The volume of malicious spam in circulation has more than tripled in one week, according to new research from Marshal's TRACE team. This sharp increase can be largely attributed to the Srizbi botnet, which is currently responsible for 46% of all spam sent.
Malicious spam jumped from 3% of total spam traffic at the start of June to 9.9% the following week.
'Malicious spam' is spam that isn't designed to sell a product or service, but is intended specifically to infect recipients' computers with malware. It typically involves a social engineering ploy to lure recipients into thinking it is harmless or related to something of interest, such as free pornography or an invitation to view a greeting card from a friend. It usually includes a link to a Web site hosting malware. Often the malware is falsely presented as a video or game that the recipient is tricked into activating.
According to Phil Hay, Lead Threat Analyst with Marshal's TRACE team: "The Srizbi botnet is behind much of this increase in malicious spam. Srizbi's criminal controllers are currently on a major expansion drive. The more computers infected by Srizbi bots the more money they can make."
The most common campaign Srizbi is using at present is a 'stupid' theme that tries to hook users by including the first part of their e-mail address in the subject line along with the suggestion that they look stupid in a video. Users are often quick to investigate the potentially embarrassing footage before they consider the true malicious nature of the message.
Another recent campaign from Srizbi is based on the social networking phenomenon of reconnecting with old acquaintances online. It targets the Classmates.com service by using its name in malicious spam with subject lines such as "You have one new message. Classmates" and "Friends waiting for you Tomorrow! Classmates". A recipient who clicks the link is taken to a fake page that resembles the real Classmates.com Web site and is directed to run a supposed Flash video player; clicking that prompts the download of an executable file that infects the computer.
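Mail-gateway triage logic for the two lure patterns described above, as an added example that is not part of the Marshal article. It parses a few constructed sample messages (placeholder domains) and reports which indicators fire; the sender-domain check and the executable-link pattern are my own heuristics, not anything the article specifies.

```python
import email
import re
from email.utils import parseaddr

SAMPLES = {  # constructed for this example; domains are placeholders
    "stupid": "From: friend@example.net\nTo: alice.smith@example.org\n"
              "Subject: alice.smith you look so stupid in this video\n\n"
              "http://example.invalid/clip/video.exe\n",
    "classmates": "From: notify@example.net\nTo: bob@example.org\n"
                  "Subject: You have one new message. Classmates\n\n"
                  "http://example.invalid/classmates/flashplayer.exe\n",
    "benign": "From: carol@example.org\nTo: bob@example.org\n"
              "Subject: lunch tomorrow?\n\nhttp://example.org/menu.html\n",
}

EXECUTABLE_LINK = re.compile(r"https?://\S+\.(?:exe|scr|pif|bat)\b", re.IGNORECASE)
STUPID_WORDS = re.compile(r"\b(?:stupid|video)\b", re.IGNORECASE)
CLASSMATES = re.compile(r"\bclassmates\b", re.IGNORECASE)


def lure_indicators(raw):
    """Return the names of Srizbi-style lure indicators present in one raw message."""
    msg = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = []
    # "stupid" theme: the recipient's own local part is echoed in the subject
    # together with the stupid/video hook.
    local = recipient.split("@", 1)[0]
    if len(local) >= 3 and local in subject.lower() and STUPID_WORDS.search(subject):
        hits.append("personalised-stupid-video-subject")
    # Classmates theme: brand name in the subject while the visible sender domain
    # is not the real service (triage heuristic only; From is trivially forged).
    if CLASSMATES.search(subject) and not sender.endswith("@classmates.com"):
        hits.append("classmates-brand-in-subject")
    # The supposed "video player" is a direct link to an executable.
    if EXECUTABLE_LINK.search(body):
        hits.append("link-to-executable")
    return hits


def triage(samples):
    """Indicator lists keyed by sample name; an empty list means nothing fired."""
    return {name: lure_indicators(raw) for name, raw in samples.items()}
```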
"This kind of social engineering tactic is nothing new," said Hay. "What is significant is the rapid increase in the volume. It once again demonstrates the incredible power and dominance that the major spamming botnets have over e-mail traffic. Very few legitimate businesses could triple their e-mail capacity at the push of a button. But this is the advantage that the illegal control of thousands of computers gives the spammers.
"We see Srizbi as one of the biggest threats to Internet users today. We are trying to work with other security researchers to raise the profile of Srizbi and the threat it represents. In contrast, the Storm botnet receives more research and media attention, yet its impact is now bordering on insignificant. When Storm became a high-profile target, Microsoft had great success in removing it from thousands of infected PCs with their Malicious Software Removal Tool. Now Srizbi needs to become a similar priority for security researchers," commented Hay.
"In the meantime, users should be wary of e-mails that make personal offers such as online friend connections or include inflammatory personalised subjects such as 'you look stupid in this video', particularly if they don't recognise the sender."
Marshal's charts and statistics depicting botnet activity over time can be found on the TRACE Centre: http://www.marshal.com/trace/spam_statistics.asp.