Cutwail Botnet Damaged by ISP Shutdown Whilst Donbot Offers Medical Assistance to Billions
CUPERTINO, CA -- (Marketwire) -- 08/25/09 -- Symantec Corp. (NASDAQ: SYMC) today announced
the publication of its August 2009 MessageLabs Intelligence Report.
Analysis highlights how activity levels for Cutwail, one of the largest
botnets globally, fell by as much as 90 percent following the shutdown of
an ISP in Latvia. Also in August, another prolific botnet called Donbot
continued to use shortened URLs in its spam runs, peaking at distributing
ten billion emails in just one day.
The Latvian ISP Real Host was disconnected on 1 August after it was alleged
to be linked to command-and-control servers for infected botnet computers,
particularly the Cutwail botnet which is responsible for approximately 15
to 20 percent of all spam today. Following the disconnection, global spam
volumes immediately fell by as much as 38 percent in the subsequent 48-hour
period.
"Cutwail's activity levels fell by as much as 90 percent following the
disconnection of Real Host, but in a matter of days it was back to its
former self, demonstrating just how powerful the Cutwail botnet really is
in recovering and reinventing itself. ISPs have been blamed for helping
botnet activity in the past, and taking these services down when unusual
behavior is monitored is an important part of the battle against
cybercrime," said Paul Wood, MessageLabs Intelligence Senior Analyst,
Symantec.
Despite this brief variation in spam levels, the overall figures for August
remain fairly steady at 88.5 percent, due to the activity levels of other
major botnets such as Rustock, Mega-D and Donbot. Taking advantage of the
heightened interest in health-related issues due to the current swine flu
pandemic, Donbot recently distributed its largest shortened-URL spam run to
date, distributing an estimated 10 billion pharmaceutical-focused spam
messages in one day. Subjects include 'Health care - get meds now,' 'Save
89% on Meds,' and 'Purchase Meds Online.' The ongoing use of shortened URLs as
a delivery mechanism has resulted in a number of URL-shortening services
being forced to close their businesses due to their inability to handle the
malicious use of their tools.
In addition, MessageLabs Intelligence analysis highlights how
cybercriminals are three times as likely to repurpose malware
across numerous domains as they are to develop new tactics.