The amount of spam in email traffic increased by 0.3 percentage points compared to November and averaged 77.1%.
Phishing emails accounted for 0.14% of all mail traffic, a decrease of 0.26 percentage points compared to the previous month.
Malicious files were found in 1.75% of all emails, an increase of 0.15 percentage points compared to November’s figure.
Spam in the spotlight
Russian spammer on trial
The legal war on botnets was once again thrust into the public
limelight in December with criminal proceedings being instigated in
Wisconsin (USA) in the case of Russian citizen Oleg Nikolaenko who is
suspected of creating and utilizing the Mega-D zombie network, also
known as Ozdok.
The Mega-D/Ozdok botnet, which is believed to have been created by
Oleg Nikolaenko, was until recently among the biggest botnets
distributing spam. According to some estimates, at its peak the network
numbered half a million infected computers. Experts claim that at
certain times the network’s zombies could distribute up to 30-35% of all
spam. The fight against this monster started in 2008, but it was only a
year later in November 2009 that any results were achieved when
numerous command centers were closed down. This only led to a temporary
drop in the network’s capacity – by the beginning of December 2009 the
botnet was back up and running at full capacity.
The botnet’s infected machines were used to distribute partner spam containing adverts for medications and fake designer goods.
When the Mega-D/Ozdok command centers were shut down in November
2009, Muscovite Oleg Nikolaenko was already the FBI’s prime suspect.
They received information about him from one of his “associates” Jody
Smith who in the summer of 2009 was himself under investigation. In
August of the same year he began assisting law enforcement agencies.
Nikolaenko, however, was only arrested a year later in November 2010 during a visit to an auto show in Las Vegas.
Nikolaenko is charged with violating US anti-spam laws (CAN-SPAM Act
of 2003) and if found guilty, could face up to three years in prison or a
fine of $25 000.
Nikolaenko denies any wrongdoing. His attorney tried to free him on
bail, but the request was denied because the court had reason to believe
the defendant would attempt to leave the country. The court’s decision
is still pending. The next hearing is scheduled for February 2011.
Meanwhile, as Nikolaenko sits in prison, the volume of spam
distributed via Mega-D, according to some experts, constitutes no more
than 5% of all spam traffic.
In particular, the case of Oleg Nikolaenko demonstrates the
shortcomings of Russia’s spam laws: it took a trip to the USA for an
alleged major player in the spam business to finally face the prospect
Making sure the leaks spread
Recently, the WikiLeaks portal specializing in the publication of
data leaks from government organizations of different countries has
unsurprisingly become engulfed in a major international scandal. The
portal has published thousands of confidential documents of a very
sensitive nature for the world’s politicians. Naturally, WikiLeaks has
its supporters and opponents. The former started actively spreading some
major leaks in December.
They tried to publish links and extracts from WikiLeaks wherever they
could. Spam was also utilized. In December, users received emails
containing links and requests to pass them on in the name of democracy:
In addition to these messages we also came across snippets of
compromising texts. However, there is no way of knowing how reliable
these sources are: this could be spam distributed by supporters of
WikiLeaks or false information from opponents.
WikiLeaks – the month’s hot topic
Surprisingly, the WikiLeaks issue was so popular in December that
even the Christmas and New Year holiday season failed to live up to its
usual popularity among spammers.
It is usual for spammers to exploit the current hot topic to grab the
attention of their recipients. The types of issues or events can vary –
the antics of celebrities to wars, elections or various holidays. In
December the most popular topic is usually the holiday season. In
December 2010 WikiLeaks kept Christmas and New Year company in the
spammer popularity stakes.
Spammers mentioned the WikiLeaks name in background noise texts used
to bypass spam filters. They were mostly quotes from material published
on the site, or news about the portal itself. Interestingly, the word
WikiLeaks was often inserted in links in another bid to evade the
It remains to be seen whether the people distributing pharmaceutical
spam are supporters or opponents of WikiLeaks; we only know that they
have exploited the attention given to the leaks for their own purposes.
Spam in mail traffic
The amount of spam detected in mail traffic increased by 0.3
percentage points and averaged 77.1% in December 2010. A low of 72% was
recorded on 6 December with a peak of 85.2% on 12 December.
Spam in mail traffic in December 2010
Sources of spam
In December, India remained the single-most popular source for spam, accounting for 9.89% of the total volume of spam (-0.55%).
Sources of spam in December 2010
The most noticeable shift in the Top 20 most popular spam
distributors affected Russia and Vietnam, which came second and fourth
respectively in November. In December, they swapped the places: the
amount of spam distributed from the territory of Russia increased by 2.9
percentage points while Vietnam’s contribution dropped by 4.11
Tellingly, three out of December’s Top 5 spam distributors – India,
Russia and Vietnam – were among the Top 10 countries where mail
antivirus detected malware most frequently in November, suggesting the
cybercriminals who sent malware to those countries in November made use
of infected computers for distributing spam in December.
There was also a drop in the volume of spam originating from the UK, France and Germany.
Malware in mail traffic
In December, malicious files were found in 1.75% of all emails, an
increase of 0.15 percentage points compared with the previous month.
Countries where mail antivirus detected malware most frequently in December 2010
Like the previous month, most malware was detected in mail traffic
received by users in India, Russia and Vietnam. European countries and
the USA, which had been among the leaders of this rating for the last
few months, fell to the lower end of December’s Top 10. The UK, which
until October had been among the top three, fell to tenth place,
accounting for less than 3% of all malware detected in email traffic. At
the same time, cybercriminals sent quite a lot of malicious messages to
It is possible that such a shift is part of the initiative to
transfer botnets from the West – where anti-botnet activity is
threatening business – to the East where the legal pressure is not as
The Top 10 malicious programs distributed via mail traffic in December 2010
In December, Trojan-Spy.HTMLFraud.gen maintained its leading position
in the list of Top 10 malicious programs distributed via mail traffic.
This malicious program has been a long term Top 10 resident. It is
designed to trick users into giving away confidential or financial data.
This particular Trojan uses spoofing technology and appears in the form
of an HTML page resembling the site of a well-known bank or e-pay
system where the user is asked to enter a login and a password. This
malicious program was particularly popular in December as the end of the
year is always a time of increased spending in the run-up to the
holiday season. At that time of year the average user has money in his
online accounts and is busy Christmas shopping, making him an easy
target for fraudsters of every type.
The majority of the other entries also make regular appearances in this Top 10 throughout the year.
Email-Worm.Win32.Mydoom.m was a permanent fixture in this Top 10
throughout 2010. This is a typical mail worm which scans the system
searching for email addresses that can be used to send a copy of itself
in the form of a message containing a fake email system notification
about a delivery failure. In this case the main function of the program
is the harvesting of email addresses. This worm’s signature was added to
Kaspersky Lab’s antivirus databases in 2004. To read more about this
malicious program click here.
Email-Worm.Win32.NetSky.q is also a regular in the Top 10. In all,
five out of the ten most popular malicious programs distributed via mail
traffic are mail worms. As the names suggest,
Email-Worm.Win32.Agent.gnd and Email-Worm.Win32.Agent.gne also belong to
this family. However, their functionality is more sophisticated
compared to the aforementioned worms. They not only collect email
addresses and distribute themselves via mail traffic but install other
malicious programs once they penetrate a victim computer. These
malicious programs are mostly Trojan downloaders which immediately try
to gain access to Internet resources in order to download other malware.
Spam by category
In December, the popularity of spam categories followed the trends set in autumn.
Viagra’s banishment continued: the share of pharmaceutical spam
decreased by 0.8 percentage points compared with the previous month and
averaged 28.6%. The amount of spam distributed in the other categories
was affected by spammers abandoning pharmaceutical spam and by the law
enforcement activity surrounding botnets sending this type of spam.
Spam by category in November–December 2010
The peak in the graph above reflects the popularity of a partner
program offering fake designer goods. The spammers obviously decided
that replicas of expensive watches and bags were a good idea for
The festive season theme was actively exploited by the spammers. In
the first week of December the share of emails that mentioned Christmas
and New Year exceeded 6% and continued to grow. Holiday season spam
averaged 20-25% of the total quantity of spam in December.
In conclusion, we would like once again to mention the results of the
successful anti-botnet campaign in the West. The volume of spam
distributed from the territory of the USA has not returned to former
levels in spite of concerns by experts that it would be a temporary dip.
The amount of spam originating from the UK, France and Germany has also
started to drop. Meanwhile, the processes taking place in Eastern
Europe and Asia are worthy of special mention. The countries of these
regions are increasingly being targeted by malicious spam. It appears
the cybercriminals are trying to transfer their zombie networks to those
regions where law enforcement is either less successful or
The interest in counterfeit medications on the part of Western law enforcement agencies as well as the Igor Gusev’s
case initiated in Russia clearly affected the various spam categories:
spammers are still searching for a partner program that is as profitable
as pharmaceutical spam used to be. The fact that spammers are actively
advertising their own services demonstrates that those who have decided
to start advertising for small and medium-sized businesses are still
looking for clients.
The situation is unlikely to stabilize in January. Spam will continue
to be redistributed among the various spam categories. The first month
of the year is usually marked by a downturn in consumer spending and no
single partner program will be capable of meeting the financial demands
of the spammers following the demise of pharmaceutical spam. They will
now have to search for a more effective area of activity and modify