'Grum' Botnet Leads Spam Charge

Despite some recent botnet shutdowns, spam volumes are continuing to rise. According to a report by messaging security specialist MessageLabs, a subsidiary of Symantec Corp., spam now accounts for close to 90 percent of all e-mail traffic. In some locales, that percentage is even higher.

Nearly all indicators were up for the month of February, which saw a 5 percent increase in spam levels. The prevalence of e-mail-borne viruses crept up by 0.02 percent last month, while the prevalence of phishing attacks crept up slightly more (0.04 percent). The number and variety of malicious Web sites, as identified by MessageLabs' blacklisting service, also surged in February, increasing by a staggering 184 percent. Meanwhile, nearly one-sixth (13.3 percent) of last month's malware attacks were the result of new malware competitors, an increase of 1.2 percent over January's tally.

Two things didn't increase, however: the size of the average spam message and the total number of new malicious domains. Spam has been shrinking in size for some time, but this is actually a double-edged sword, according to MessageLabs. "With a reduction in the average file size of a spam e-mail, botnets are able to send a greater volume of spam per minute," the report said.

Botnets are the chief culprits behind the spam surge, MessageLabs found. Two such networks, Grum and Rustock, helped power spikes in spam activity during February. Grum was the most notorious, according to MessageLabs: On a few occasions last month, it operated at about 150 percent of its 2009 capacity. Depending on how and when you measure it, Grum could have accounted for as much as one-quarter of February's spam tally.

Grum's overproduction is a relatively new phenomenon. For the whole of 2009, it produced spam at a constant rate. And during the last three weeks of February, it out-produced all other botnets, according to MessageLabs.

"[We saw] relatively little change in spam volume emanating from the Grum botnet over the last 12 months," wrote researchers in MessageLabs' February 2010 "State of Spam" report. However, starting Feb. 5, Grum's output increased by 51 percent. "Typically, spam from Grum accounts for approximately 17 percent of all spam, but during the recent spam surges, spam from Grum was responsible for 26 percent of all spam," the report noted.

What's to account for Grum's surge? One possibility is that spammers hit pay dirt last month and went back to the well. The report pointed to both a general increase in pharmaceutical spam -- which now accounts for two-thirds of all spam -- and to a spike in Canadian pharma-spam, which it said was the product of the Grum botnet.

If the market for spam is in any sense customer-driven, pharma-spam might actually be a hit. "[W]e don't know for sure, the spammers may have been trying to clear this particular spam run more quickly, or had perhaps discovered that this spam run was working very well, and so issued instructions to send more. It's also possible that resources elsewhere in the Grum botnet had been freed from other activities and so Grum was able to allocate more of its resources to spamming," the report indicated.

The sobering upshot, MessageLabs concluded, is that spam levels will likely increase in March.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

