Email Threat Trend Report
Second Quarter 2007

Alt-N Technologies, Ltd.
2550 SW Grapevine Parkway, Suite 150
Grapevine, Texas 76051
Phone: (817) 601-3222
Fax: (817) 601-3223
http://www.altn.com/
2007
Contents

Emerging Email Threats Combine Spam, Malware from Botnets
PDF Spam Eludes Traditional Security Tools
Botnets Expand in Size and Activity
Spam Originates from Botnets Worldwide
Spam Rates Remain Stable
Medicines Top Most Popular Spam Topics
Image Spam Rates Drop by 50%
SecurityPlus Provides Layered Security for Email
About Alt-N Technologies

MDaemon is a registered trademark of Alt-N Technologies, Ltd. Recurrent Pattern Detection Technology (RPD) and Zero Hour Virus Outbreak Protection are trademarks of Commtouch. The source for the data reported in this document is Commtouch.
Emerging Email Threats Combine Spam, Malware from Botnets

One of the most notable events of the second quarter occurred at its very end: the emergence of PDF spam. It demonstrates several key characteristics of today's email threats, which will be discussed throughout this report: evolving spam techniques, extensive use of botnets and blended threats.

PDF Spam Eludes Traditional Security Tools

With image-based spam now waning, PDF spam is designed to bypass traditional antispam engines, and in many cases it is succeeding. During one particularly heavy outbreak, PDF spam comprised 10-15% of all global spam over a 24-hour period. Because PDF spam messages are nearly four times larger than other types of spam, total spam traffic increased by 30-40%.

Using PDF files to deliver spam exploits the popularity of PDF documents as attachments to legitimate email. The widespread use of PDFs in business email prevents the adoption of general blocking policies, such as those often enacted against .exe, .vbs and .bat files.

Several distinct types of PDF spam have been observed:

- Randomized content, similar to image-based spam, where letters and backgrounds are randomly altered to limit the effectiveness of optical character recognition (OCR) in detecting spam.
- Professional look-and-feel, which appears similar to legitimate email correspondence but includes sexual-enhancer, stock-promotion or other questionable content. Figure 1 shows an email and its legitimate-looking PDF spam attachment.
- Combined spam and malicious software in a single message. Figure 2 shows a message with an attachment promoting a stock, plus a link to a web site containing malware.

Figure 1: PDF file attached to a spam message appears legitimate until you read the content
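Because a PDF cannot be blocked wholesale the way .exe, .vbs and .bat attachments can, a filter has to look inside the file. The following is an added example, not code from this report or from MDaemon/SecurityPlus, of first-pass structural checks a mail filter can run on a MIME message with a PDF attachment. It flags the indicators that map onto the variants described above: a link embedded in the PDF (the promotion-plus-URL blend of Figure 2), an image-only page with no text-drawing operators (the OCR-evading variant), and active-content keys. The sample message, the PDF bytes, the URL and the indicator lists are all constructed for this example; the "professional look-and-feel" variant has no structural tell and needs content analysis, which this code does not attempt.

```python
"""Added example (not from the Alt-N report or MDaemon): structural checks on
a MIME message carrying a PDF attachment. Sample data is constructed."""
import re
from email import message_from_bytes
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".exe", ".vbs", ".bat")   # the blanket policy the report mentions
# Assumed indicator set: PDF name objects that mean the file can run or launch something.
ACTIVE_CONTENT_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed one-page PDF: one image XObject covering the page, no text at all,
# and a link annotation pointing at a fictional download.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
  /Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1
  /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>
stream
\x00
endstream
endobj
5 0 obj << /Length 30 >>
stream
q 612 0 0 792 0 0 cm /Im0 Do Q
endstream
endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
  /A << /S /URI /URI (http://stock-promo.example/get.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def pdf_indicators(pdf: bytes) -> dict:
    """Regex-level look at raw PDF bytes. Good enough for a filter's first pass,
    not a PDF parser: objects hidden inside compressed streams are invisible here."""
    return {
        "uris": [u.decode("latin-1") for u in re.findall(rb"/URI\s*\(([^)]*)\)", pdf)],
        "images": len(re.findall(rb"/Subtype\s*/Image\b", pdf)),
        # Tj / TJ are the text-showing operators; a page with images but none of
        # these draws its "text" as pixels, which is exactly what defeats OCR-free filters.
        "text_ops": len(re.findall(rb"(?<![\w/])T[jJ]\b", pdf)),
        "active": [k.decode() for k in ACTIVE_CONTENT_KEYS if k in pdf],
    }


def analyze_message(raw: bytes) -> dict:
    """Walk every MIME leaf: apply the extension policy, then inspect PDFs."""
    msg = message_from_bytes(raw)
    reasons, urls, pdf_seen = [], [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "text" and not name:
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            urls += URL_RE.findall(text)
            continue
        if name.endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"blocked_extension:{name}")
            continue
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            pdf_seen = True
            ind = pdf_indicators(payload)
            urls += ind["uris"]
            if ind["uris"]:
                reasons.append("pdf_contains_link")
            if ind["images"] and ind["text_ops"] == 0:
                reasons.append("pdf_image_only")
            for key in ind["active"]:
                reasons.append(f"pdf_active_content:{key}")
    if pdf_seen and urls:
        reasons.append("attachment_plus_link")   # the blended pattern of Figure 2
    return {"verdict": "suspect" if reasons else "clean", "reasons": reasons, "urls": urls}


def build_message(body: str, attachment: bytes = b"", filename: str = "",
                  subtype: str = "octet-stream") -> bytes:
    """Constructed test message; EmailMessage does the MIME/base64 work."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.net", "user@example.com", "Quarterly outlook"
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_message("See the attached outlook. More at http://promo.example/stock",
                           SAMPLE_PDF, "outlook.pdf", "pdf")
    print(analyze_message(sample))
```

The image-only and embedded-link checks are heuristics, not proof of spam: a scanned invoice is also image-only, and many legitimate PDFs carry links. In a production filter these become weighted inputs alongside sender reputation and pattern detection rather than hard rejects.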
Figure 2: PDF spam with a promotional PDF and a malware URL

Botnets Expand in Size and Activity

At the midpoint of 2007, massive botnets have become the focus for the convergence of nearly every type of Internet email threat. Because the so-called botmasters spent last year building up their infrastructures, botnets have emerged as powerful and pervasive tools. Botmasters have begun using their networks of zombie PCs to launch blended-threat emails containing both spam and malicious software. Research from Commtouch Reputation Services shows nearly 60% of spam-sending bots also send malware, while more than 65% of all spam sources also send malicious emails. (See Graph 1.)

Graph 1: Spam / Malware Source Correlation Snapshot (Source: Commtouch Reputation Services)
  Identified bots sending spam and malware: 34%
  Other sources sending spam and malware: 58%
  Sources sending malware only: 8%
The growing botnets are now considered Internet enemy number one, and the Internet security community is searching for effective means to combat them. This has proven difficult because of the dynamic nature of zombie IP addresses. For example, Realtime Black Lists (RBLs) attempt to list offending IPs so that security software can detect SMTP sessions originating from these blacklisted addresses. RBLs are minimally effective against botnets because static lists do not reflect the constantly changing addresses of zombie PCs. This is evidenced by research tools that dynamically detected an average of 343,000 new zombies per day during Q2 2007, as shown in Graph 2.

Graph 2: New Zombie Trends, newly active zombie IPs detected per day, April - June 2007 (vertical axis 0 to 800,000). Source: Commtouch Reputation Services

The email-borne malware sent by botnets carries out a variety of malicious activity, such as stealing passwords and personal information, harvesting email addresses and launching distributed denial of service (DDoS) attacks. While traditional defense technologies are falling behind the rapidly advancing malicious tactics, a new blended-security approach is emerging.
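The report states that RBLs are minimally effective against botnets but does not show how an RBL lookup works or what a mail server should check in the answer. The following is an added example, not code from this report or from MDaemon, of an RBL (DNS-based blacklist) lookup at SMTP connect time. The zone name bl.example.invalid, the meaning of the 127.0.0.x return codes and the SAMPLE_LISTINGS table are all assumptions made for the example; real zones publish their own names and code meanings.

```python
"""Added example (not from the Alt-N report or MDaemon): how an RBL lookup is
built and checked. Zone, return codes and listings are made up for illustration."""
import ipaddress
import socket

ZONE = "bl.example.invalid"          # hypothetical DNSBL zone
RETURN_CODES = {                     # assumed code meanings; each real zone documents its own
    "127.0.0.2": "spam source",
    "127.0.0.3": "malware source",
}
# Constructed "listed" entries, keyed by the exact query name an RBL client sends.
SAMPLE_LISTINGS = {
    "4.3.2.1.bl.example.invalid": "127.0.0.2",
    "10.0.0.192.bl.example.invalid": "127.0.0.3",
}


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """RBLs are queried as <reversed octets>.<zone>: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 clients only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_lookup(ip: str, zone: str = ZONE, resolve=socket.gethostbyname):
    """Return the listing reason, or None when the address is not listed.

    `resolve` is injectable so the logic runs without network access; the default
    is the system resolver. NXDOMAIN (socket.gaierror) means "not listed".
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    if not answer.startswith("127."):
        # Genuine DNSBL answers live in 127.0.0.0/8. Anything else usually means the
        # zone has lapsed or been wildcarded; treating it as a listing blocks all mail.
        raise RuntimeError(f"{zone} answered {answer} for {ip}: not behaving like an RBL")
    return RETURN_CODES.get(answer, f"listed ({answer})")


def fake_resolver(table: dict):
    """Resolver over a static table, standing in for DNS in tests and demos."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(f"NXDOMAIN {name}")
    return resolve


def smtp_client_verdict(ip: str, resolve=socket.gethostbyname) -> str:
    """What a mail server does with the result when a client connects."""
    try:
        reason = dnsbl_lookup(ip, resolve=resolve)
    except RuntimeError:
        return "accept (RBL unusable, fail open)"
    return f"reject ({reason})" if reason else "accept"


if __name__ == "__main__":
    lookup = fake_resolver(SAMPLE_LISTINGS)
    for client in ("1.2.3.4", "192.0.0.10", "203.0.113.7"):
        print(client, "->", smtp_client_verdict(client, resolve=lookup))
```

The weakness the report describes is visible in the data flow: the verdict is only as fresh as the table behind the zone, so a zombie that began sending after the list was last built answers NXDOMAIN and is accepted. That is why an RBL is a complement to, not a substitute for, detection that works on the messages themselves.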
Spam Originates from Botnets Worldwide

Botnets send from every part of the world. In a 24-hour sample from a recent PDF spam outbreak, messages were sent from no fewer than 185 countries. The number of messages sent from each IP address ranged from a single message to several thousand. Graph 3 shows the global distribution of active zombie IPs for a randomly sampled 24-hour period during the quarter.

Graph 3: Global Distribution of Zombie IPs (Source: Commtouch Detection Center)
  Germany 14%
  US 11%
  Poland 10%
  India 5%
  Turkey 4%
  Israel 4%
  Brazil 4%
  China 4%
  Thailand 3%
  Italy 3%
  France 3%
  Korea 3%
  Other 31%

While botnets are found in every country with Internet access, the amount of spam actually sent from any particular country is closely related to the size of its PC-using population and the availability of broadband Internet access. The botnet rate of growth is also influenced by the level of computer security. The use of SecurityPlus for MDaemon can minimize the chance of computers in a business being infected and taken over as part of a botnet.

Spam Rates Remain Stable

Global spam levels remained at 85-90% during Q2 2007. Spam levels dipped slightly in April and May, then returned to Q1 levels by the end of the second quarter. (See Graph 4.) Although the average level over time is stable, considerable fluctuation is seen from day to day. These fluctuations often result from the rapid-burst distribution method used to evade human-based filters, which are subject to delays in classifying new spam outbreaks. By the time honeypots or human reporting systems, such as those based on signature files, recognize a new spam message or blended threat, the outbreak is likely to be over. SecurityPlus for MDaemon uses Recurrent Pattern Detection Technology (RPD) and Zero Hour Virus Outbreak Protection to detect new threats as they occur. This proactive layer of security minimizes the exposure to emerging threats that a business incurs when it relies only on a signature-based security application.
Graph 4: Global spam levels Q2 2007, spam as a percentage of all global email, April - June (vertical axis 0% to 100%). Source: Commtouch Detection Center

Medicines Top Most Popular Spam Topics

Pharmaceutical spam increased during the second quarter, with 45% of all spam touting Viagra, Cialis and other medications, up from 12% the previous quarter. Table 1 shows the most popular spam topics by percentage.

Table 1: Topics of Email Spam (Source: Commtouch Reputation Services)
  Pharmaceuticals 45%
  Stock Pump and Dump 18%
  Sexual Enhancers 10%
  Finance 8%
  Replicas 7%
  Gambling 6%
  Software 3%
  Other 3%

Image Spam Rates Drop by 50%

Image spam, the technique of sending spam messages as attached GIF or BMP images, now accounts for less than 15% of global spam, a drop from 30% in the first quarter. Detection advancements have likely caused the use of this method to recede. The antispam industry has had ample time to improve its ability to defend against this tactic, so spammers have moved on to newer, more effective methods, PDF spam for example.
SecurityPlus Provides Layered Security for Email

Huge botnets are being used to flood the Internet with spam and distribute email-borne malware. Research shows more than 60% of sources sending spam also launch malware attacks. The current situation requires an affordable, proactive and layered approach to email defense in order to protect against spam, email-borne malware and email connections from malicious IP addresses.

SecurityPlus for MDaemon provides a proactive layer of security to protect email users against viruses, spam, phishing attacks, spyware and other types of email-borne threats. It complements and extends the built-in security features of MDaemon. By combining proactive safeguards such as Recurrent Pattern Detection Technology (RPD), Zero Hour Virus Outbreak Protection and email antivirus protection, SecurityPlus detects and blocks virtually all known email-borne dangers and prevents infestation by newly released threats. Relying on reactive, signature-based security alone can make your email network more susceptible to these new forms of attack.

As a proven security solution for email, SecurityPlus relieves pressure on network resources, including bandwidth, computing resources and administrator time, by refusing entry to malicious email. It provides extremely high detection rates and protects email without blocking the delivery of legitimate messages. This enables the MDaemon email server to deliver improved communications among employees, partners, vendors and customers by stopping trouble before it starts.
About Alt-N Technologies

Alt-N Technologies delivers innovative, affordable, easy-to-use and secure messaging and collaboration solutions used by businesses in over 90 countries and 20 languages worldwide. The company is headquartered in Grapevine, Texas. Its flagship solution, the MDaemon email server, is a Windows-based, feature-rich platform that installs in minutes, includes a strong arsenal of security tools and requires minimal administration and maintenance. For more information, visit the Alt-N web site at www.altn.com.