AppRiver, The Messaging Experts(TM)
2008: A Year in Review
Spam Report: 2008 - State of Security
Table of Contents
1. Overview
2. Phishing in 2008
   a. Introduction
   b. Governmental Phishing and Scare Tactics
   c. Google Phishing
   d. Oh, and the Banks Too
3. World Events That Drove Spam and Malware Campaigns
4. The Battle of the Botnets
5. McColo and Other Botnet Shutdowns
6. Other Notable Events from 2008
   a. Ransomware Returns
   b. Coca-Cola and McDonald's Fake Holiday Promotions
   c. The .Pdf Format Was a Popular Target
   d. Directory Harvest Attacks
   e. Spam and Scams Surrounding the 2008 Beijing Summer Olympics
   f. Malware Was the Top Story for MSNBC and CNN in September
7. Total Email Traffic 2008
8. Regions of Origin
9. Top Ten Countries of Origin
10. Twelve Month Virus Activity
11. Attachment Spam
12. Spam Back on the Rise
1. Overview
From increased levels of spam and malware to the botnets delivering them, 2008 was another busy
year for AppRiver. This report summarizes 2008's most intriguing Internet security threats, as
well as the year's biggest trends.
2. Phishing in 2008
2a. Introduction
Long gone are the days when the Internet was simply filled with coders and hackers of varied talent
levels trying to prove to one another how l33t they were by means of non-life-ruining computer
mischief. Now, the Internet is a place of uncertainty with harsh consequences for even the most
tech-savvy users.
Picture the old black-and-white movies portraying the mafia with Tommy guns, fencing operations and
other related crimes. The same organizational structure applies to the Internet, but on a much
grander scale and with far less ability to find, identify and prosecute the criminal. In fact, many
cybercriminals have moved away from the one-man basement spam operation to a complex ring of
organized crime. Each aspect of an attack is outsourced to someone who provides a specialty service:
individuals who collect valid e-mail addresses, author the malware used, set up fake websites, or
purchase stolen account information. Though the methods vary, all of the malware out there today
has one underlying goal: to take your money. What follows are a few of the larger and more
interesting attacks we saw at AppRiver.
2b. Governmental Phishing and Scare Tactics
Several official-looking campaigns came through this year posing as governmental organizations. One
such campaign used spear-phishing methods to lure readers into opening a subpoena from the US Tax
Court. These e-mails carried an official-looking Tax Court seal and were personalized for the targeted
victim: each was addressed to the individual by name, and that name appeared again in the body of the
petition as the respondent. The e-mail contained a link to a supposed U.S. Tax Court (or sometimes IRS)
website where the reader could view the details of his or her case.
Readers using any browser other than Internet Explorer (IE) were told that the site could only be
viewed with IE, were given a genuine link to Microsoft to download IE, and were then, of course,
encouraged to come back and try again. Once the viewer reached the site with IE, it attempted to
install "security certificates". Everyone wants to be safe, right?! The certificates turned out to be
keylogging software, which promptly began stealing critical information, or, in the cybercriminals'
hopeful eyes, the user's business banking credentials.
The same subpoena trick had been used a month earlier, in April. Those e-mails were directed at
corporate executives with identity theft in mind. Each e-mail was addressed to the recipient by name,
including business name and telephone number, and purported to be a subpoena ordering the recipient
to appear in court over allegations filed against him or her. The e-mail included a link to view the
subpoena. Once clicked, the link sent the reader's web browser to a page requiring additional
downloads to view the document. Those who agreed were shown a PDF resembling a lawsuit filed in a
California district court; at the same time, malware designed to log all banking activity was
downloaded. Once the victim accessed his or her personal or corporate bank account, the cybercrooks
were free to withdraw as much money as possible.
The code used in this attack was nothing more than a cut-and-paste job of several different exploits
that could be found around the InterWeb, so the attackers were clearly not master programmers.
Instead, these Romanian-based cybercriminals were more like savvy business professionals who were
very smart about handling their stolen goods: the money was quickly routed (usually within one day)
through many different accounts to stay ahead of account cancellation.
Another phishing technique that has become commonplace is posing as the IRS and pretending to have a
good-sized rebate check waiting for those who follow the strategically placed links. Rather than wait
for a check to show up in the physical mailbox at home, victims can simply type in their bank account
information for a direct deposit. Unfortunately, the friendly cybercriminals transfer money out of
the account, not in as promised.
With the current economic recession and all sorts of financial turmoil, the phishermen of the Internet
began using economic stimulus checks as bait to get whatever little money may be left. Back in May of
2008, e-mails began arriving in inboxes claiming to be from the Internal Revenue Service with "your
money". All one needed to do was claim the money and, yep, you guessed it, click on a link. Once the
viewer landed on the site, the amount being given (always $1,500) was displayed. After clicking
through a few radio buttons (e.g. "What is your filing status?"), the viewer was taken to a page
requesting all of his or her banking information, down to the ATM PIN.
2c. Google Phishing
With Google's ubiquity and free access, it was just a matter of time before applications like Google
Docs would be abused. Phishers directed their focus to Google AdWords on Wednesday, April 23, 2008.
In the early morning hours, customers of Google AdWords became the target of a phishing scam that
continued throughout the rest of April with fervor. Previously this tactic was reserved for banking
sites, but the authors of these phishing scams began finding other, indirect routes to drain victims'
savings.
The scam e-mails arrived in inboxes with the following subject lines:
"Please re-submit your payment information"
"Account Reactivation"
"Please Update Your Billing Information"
"Your Account with Google AdWords"
"Your AdWords Google Account is stoped"
"Your ads in this account are not running"
Each e-mail was similar and did not have the misspellings the subject lines had. The e-mail stated
that the user's AdWords account would cease to run unless billing information was updated soon. A
link in the e-mail appeared to point to http://adwords.google.com/select/login; however, if the user
hovered the mouse pointer over the link, he or she would see that it actually led to one of various
domains hosted on a fast-flux network in China, looking more like this:
http://www.adwords.google.com.serga01.cn/select/Login. The phishers prepended "adwords.google.com."
as a subdomain of their own domain so that the actual destination appeared to be Google.
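As an added example (not part of the original report, and not AppRiver's code), the following Python checks e-mail links for exactly the trick described above: it pulls each anchor's href and visible text out of the HTML, reduces the destination hostname to its registrable domain, and flags links where the brand name appears only as a subdomain of someone else's domain, or where the text shown to the reader points somewhere other than the href. The sample e-mail body is constructed for the example, and the small suffix table is a stand-in for the Public Suffix List that real code should consult.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed e-mail body modeled on the AdWords campaign described above
# (the first link is the spoof, the second is a genuine-looking control).
SAMPLE_HTML = """
<p>Your AdWords account will stop running unless you update your billing
information: <a href="http://www.adwords.google.com.serga01.cn/select/Login">
http://adwords.google.com/select/login</a></p>
<p>Help center: <a href="https://adwords.google.com/support">https://adwords.google.com/support</a></p>
"""

# Toy suffix table (assumption for the example); real code should use the Public Suffix List.
SUFFIXES = {"com", "cn", "net", "org", "co.uk"}


def registrable_domain(host):
    """Return the domain a registrant actually controls, e.g. 'serga01.cn'.

    Everything to the left of it is a subdomain the owner can name freely,
    which is what lets 'adwords.google.com.' be hung in front of serga01.cn.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # two-label suffixes such as co.uk first, then one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html_body, expected_domain="google.com"):
    """Flag anchors whose real destination is not the brand's registrable domain."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        actual = registrable_domain(host)
        reasons = []
        # Brand name present in the hostname, but the controlling domain is someone else's.
        if actual != expected_domain and expected_domain in host:
            reasons.append(f"'{expected_domain}' appears inside a hostname controlled by {actual}")
        # Visible text looks like a URL but its domain differs from where the href really goes.
        if text.startswith(("http://", "https://")):
            shown = registrable_domain(urlparse(text).hostname or "")
            if shown != actual:
                reasons.append(f"link text shows {shown}, href goes to {actual}")
        findings.append({"href": href, "registrable_domain": actual,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_HTML):
        print(finding)
```

The two checks are independent on purpose: a phisher who avoids the brand-in-subdomain trick can still be caught by the text/href mismatch, and a plain-text mail with no anchor text is still caught by the registrable-domain comparison.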
2d. Oh, and the Banks Too
Let us not forget the classics: phishing e-mails that pretend to be from a bank and either infect the
user with account-stealing malware (keyloggers, or screen scrapers that defeat on-screen keyboards)
or direct readers to a fake site built to gather critical personal information. Even though
cyberthieves continue to get more and more creative, these techniques certainly have not gone
anywhere. In fact, several bank phishing campaigns came through during 2008, most notably targeting
customers of BanCorp, Flagstar Bank, Digital Insight and Wells Fargo Bank.
3. World Events That Drove Spam and Malware Campaigns
It's an unfortunate fact that with tragedy comes opportunity, and that is especially true when it comes
to enticing victims to open malware. When a large, and often tragic, world event occurs, you can bet
that the next day you will see a lot of malicious e-mail in the spam traps, where the bad guys have
jumped on the bandwagon in an attempt to pique your interest just enough to get you to fall for their
trickery.
• 2008 had several big events that fueled many a spam and virus campaign, and even some
worldwide hacktivism. Hacktivism, as used here, is a person or group defacing another party's (often
a rival's) website with some sort of political message. This occurs from time to time, and happened
again as Syria was poised to host its first ever Arab Summit back in March.
• Too numerous to name were the campaigns sparked by skyrocketing oil prices. All sorts of
strange, and sometimes clever, techniques were used, and unfortunately those who worry about
finances were often the victims. One campaign of notable interest was that of the "world gas bank
card": supposedly, an individual could purchase fuel and lock in the price gas was going for on the
day of purchase, without worrying about prices climbing further. I can't remember seeing any gas
station that claimed to accept these bogus cards, so I'm not sure purchasing one would have been a
very good idea.
• The Russia-Georgia conflict in August 2008 sparked a wave of malware-laden spam claiming to
have photos of journalists who were shot while attempting to cover the story. This one was
actually delivered by one of the heavy hitters among 2008's botnets, Pushdo.
• Some of the more unfortunate campaigns were those that posed as information regarding
hurricanes Gustav, Hanna and Ike. Not only did they attempt to deliver malware in the usual fashion
(through links or attachments in e-mail), but some of these cybercriminals went as far as to set up
fake websites where donations were taken in the name of storm victims.
• Several other campaigns were event-driven, including many playing off of the United States
presidential election and the tragic terrorist killings in Mumbai.
4. The Battle of the Botnets
In the past year botnets have become the leading spam and malware delivery vehicle by far. Their sizes
and capabilities have all grown greatly, and a few really seem to rule the roost. Fluctuations have
certainly occurred that caused ripples, but it seems difficult to get rid of any one of them for good.
• At the beginning of the year, Storm was still in charge, coming off the top of the most active
botnet list of 2007; however, its reign into 2008 was quickly put in check by the other big six:
Pushdo, Srizbi, Rustock, Mega-D, Warezov and Asprox.
• At times the Srizbi botnet was solely responsible for up to 50 percent of the world's spam.
Rustock challenged, and at times pushed ahead of, Srizbi in terms of the percentage of spam sent.
• Pushdo sent tons of malware through inboxes under the guise of fake UPS and FedEx delivery
receipts.
• Before Srizbi and Rustock came in to take the lead, Mega-D was the first botnet to surpass the
Storm Worm in overall output at the beginning of the year. Mega-D pushed out an enormous volume of
spam for herbal supplements aimed at male enhancement.
• Asprox focused on phishing much of the time, infecting vulnerable websites to host its pages, and
even included a little fallback for visitors who realized they were looking at a phishing site. The
Asprox phishing form carried additional code that treated you according to what you typed. If it
determined that you had filled out the form completely and plausibly, it redirected you to the real
site of the bank in question. If it decided you were not being a good victim, for example if you had
filled out the form incompletely, used foul language, or entered the word "phish", your browser was
served an exploit instead of your bank account being emptied. Assuming you were running Windows
and were not properly patched, you would have found your machine infected with Asprox and sending
out the same phishing e-mails that annoyed you to begin with.
5. McColo and Other Botnet Shutdowns
It's a rare occasion when authorities are able to gather enough information, by working together, to
successfully shut down a botnet. But that is what happened when a botnet was shut down by Canadian
authorities in Quebec earlier this year. Suspects were apprehended for running one of Canada's
largest botnets in years. These cybercriminals ranged in age from 17 to 26 years old. The size of
their botnet was estimated at upwards of 1 million computers across more than 100 countries. It was
used for many activities, including identity theft, other data theft, spamming and denial-of-service
attacks. In the end, the botnet caused an estimated $45 million in damages.
Another botnet was shut down when the FTC and the New Zealand Department of Internal Affairs
worked together to take down an organized cybercrime ring. The gang was responsible for using
botnet-delivered spam to sell weight loss pills, replica watches and several herbal male enhancement
products. After receiving more than 3 million individual complaints about the group, the FTC went
after them on charges that one of their products, "VPXL", touted as "100% herbal and safe", was
neither 100% herbal nor safe: it actually contained sildenafil, the active ingredient in the
prescription drug Viagra. Even though the group was ordered to halt all operations, the botnet
continues to function at only a slightly lower level.
McColo's takedown was certainly the biggest news of the year. After three months of intense traffic
(up over 1,700%!), McColo had its plug pulled. The "bulletproof hosting" company held command servers
for five of the biggest botnets out there, and when its operations were shut down, the world's spam
volume dropped 75%. The term "bulletproof hosting" refers to a company that allows its customers to
stay online no matter what types of complaints (or how many) the company receives about their
activities. This held true for McColo: it was found to be hosting approximately 40 different child
pornography sites, phishing sites, male enhancement drug sites, other "prescription" drug sites, and
several online payment providers set up exclusively to process payments for the above-mentioned
products. It turned out that when provided with evidence of McColo's operations, Global Crossing and
Hurricane Electric (McColo's two upstream Internet providers) actually stepped up to the plate and
pulled the plug on all McColo operations. With that said, no one expected the botnets to be gone
for long, since authorities were not involved. Sure enough, traffic from these botnets has continued
to rise as command servers are moved and new bots are recruited.
6. Other Notable Events from 2008
6a. Ransomware Returns
During the second week of June we saw the re-emergence of ransomware. Ransomware is a directed
attack, usually targeting business owners and their private data. Often that data has no backup, so
business owners whose machines are hijacked by malware that encrypts their files will pay the
attackers for decryption software. The new arrival was a ransomware known as GPCode.
In the past, ransomware used fairly weak encryption schemes and was therefore relatively simple to
decrypt. This one is different: it is nearly impossible to decrypt without the software the attackers
provide. The cipher doing the bulk of the work is RC4, the same cipher used in SSL and WEP
connections. No big deal there, and it would not have been a big deal if the author had not gone on
to encrypt the RC4 key with a 1024-bit RSA key. That is where the challenge lies: the largest RSA key
ever to be publicly broken at the time was only 663 bits, and it has been estimated that it would take
a million computers working in tandem year-round to break a 1024-bit key. Even that effort would be
wasted, since the malware author can simply change the key regularly, so it is likely that the key
could never be cracked in practice.
The datanappers were charging $100 to $200 for the decryption software.
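To make the point concrete, here is an added Python illustration of the hybrid scheme the paragraphs above describe; it is not GPCode's code and nothing in it is taken from the malware. The per-victim session key encrypts the data with RC4, and that session key is then encrypted under an RSA public key whose private half never touches the victim's machine. The RSA parameters are deliberately tiny Mersenne primes so the script runs instantly (a real 1024-bit modulus needs a proper key generator), and the RSA is textbook with no padding; both are demonstration shortcuts, labelled as such in the code. The `legacy_*` functions show the earlier pattern the report contrasts it with, where the symmetric key was stored alongside the data and recovery was trivial.

```python
import os

# RC4 (KSA + PRGA). Encryption and decryption are the same XOR operation.
def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed in
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


RSA_E = 65537
KEY_LEN = 16  # 128-bit RC4 session key (assumed size for the example)


def rsa_keypair():
    """Textbook RSA from two Mersenne primes (about a 150-bit modulus).

    Demonstration size only: trivially factorable, no padding. A real
    attacker generates a 1024-bit (or larger) modulus offline and ships
    only the public half inside the malware. Needs Python 3.8+ for pow(e, -1, phi).
    """
    p, q = (1 << 61) - 1, (1 << 89) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, RSA_E), (n, pow(RSA_E, -1, phi))


def wrap_key(public_key, session_key: bytes) -> int:
    """Encrypt the session key under the attacker's public key."""
    n, e = public_key
    return pow(int.from_bytes(session_key, "big"), e, n)


def unwrap_key(private_key, wrapped: int) -> bytes:
    """Recover the session key; only the holder of d can do this."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(KEY_LEN, "big")


def legacy_encrypt(plaintext: bytes, session_key: bytes) -> bytes:
    """Older ransomware pattern: the symmetric key travels with the data."""
    return session_key + rc4(session_key, plaintext)


def legacy_recover(blob: bytes) -> bytes:
    """Anyone holding the file recovers it: the key is right there in the header."""
    return rc4(blob[:KEY_LEN], blob[KEY_LEN:])


def hybrid_encrypt(public_key, plaintext: bytes, session_key: bytes = None):
    """GPCode-style: RC4 the data, RSA-wrap the RC4 key, discard the plaintext key."""
    session_key = session_key or os.urandom(KEY_LEN)
    return rc4(session_key, plaintext), wrap_key(public_key, session_key)


def hybrid_recover(private_key, ciphertext: bytes, wrapped: int) -> bytes:
    """What the attacker's paid-for 'decryption software' does."""
    return rc4(unwrap_key(private_key, wrapped), ciphertext)


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    ct, wrapped = hybrid_encrypt(pub, b"quarterly ledger")
    print("ciphertext:", ct.hex())
    print("wrapped session key:", wrapped)
    print("recovered:", hybrid_recover(priv, ct, wrapped))
```

A defender holding the infected disk has the ciphertext, the wrapped key and, from the binary, the public modulus n; recovering the session key without the private exponent means factoring n, which is exactly the 663-bit-versus-1024-bit gap the report describes. Note also that RC4 itself is not what protects the data: if the author had stored the session key on disk, as in `legacy_encrypt`, the files would be recoverable regardless of the cipher.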
6b. Coca-Cola and McDonald's Fake Holiday Promotions
In an attempt to hook new victims, spammers used a pair of well-crafted malware campaigns, one posing
as a McDonald's restaurant and the other as the Coca-Cola Company. Each of these "promotions" came
with a .zip attachment that was supposed to contain a coupon for a free product. Once the executable
inside the .zip attachment was run, a pop-up window with a printable coupon was shown. Unfortunately,
that's not all it gave users. It also gave them a computer worm that stole e-mail addresses from the
system and mailed a copy of itself to all of their friends, clients and family via its own onboard
SMTP engine.
6c. The .Pdf Format Was a Popular Target
Adobe's PDF file format was targeted several times during 2008, and a couple of the attacks are
worth noting. One attack appeared in February and exploited Adobe's "mailto:" functionality. The
mailto: call, hidden in the binary of the file, made a specially crafted request to its malicious host
to download a Trojan from the Zonebac family of malware. Once the Trojan was in place it would attempt
to disable any anti-virus software it detected and download further malicious software.
Adobe was targeted again in June, prompting the company to push out a patch for both Adobe Reader and
Adobe Acrobat Professional due to a flaw that "could potentially allow an attacker to take control of
an affected system".
6d. Directory Harvest Attacks
Two very large directory harvest attacks (DHAs) made their way through cyberspace during March, each
lasting for days and pushing through to the end of the month. A DHA message appears to be nothing
more than garbage. It's addressed to a specific individual, sometimes alongside many others, and sent
from random, often forged, e-mail addresses. The body of the e-mail doesn't try to sell you anything
or attempt to infect your computer by tricking you into downloading a file or clicking on a link.
Instead it contains a few random words, sometimes intelligible, sometimes not. In one campaign the
e-mails were left entirely blank, which added to the difficulty of blocking them. Even though they all
appeared to be junk, they were in actuality a spammer's tool to collect, or "harvest", valid e-mail
addresses: the sender records which recipient addresses the receiving mail server accepts and which
it rejects as unknown, and the accepted ones are kept for future spam or malware campaigns.
6e. Spam and Scams Surrounding the 2008 Beijing Olympics
The Olympics were a very popular topic for many people during the month of August, and the scammers
were getting into it too. This was easily predicted, as all major events are used by spammers and
scammers in attempts to sway readers into clicking links or opening attachments. The scammers and
malware authors tried several different angles. One of the major scams began weeks before the
Olympics' opening ceremony: several fake sites popped up offering tickets to the Olympics for sale;
buyers would pay for their tickets but never receive them. Other Olympic-themed scams included
viruses that pretended to be images of the opening ceremony, 419 advance-fee scams, and a
lottery-style scam that offered recipients "all expense paid" trips to the event and an additional
$500,000.
6f. Malware Was the Top Story for MSNBC and CNN in September
Those with mal-intent on the Internet often try to pretend to be someone reputable, and some do a
better job at this than others. Such was the case with a particular malware campaign that ran its
course during the latter part of 2008. The campaign posed as breaking news from CNN, and another wave
pretended to be MSNBC. The headlines would arrive by e-mail with plenty of flashy, official-looking
graphics and 10 randomized headlines that were links to read the full stories. The same e-mail would
also contain 10 other links to news videos. Instead of news, the links simply infected the target
machine, and readers would never find out whether a Florida man truly dialed 911 to "complain his sub
had no sauce".
7. Total Email Traffic Volume
This chart represents both valid and spam traffic throughout 2008. Note the dramatic drop in overall
volume that correlates with the McColo shutdown.
8. Regions of Origin
This graph represents spam traffic by region. The spam origins remained similar throughout the year,
with only minor fluctuations. Europe took the top spot for the year with 35.6% of total spam
delivered, with Asia close behind at just over 30%.
9. Top Ten Countries of Origin
This chart represents the top countries from which spam originated throughout 2008. The U.S. led the
pack with 5 billion spam messages served. Turkey easily took second place, and the Russian Federation
maintained third place, where it hovered for most of the year.
10. Twelve Month Virus Activity
This chart represents e-mail-borne virus and malware activity during 2008. During the month of August,
AppRiver was seeing brand new zero-day virus variants at a rate of up to 5 a day, an increase of
around 1,700% over the months prior. Luckily, those numbers waned towards the end of the year.
11. Attachment Spam
The following charts represent attachment spam broken out by file type and frequency. Images used as
a means of fooling Bayesian filtering lost popularity during the middle of the year, but came back
with a record spike in October.
12. Spam Back on the Rise
The shutdown of McColo, and with it the world's top five botnets, led to spam decreasing by 75%. This
chart shows a slice of the past 60 days and spam's slow but sure rise back to pre-McColo levels.