Botnet security alert: Malicious spam surge marks bot reconstruction

The percentage of spam messages containing a malicious payload has spiked sharply recently, likely due to a resurgence of spam bots.

A sharp rise in malicious spam has been detected during the last two weeks, marking what some experts believe is an attempt by hackers to rebuild their depleted botnet armies.

We think [spammers] are mounting a big summer campaign, where they’ll ... get back to having their big botnet armies ready for their autumn offensive.

Ed Rowley, Senior Product Manager, M86 Security

The sudden spike in malicious spam traffic that prompted the botnet security alert was picked up by M86 Security, a vendor specialising in email and Web security, at the beginning of August when it accounted for 13% of all detected spam. “Since then it has reached 24% and it has increased as the month has progressed,” said Ed Rowley, senior product manager at M86 Security.

Rodel Medrez, a researcher with M86, wrote on his blog that “we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the Spamit takedown last October.” He added that the majority of the malicious spam comes from the Cutwail botnet, with some also contributed by Festi and Asprox, two other botnets.

Total spam is still well below the levels seen two years ago, following the disbandment of several large botnets. For instance, according to the Symantec MessageLabs Intelligence report in April 2011, global spam fell to 72.9% of total Internet traffic in the aftermath of the Rustock botnet takedown in March.

But Rowley said this month’s rise in malware-based spam shows the spammers, eager to rebuild their businesses, are starting to fight back.

“With all the high-profile arrests and closing down of spam networks, we have seen spam decline over the last two years,” he said. “Now we think this is a resurgence where the malware is aimed at infecting as many machines as possible, and to rebuild those botnets.”

He said the new campaign is probably timed deliberately to reach people when they are on holiday and away from the protection of their corporate networks. “People are more likely to be checking email from home, where they have less protection than they do from their corporate gateways,” he said.

Rowley said that most of the malicious attachments, which may purport to be an invoice or a note from a delivery company, come in the form of a compressed ZIP archive containing a Trojan that downloads additional malware including fake AV, SpyEye and the spambot itself.

“We think they are mounting a big summer campaign, where they’ll maybe make some money selling fake AV, but also get back to having their big botnet armies ready for their autumn offensive,” he said. “Spam is still cheap and requires very little effort. They play the percentage game.”
