The closure of the Rustock botnet command centres on 16 March 2011 did not impact spam traffic as dramatically as last year’s Pushdo, Cutwail and Bredolab closures, whereby the quantity of spam fell by two to three percentage points for a day or two before bouncing back again.

“This could be due to the closure of SpamIt, a large pharmaceutical partner program, and the fact that Rustock, which specialised in pharmaceutical spam, may well have ceased sending out mass mailings at the end of last year,” explains Darya Gudkova, head of content analysis & research at Kaspersky Lab. “It could be that the botnet was just used for different purposes. It is also possible that the cybercriminals themselves preferred to lie low for a while given the interest in botnets shown by law enforcement agencies in the latter stages of 2010.”
As a result, the amount of spam detected in mail traffic in the first quarter of 2011 averaged 78,6% – an increase of 1.4 percentage points compared with the previous quarter, though still 6,5 percentage points less than the corresponding figure for last year.
In Q1 2011, the Asian and Latin American share of the total volume of spam worldwide grew (+2,93 and +3,85 percentage points respectively) while the amount of spam originating from Eastern and Western Europe fell by 5,64 and 2,36 percentage points respectively. Africa joined the list of the most active spam senders: the volume of unsolicited messages coming from African countries accounted for 3,66% of the worldwide spam total, exceeding that of the US and Canada.
These figures are in line with Kaspersky Lab’s forecasts that botnets would start shifting to regions with less effective or non-existent anti-spam legislation. However, cybercriminal activity suggests that in future botnets will also be developed in better protected regions meaning they will be spread relatively evenly across the globe, much as they are now.
In Q1 of 2011, spammers made use of some tried and tested tricks and techniques to bypass filtering. Sending out spam e-mails containing a link to a video clip advertising spammer services was one of them. Another trick saw e-mails that read “Stop sending me spam” allegedly written by an angry recipient of spam. The e-mail was in fact itself spam with a link leading to a spammer’s site. Unfortunately, Q1 saw some tragic events including earthquakes and a major tsunami in Japan. Needless to say, spammers tried to capitalise on these events by tricking users into parting with their money by pretending to be part of the humanitarian relief effort.
Trojan-Spy.HTML.Fraud.gen maintained its leading position in the Top 10 rating of malicious programs distributed via mail traffic in the first quarter of 2011. This Trojan uses spoofing technology and appears in the form of an HTML page. It comes with a phishing email containing a link to a fake site resembling that of a well-known bank or e-pay system where the user is asked to enter a login and a password that will be used by fraudsters to access his/her confidential data.
The most notable entries in the Top 10 malicious program to spread via e-mail belonged to a mail worm family and accounted for four of the rating’s 10 entries. The main purpose of malware such as this is to harvest e-mail addresses and spread them via mail traffic.
In the first quarter of 2011 the volume of phishing e-mails was very small and accounted for only 0,03% of all mail traffic. PayPal and eBay remained in the unenviable position of being the organisations most frequently targeted by phishers. They were followed by Habbo, Facebook and former leader HSBC.
“Notably, in the first quarter of 2011 Google services such as Google AdWords and Google Checkout were attacked less often,” says Maria Namestnikova, senior spam analyst at Kaspersky Lab. “The phishers switched their attention to the highly popular Brazilian social network Orkut which is owned by Google. The attacks on this social network reached 1.96% of the total, putting it in 12th place in the list of organisations most often targeted by phishers.
“It is worth mentioning that user accounts belonging to Google’s services, including Orkut, are interconnected. Thus, having acquired credentials for one of these accounts, a cybercriminal can access any Google service registered to the same user,” concludes Namestnikova.