Linux Today: Linux News On Internet Time.

Linux Takes a Share of Spam from Windows

Apr 27, 2010, 19:03 (15 Talkback[s])

Symantec Announces April 2010 MessageLabs Intelligence Report:

-Rustock Surpasses Cutwail as the Biggest and Most Active Botnet; LoveBug Virus Turns 10 -

The full report is here

MOUNTAIN VIEW, Calif. – April 27, 2010– Symantec Corp. (Nasdaq: SYMC) today announced the publication of its April 2010 MessageLabs Intelligence Report. Analysis reveals that Rustock has surpassed Cutwail as the biggest botnet both in terms of the amount of spam it sends and the amount of active bots under its control. While Rustock has reduced the output of individual bots by 65 percent, it has increased the number of active bots by 300 percent, making up for the decreased output. Meanwhile, Cutwail has reduced in size to 600,000 bots down from 2 million bots in May 2009 and is now responsible for only 4 percent of all spam. Rustock remains the largest spam-sending botnet responsible for 32.8 percent of all spam.

"Affected by the closure of ISP Real Host in August 2009, Cutwail likely lost the ability to update some of its bots causing its numbers to diminish greatly without the ability to recover," said MessageLabs Intelligence Senior Analyst, Paul Wood. "As a result, Rustock has taken over significant volumes from spammers by undercutting the market with greater capacity and lower operational costs."

Grum and Mega-D are the second and third largest botnets behind Rustock responsible for 23.9 percent and 17.7 percent of spam respectively. Having survived a couple of attempted ISP takedowns, Mega-D has fewer bots than both Rustock and Grum, but it is the hardest-working botnet, pushing its 240,000 active bots to output around 430 spam emails per minute. Grum has remained consistent over the last five months with each bot sending between 145 and 150 spam emails per minute, but Grum recently increased the number of bots it controls from 700,000 to 1 million, making it the second largest botnet.

Also in April, MessageLabs Intelligence analyzed passive fingerprinting (PF) signatures of spam email traffic to learn the types of operating systems that were running on the infected spam-sending computers. Many of the infected machines were running Windows and the percentage of spam with a PF signature was similar to the Windows share of the operating system market."

"Spam is more commonly sent from computers running Windows than from those running other operating systems," Wood said. "However, spam not identified as coming from botnets was seen in lower proportions coming from Windows machines than from known botnets."

A spam index, the likelihood that a particular computer is sending spam, can be calculated by comparing the ratio of spam from a given operating system to its market share. In the current spam climate, this index shows that relative to its market share, any given Linux machine is five times more likely to be sending spam than any given Windows machine. However, Linux machines are only responsible for 5.1 percent of all spam. By virtue of its lower market share there are fewer examples of malware in circulation that specifically target the Linux operating system. More ISPs are now forcing their clients to route email traffic through the ISPs own "smarthost", a mail server provided for their customers, rather than permit the client to send email directly using TCP port 25. Many such ISPs employ a hosted environment where the operational costs can be lowered through the use of open source technology, such as Linux.

Finally, MacOS is least likely to be sending spam, based both on its global contribution to spam and on an individual machine basis. The spam index suggests that there is almost no spam being sent from MacOS machines. However, 0.001% of the spam examined did originate from machines running MacOS

May 4 marks ten years since Symantec Hosted Services, then MessageLabs, stopped and named the LoveBug virus, a virulent mass-mailing worm that wreaked havoc on an estimated 45 million email users and caused billions of dollars in damage in just one day. First to intercept and name the virus, Symantec Hosted Services intercepted what was then a colossal 13,000 copies of the virus over the course of the day.

Today, it is commonplace for MessageLabs Intelligence to stop 1.5 million copies of emails each day as malicious. Although mass mailing viruses like LoveBug are rare today, cyber criminals have evolved their techniques to more malicious, highly targeted attacks and are motivated less by achievement and credibility than by financial gain and identity theft. On May 4, 2000 1 in 28 emails contained the LoveBug virus. By comparison, 1 in 287.2 emails contained a virus on April 9, 2010, the peak for April. In April 2010 overall, MessageLabs Intelligence intercepted 36,208 unique strains of malware.

When copycat viruses turned up in the days and months that followed May 4, 2000, MessageLabs AntiVirus predictive analysis cloud-based detection engine, Skeptic™, had learned from the virus code and was able to scrutinize new malware code to quarantine anything suspicious.

"LoveBug was operating in the wake of the Melissa virus, a similarly destructive worm from the previous year," Wood said. "Back then users were less savvy regarding the dangers posed by suspicious email attachments and emails from unknown senders. The general public was also less aware of issues such as spam and denial of service attacks."

Other report highlights:

Spam: In April 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 89.9 percent (1 in 1.11 emails), a decrease of 0.8 percentage points since March.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 340.7 emails (0.294 percent) in April, an increase of 0.01 percentage points since March. In April 28.9 percent of email-borne malware contained links to malicious websites, an increase of 12.1 percentage points since March.

Phishing: In April, phishing activity was 1 in 455.2 emails (0.219 percent) an increase of 0.03 percentage points since March. When judged as a proportion of all email-borne threats such as viruses and Trojans, the proportion of phishing emails had increased by 5.7 percentage points to 70.3 percent of all email-borne threats.

Web security: Analysis of web security activity shows that 10.9 percent of all web-based malware intercepted was new in April, a decrease of 4.0 percentage points since March. MessageLabs Intelligence also identified an average of 1,675 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 12.7 percent since March.

Geographical Trends:
• Spam levels in Italy rose to 95.5 percent in April positioning it as the most spammed country.
• In the US, 90.2 percent of email was spam and 88.9 percent in Canada. Spam levels in the UK rose to 89.4 percent.
• In the Netherlands, spam accounted for 91.5 percent of email traffic, while spam levels reached 89.4 percent in Australia and 92.3 percent in Germany.
• Spam levels in Hong Kong reached 91.0 percent and spam levels in Japan were at 86.9 percent.
• Virus activity in Taiwan was 1 in 76.3 emails, keeping it as the most targeted country for email-borne malware in April.
• Virus levels for the US were 1 in 646.3 and 1 in 416.2 for Canada. In Germany, virus levels were 1 in 471.0, 1 in 1,120.0 for the Netherlands, 1 in 416.5 for Australia, 1 in 501.0 for Hong Kong, 1 in 1,161.0for Japan and 1 in 613.0 for Singapore.
• UK remained the most active country for phishing attacks in April with 1 in 199.7 emails.

Vertical Trends:
• In April, the most spammed industry sector with a spam rate of 94.9 percent remained the Engineering sector.
• Spam levels for the Education sector were 91.1 percent, 90.2 percent for the Chemical & Pharmaceutical sector, 90.7 percent for IT Services, 90.9 percent for Retail, 88.4 percent for Public Sector and 88.4 percent for Finance.
• In April, the Public Sector remained the most targeted industry for malware with 1 in 99.1 emails being blocked as malicious.
• Virus levels for the Chemical & Pharmaceutical sector were 1 in 438.2, 1 in 487.5 for the IT Services sector, 1 in 600.2 for Retail, 1 in 109.6 for Education and 1 in 365.9 for Finance.

The April 2010 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at http://www.messagelabs.com/intelligence.aspx.

Symantec's MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.

About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

It appears that Symantec and other security software vendors are not doing a very good job --ed.

Complete Story

Related Stories: