Surge in attachment spam a sign of desperation, say experts

Botnet criminals have flooded the Internet with a surge of attachment spam in recent weeks in a desperate attempt to rebuild a spam-distribution industry under pressure, security experts have suggested.

Although this surge has been widely reported as a significant return for spam generally, levels are in fact subdued. It is more likely a sign of stress for a part of the cybercrime economy that has had a bad year.

Figures from M86 Security (see below graph) show a spike in attachment spam (emails with malware files attached) beginning at the beginning of August, which at one point accounted for a quarter of all spam seen by the company. That is more than a blip - attachment spam normally makes up fractions of a percent of all spam.

Fellow security company Commtouch also reported attachment spam as having risen 500 percent between 8 and 12 August on the back of a campaign using the common lure of fake UPS or DHL package notifications. Sophos has posted a useful analysis of one of the current crop of bogus package delivery messages.

Putting the attachment surge in context, figures from the same companies show that overall spam is still at historically low levels after the closure earlier this year of Rustock, one of the most prodigious spam botnets. Overall, then, spam levels appear to be continuing their gradual decline.

So where is the new wave of attachment messages coming from and does the latest campaign have any deeper significance?

Most of the messages appear to originate with an unremarkable botnet called Cutwail, backed up by activity from two other small players, Festi and Asprox. The attachments themselves are designed to hit computers with a range of malware, including fake antivirus campaigns and the SpyEye banking Trojan as well as to recruit them to relay spam.

This looks pretty mundane. The carriers are bog-standard DHL emails backed by attachments that serve the same Trojans that make up most Internet malware campaigns. The innovation level is very low and has echoes of a campaign run by criminals in March and April.

According to M86 product manager, Ed Rowley, the campaign is probably a symptom of the stress the spammers are under at a time when the phenomenon has lost some of its old potency.

"I think it is linked to the low levels of spam. We have seen spam drop and this is an attempt to rebuild the botets, " he said. "The criminals are trying to lay the foundations of future attacks."

This view is echoed by Daniel Axater, CEO of Swedish mail filtering company CronLab, which has also noticed the attachment phenomenon. "Any views on why this sudden surge would be speculation, but to me it looks like they're trying to use this attack to expand the size of the botnets," he said.

Criminals are always trying to increase their empires, but what points to the desperation of criminals is that they are using such hackneyed and generally easy-to-spot methods to carry out this task. Attachment spam is generally a last resort because while dangerous it is also difficult to slip past spam filters. Most users, especially corporate users, will never see the emails at all.

Any botnetter willing to try the high-visibility technique will have to compensate for this filtering by sending large number of messages to have any chance of success. That in turn raises the campaign's visibility further.

That several security companies have noticed the campaign within the same period of days suggests that the returns are likely to be very modest, mainly hitting users on small, poorly-defended ISPs running obsolete and unpatched operating systems such as XP.

After years of effortless success, spammers have had a relatively bad time of it this year, especially after the downing of major spam relays such as Spamit.com in September 2010 and Rustock in March this year. Without some innovation, that decline could be set to continue.