Internet Security Systems - AlertCon(TM)

Spam Volume – How the story continues during summer 2011

Posted by Ralf Iffert on September 23, 2011 at 11:50 AM EDT.

In our upcoming IBM X-Force 2011 Mid-year Trend and Risk Report, we discuss in detail the different phases of the changes in spam volume, and the circumstances surrounding them, for the first half of 2011; they are shown in the graph below as phases 1 to 4. In the summer, the story continued.

During phase 4 in the graph below, which covers the mid-May to mid-August timeframe, we observed a slight recovery of the overall spam levels and, particularly at the end of this phase, a strong increase in ZIP attachments in spam emails. Nevertheless, at the end of June and also in July the overall spam levels were still 50 percent below the levels of the fourth quarter of 2010. But spammers continued to work. They used the summertime to increase the overall spam levels significantly from the middle of August onwards (the beginning of phase 5). By the middle of September, observed spam volume had reached 80 percent of the levels seen nine months earlier. By this time, however, ZIP spam had decreased again.

Weekly Spam Volume versus Percentage of ZIP Spam, December 2010 to September 2011

Looking at the end of phases 3 and 4, there is a significant increase in the percentage of ZIP attachment spam in each case. However, one will notice that there is no strong correlation between overall spam volume and the percentage of ZIP attachments.

• At the end of phase 3 (beginning of May), between 5 and 8 percent of all spam messages contained a ZIP attachment.
• At the end of phase 4 (mid-August), up to 13 percent of spam messages carried a ZIP attachment.
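As an added illustration (not code from the original post or from X-Force's own tooling), the script below computes the two series plotted above from constructed weekly gateway counts: spam volume as a percentage of a Q4 2010 baseline and the share of messages carrying a ZIP attachment. It then flags weeks where the ZIP share crosses a threshold and measures how weakly the two series correlate. All counts, the baseline and the 5 percent threshold are invented.

```python
"""Weekly spam volume versus share of ZIP-attachment spam.

Constructed data: the weekly counts are invented to mirror the shape the
post describes (volume recovering while the ZIP share spikes at the end of
a phase). They are not X-Force measurements.
"""
import math

# Constructed Q4 2010 weekly average, used as the "old level" baseline.
Q4_2010_WEEKLY_BASELINE = 200_000

# Constructed rows: (ISO week, spam messages seen, of which with ZIP attachment)
WEEKLY_COUNTS = [
    ("2011-W17", 100_000, 2_000),
    ("2011-W18", 100_000, 6_000),    # end of phase 3: ZIP share climbs
    ("2011-W19", 100_000, 8_000),
    ("2011-W20", 110_000, 2_200),
    ("2011-W31", 120_000, 2_400),
    ("2011-W32", 120_000, 15_600),   # end of phase 4: ZIP share peaks
    ("2011-W33", 140_000, 4_200),
    ("2011-W37", 160_000, 3_200),    # volume recovers, ZIP share back down
]


def zip_share(total, zipped):
    """Percentage of spam messages that carried a ZIP attachment."""
    return 100.0 * zipped / total if total else 0.0


def percent_of_baseline(total, baseline=Q4_2010_WEEKLY_BASELINE):
    """Weekly volume expressed as a percentage of the Q4 2010 baseline."""
    return 100.0 * total / baseline


def flag_zip_spikes(rows, threshold_pct=5.0):
    """Weeks whose ZIP share reaches the (constructed) alerting threshold."""
    return [week for week, total, zipped in rows
            if zip_share(total, zipped) >= threshold_pct]


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 if either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def volume_vs_zip_correlation(rows):
    """Correlation between weekly spam volume and weekly ZIP share."""
    return pearson([t for _, t, _ in rows], [zip_share(t, z) for _, t, z in rows])
```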

The attached malware used in May was already discussed in a previous blog post. The malware seen in August was very similar. Among the most frequently seen malware attachments were TrojanDownloader:Win32/Chepvil.N (in May it was TrojanDownloader:Win32/Chepvil.K) and TrojanDownloader:Win32/Cbeplay.M. From the explanations in the linked articles we see that spammers have again used their “distribution channel spam” to distribute multifunctional malware, and it suggests that some of these malware pieces turn their victims into spam botnet drones. Hence, the model could be:

1. Send out multifunctional malware via spam for 2-4 weeks to acquire new botnet participants (besides possibly serving other purposes).
2. Increase the spam volume by using the newly acquired botnet drones.

It will be interesting to see whether the recovery continues and reaches the old spam levels later this year. It will also be interesting to see whether a pattern with respect to ZIP attachments in spam emerges over future time periods.
