Research

New spam sources in the making

After the Pushdo/Cutwail, Bredolab and Rustock botnets were taken offline, the geography of spam sources underwent some major changes. In particular, from September 2010 the US, for a long time the leading spam distributor, began to lose ground. For several months now it hasn’t even made it into the Top 10 leading sources of spam and only occasionally appears at the bottom of the Top 20.

The US and some European countries have been replaced by Asian and Latin American countries. The cybercriminals have clearly established new bases for distributing spam with eight of July’s top 10 spam sources located in Asia and Latin America.

Sources of spam in July 2011

Another interesting characteristic of the July rating is that the top five countries account for almost half (48.65%) of all spam messages. For this reason we decided to take a closer look at spammer activity in India, Indonesia, Brazil, Peru and Ukraine.

An analysis of the spam mailings originating from these countries in June and July shows that in July less spam messages were sent from India and Brazil than in June – down by 2.03 and 1.83 percentage points respectively. The changes for both countries are very similar. Indonesia and Peru also saw increases of very similar levels in the same period – 4.82 and 4.59 percentage points respectively.

These figures were of particular interest to us: such similar fluctuations may well reflect the geographic distribution of spam botnets and could be due to botnets in various countries being managed by the same individuals.

In order to gain a fuller picture, we analyzed information on 11 countries (the top 10 and Russia, which ranked 11th in July and was, until recently, one of the top distributors of spam) for the period of April to July. Based on the results of analyzing the dynamics of distribution, we believe that spam is distributed simultaneously from several groups of countries:

  • India and Brazil;
  • Ukraine, Taiwan and Thailand;
  • Indonesia and Peru;
  • Korea, Italy, Vietnam and Russia.

India and Brazil

Analysis of the weekly spam traffic confirmed that the rates of spam distribution from India and Brazil have very similar dynamics:

Share of spam originating from India and Brazil for the period 13 June to 31 July

The subtle differences in the curves are primarily due to the fact that, apart from zombie machines presumably managed from the same center, each country has its own ‘local’ botnets which receive commands to distribute spam at other times. In addition, botnets are constantly changing in size with new machines being added and older ones disappearing (e.g. when users install antivirus software and the computer is disinfected).

Ukraine, Taiwan and Thailand

Analysis of Ukraine, Thailand and Taiwan quickly identified an odd one out:

Share of spam originating from Ukraine, Thailand and
Taiwan for the period 13 June to 31 July

As the graph shows, the spam mailings from Ukraine and Thailand intensify or fall off almost identically. The differences between the two are accounted for by the same reasons mentioned above for Brazil and India. Taiwan, however, is out of synch with the overall picture.

Indonesia, Peru, Ukraine and Thailand

A detailed analysis reveals that the spam distributed from Ukraine, Thailand, Indonesia and Peru is synchronous:

Share of spam originating from Indonesia, Peru, Ukraine and
Thailand for the period 30 May to 31 July

Thus, the second grouping of spammer botnet activity currently consists of Indonesia, Peru, Ukraine and Thailand.

Notably, synchronous distribution of spam from countries located on different continents does not mean that computers in these countries are united in one big botnet. Several small zombie networks can also operate synchronously, receiving commands for distributions from the same individuals.

As a result, we get a rather worrying picture: over 60% of all spam globally originates from 10 countries, where cybercriminals have been building up new botnets over the last year to replace those put out of action in the US and western Europe.

The major groups of countries from which spam is being distributed synchronously are: India-Brazil (nearly a quarter of the world’s spam was sent from these countries in July), and Indonesia-Peru-Ukraine-Thailand. Furthermore, the last three weeks of July revealed noticeable parallels between spam distributions from Russia, Italy, South Korea and Vietnam. It’s still too early to reach conclusions about this grouping of countries, but we will continue to monitor them.

The correlations above suggest that following a series of successful anti-botnet campaigns, the cybercriminals are spreading their resources across different countries (and even continents) so that they can continue to function if they lose their bots in one country. The countries in question have not yet developed effective legislation to regulate Internet activities, which allows the cybercriminals to act with impunity. What is more, the cybercriminals behind this spam traffic can manage it from any country in the world.

New spam sources in the making

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox