Symantec Announces April 2010 MessageLabs Intelligence
-Rustock Surpasses Cutwail as the Biggest and Most Active
Botnet; LoveBug Virus Turns 10 -
MOUNTAIN VIEW, Calif. – April 27, 2010 – Symantec
Corp. (Nasdaq: SYMC) today announced the publication of its April
2010 MessageLabs Intelligence Report. Analysis reveals that Rustock
has surpassed Cutwail as the biggest botnet both in terms of the
amount of spam it sends and the amount of active bots under its
control. While Rustock has reduced the output of individual bots by
65 percent, it has increased the number of active bots by 300
percent, making up for the decreased output. Meanwhile, Cutwail has
reduced in size to 600,000 bots down from 2 million bots in May
2009 and is now responsible for only 4 percent of all spam. Rustock
remains the largest spam-sending botnet responsible for 32.8
percent of all spam.
"Affected by the closure of ISP Real Host in August 2009,
Cutwail likely lost the ability to update some of its bots causing
its numbers to diminish greatly without the ability to recover,"
said MessageLabs Intelligence Senior Analyst, Paul Wood. "As a
result, Rustock has taken over significant volumes from spammers by
undercutting the market with greater capacity and lower operational
Grum and Mega-D are the second and third largest botnets behind
Rustock responsible for 23.9 percent and 17.7 percent of spam
respectively. Having survived a couple of attempted ISP takedowns,
Mega-D has fewer bots than both Rustock and Grum, but it is the
hardest-working botnet, pushing its 240,000 active bots to output
around 430 spam emails per minute. Grum has remained consistent
over the last five months with each bot sending between 145 and 150
spam emails per minute, but Grum recently increased the number of
bots it controls from 700,000 to 1 million, making it the second
Also in April, MessageLabs Intelligence analyzed passive
fingerprinting (PF) signatures of spam email traffic to learn the
types of operating systems that were running on the infected
spam-sending computers. Many of the infected machines were running
Windows and the percentage of spam with a PF signature was similar
to the Windows share of the operating system market.
"Spam is more commonly sent from computers running Windows than
from those running other operating systems," Wood said. "However,
spam not identified as coming from botnets was seen in lower
proportions coming from Windows machines than from known
A spam index, the likelihood that a particular computer is
sending spam, can be calculated by comparing the ratio of spam from
a given operating system to its market share. In the current spam
climate, this index shows that relative to its market share, any
given Linux machine is five times more likely to be sending spam
than any given Windows machine. However, Linux machines are only
responsible for 5.1 percent of all spam. By virtue of its lower
market share there are fewer examples of malware in circulation
that specifically target the Linux operating system. More ISPs are
now forcing their clients to route email traffic through the ISPs'
own "smarthost", a mail server provided for their customers, rather
than permit the client to send email directly using TCP port 25.
Many such ISPs employ a hosted environment where the operational
costs can be lowered through the use of open source technology,
such as Linux.
Finally, MacOS is least likely to be sending spam, based both on
its global contribution to spam and on an individual machine basis.
The spam index suggests that there is almost no spam being sent
from MacOS machines. However, 0.001% of the spam examined did
originate from machines running MacOS.
May 4 marks ten years since Symantec Hosted Services, then
MessageLabs, stopped and named the LoveBug virus, a virulent
mass-mailing worm that wreaked havoc on an estimated 45 million
email users and caused billions of dollars in damage in just one
day. First to intercept and name the virus, Symantec Hosted
Services intercepted what was then a colossal 13,000 copies of the
virus over the course of the day.
Today, it is commonplace for MessageLabs Intelligence to stop
1.5 million copies of emails each day as malicious. Although mass
mailing viruses like LoveBug are rare today, cyber criminals have
evolved their techniques to more malicious, highly targeted attacks
and are motivated less by achievement and credibility than by
financial gain and identity theft. On May 4, 2000, 1 in 28 emails
contained the LoveBug virus. By comparison, 1 in 287.2 emails
contained a virus on April 9, 2010, the peak for April. In April
2010 overall, MessageLabs Intelligence intercepted 36,208 unique
strains of malware.
When copycat viruses turned up in the days and months that
followed May 4, 2000, MessageLabs AntiVirus predictive analysis
cloud-based detection engine, Skeptic™, had learned from the
virus code and was able to scrutinize new malware code to
quarantine anything suspicious.
"LoveBug was operating in the wake of the Melissa virus, a
similarly destructive worm from the previous year," Wood said.
"Back then users were less savvy regarding the dangers posed by
suspicious email attachments and emails from unknown senders. The
general public was also less aware of issues such as spam and
denial of service attacks."
Other report highlights:
Spam: In April 2010, the global ratio of spam in email traffic
from new and previously unknown bad sources was 89.9 percent (1 in
1.11 emails), a decrease of 0.8 percentage points since March.
Viruses: The global ratio of email-borne viruses in email
traffic from new and previously unknown bad sources was one in
340.7 emails (0.294 percent) in April, an increase of 0.01
percentage points since March. In April 28.9 percent of email-borne
malware contained links to malicious websites, an increase of 12.1
percentage points since March.
Phishing: In April, phishing activity was 1 in 455.2 emails
(0.219 percent), an increase of 0.03 percentage points since March.
When judged as a proportion of all email-borne threats such as
viruses and Trojans, the proportion of phishing emails had
increased by 5.7 percentage points to 70.3 percent of all
Web security: Analysis of web security activity shows that 10.9
percent of all web-based malware intercepted was new in April, a
decrease of 4.0 percentage points since March. MessageLabs
Intelligence also identified an average of 1,675 new websites per
day harboring malware and other potentially unwanted programs such
as spyware and adware, a decrease of 12.7 percent since March.
• Spam levels in Italy rose to 95.5 percent in April
positioning it as the most spammed country.
• In the US, 90.2 percent of email was spam and 88.9 percent
in Canada. Spam levels in the UK rose to 89.4 percent.
• In the Netherlands, spam accounted for 91.5 percent of
email traffic, while spam levels reached 89.4 percent in Australia
and 92.3 percent in Germany.
• Spam levels in Hong Kong reached 91.0 percent and spam
levels in Japan were at 86.9 percent.
• Virus activity in Taiwan was 1 in 76.3 emails, keeping it
as the most targeted country for email-borne malware in April.
• Virus levels for the US were 1 in 646.3 and 1 in 416.2 for
Canada. In Germany, virus levels were 1 in 471.0, 1 in 1,120.0 for
the Netherlands, 1 in 416.5 for Australia, 1 in 501.0 for Hong
Kong, 1 in 1,161.0 for Japan and 1 in 613.0 for Singapore.
• UK remained the most active country for phishing attacks in
April with 1 in 199.7 emails.
• In April, the most spammed industry sector with a spam rate
of 94.9 percent remained the Engineering sector.
• Spam levels for the Education sector were 91.1 percent,
90.2 percent for the Chemical & Pharmaceutical sector, 90.7
percent for IT Services, 90.9 percent for Retail, 88.4 percent for
Public Sector and 88.4 percent for Finance.
• In April, the Public Sector remained the most targeted
industry for malware with 1 in 99.1 emails being blocked as
• Virus levels for the Chemical & Pharmaceutical sector
were 1 in 438.2, 1 in 487.5 for the IT Services sector, 1 in 600.2
for Retail, 1 in 109.6 for Education and 1 in 365.9 for
The April 2010 MessageLabs Intelligence Report provides greater
detail on all of the trends and figures noted above, as well as
more detailed geographical and vertical trends. The full report is
available at http://www.messagelabs.com/intelligence.aspx.
Symantec's MessageLabs Intelligence is a respected source of data
and analysis for messaging security issues, trends and statistics.
MessageLabs Intelligence provides a range of information on global
security threats based on live data feeds from our control towers
around the world scanning billions of messages each week.
Symantec is a global leader in providing security, storage and
systems management solutions to help consumers and organizations
secure and manage their information-driven world. Our software and
services protect against more risks at more points, more completely
and efficiently, enabling confidence wherever information is used
or stored. More information is available at www.symantec.com.
It appears that Symantec and other security software vendors
are not doing a very good job --ed.