages carrying generic Infostealer malware, a user will see an innocuous but potentially interesting subject:
“Play iPhone on your PC today”
The body of the email simply says:
“Can your get more than 8000 p?”
Attached to the message is a zip file, “Penguin.Panic.zip,” which the user would need to open to release the malware.
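The two examples above (a link on a lookalike domain, and a zip attachment behind a teaser subject) are the kind of thing a mail gateway can triage mechanically. The Python script below is an added example, not code from the Symantec report or its products. It builds constructed sample messages modelled on the two described above plus one benign message, identifies zip and RAR attachments by their leading magic bytes rather than by filename, flags URLs whose registered domain contains a brand name but is not that brand's own domain, and computes the share of messages carrying an archive payload, the kind of percentage the report quotes. The brand-to-domain table (cnn to cnn.com), the sender addresses and the placeholder attachment bytes are assumptions made for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Magic bytes for the two archive formats the report names as top payload vectors.
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"   # common prefix of the RAR4 and RAR5 signatures

# Brand name -> domains the brand legitimately uses. Assumption for this example;
# a real deployment would carry an organisation-maintained list.
BRAND_DOMAINS = {"cnn": {"cnn.com"}}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def archive_kind(data):
    """Classify a payload as zip/rar by its leading bytes, not by its filename."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return None


def registered_domain(host):
    """Last two labels of a hostname (no public-suffix list; enough for this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_domains(text):
    """Hosts whose registered domain contains a brand name but is not the brand's own."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        reg = registered_domain(host)
        for brand, genuine in BRAND_DOMAINS.items():
            if brand in reg and reg not in genuine:
                hits.append(host)
    return hits


def triage_message(raw):
    """Return subject, archive attachments and lookalike link hosts for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    archives, body_text = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_disposition() == "attachment" or part.get_filename():
            kind = archive_kind(payload)
            if kind:
                archives.append((part.get_filename(), kind))
        elif part.get_content_type() in ("text/plain", "text/html"):
            body_text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return {"subject": str(msg["subject"]), "archives": archives,
            "lookalikes": lookalike_domains("\n".join(body_text))}


def archive_rate(raw_messages):
    """Percentage of messages carrying a zip/RAR payload, the figure the report tracks."""
    results = [triage_message(m) for m in raw_messages]
    flagged = sum(1 for r in results if r["archives"])
    return 100.0 * flagged / len(results) if results else 0.0


def build_samples():
    """Constructed messages modelled on the report's two examples, plus one benign message."""
    link_msg = EmailMessage()
    link_msg["Subject"] = "The beginning of the Third World War"
    link_msg["From"], link_msg["To"] = "news@example.net", "user@example.org"
    link_msg.set_content("Watch the video: http://cnnworld.org/")

    attach_msg = EmailMessage()
    attach_msg["Subject"] = "Play iPhone on your PC today"
    attach_msg["From"], attach_msg["To"] = "games@example.net", "user@example.org"
    attach_msg.set_content("Can your get more than 8000 p?")
    # Placeholder bytes carrying only a zip signature; not a real (or malicious) archive.
    attach_msg.add_attachment(ZIP_MAGIC + b"\x00" * 26, maintype="application",
                              subtype="zip", filename="Penguin.Panic.zip")

    benign = EmailMessage()
    benign["Subject"] = "Lunch"
    benign["From"], benign["To"] = "a@example.org", "b@example.org"
    benign.set_content("Noon works. The story is at http://www.cnn.com/ if you missed it.")

    return [m.as_bytes() for m in (link_msg, attach_msg, benign)]


if __name__ == "__main__":
    samples = build_samples()
    for result in map(triage_message, samples):
        print(result)
    print(f"archive payload rate: {archive_rate(samples):.1f}%")
```

Checking the magic bytes rather than the extension matters because a renamed archive still opens as one on the recipient's machine; the lookalike check is deliberately simple (substring match on the registered domain) and would need a public-suffix list and a curated brand table before production use.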
Other trends in the October 2008 State of Spam report include:
– Zombie Activity Continues with the Help of their Voodoo Sorcerers (Spammers)
– Spammers Feed Off Economic Worries
– Spammers ‘Rock the Vote’ in the U.S. Presidential Election
– Spammers’ Hall of Shame