Has the Spam Storm Passed?

LONDON, 31 January 2008 – The infamous Storm botnet, which has deluged mailboxes with spam for a full year, seems to be passing according to security experts at Marshal’s TRACE Team. However, the forecast is not good, with multiple new botnets emerging to replace the Storm, Marshal’s TRACE team expects spam volumes to continue to rise.

The Storm botnet first appeared in January 2007. TRACE experts believe that Storm reached its peak around September 2007 when it could be linked to approximately 20 per cent of all spam in circulation. Marshal believes that contribution has slowly dwindled to around 2 per cent as of January 20, 2008.

“It is hard to say with any degree of certainty why the Storm botnet has been declining. Just last week we saw a renewed campaign to distribute the Storm malware under the guise of a love letter. It could be surmised that Storm is a victim of its own success. Microsoft has been targeting Storm with its Malicious Software Removal Tool since September last year. They claim that they have cleaned around 200,000 computers per week of the Storm bot since then. If that is accurate, it must be a key reason for the decline of Storm,” explained Bradley Anstis, Marshal Vice-President of Products.

“Unfortunately, the news is not positive. We have been tracking a number of other botnets that have stepped up to replace Storm. Storm is one of five botnets that we have been monitoring that we believe are responsible for approximately 75 per cent of all spam in circulation. One particular botnet which heavily promotes a certain brand of male enhancement pills accounts for nearly 30 per cent. This one bot has already exceeded Storm’s records and it has done it quietly without attracting too much attention. This might signal a new strategy by some of the spam crews to try and draw less attention to themselves through high profile email campaigns,” said Anstis.

“It is also possible that the individuals behind the Storm botnet are responsible for one or more of these new botnets. These people are smart and one lesson they may have learnt from Storm is to stay under the radar if they want to remain successful. There is a lot of crossover with the products being promoted by all five of these botnets. This could indicate some sort of connection between them,” mentioned Anstis.   

More information on the Storm love theme spam campaign and Marshal’s TRACE Team can be found at http://www.marshal.com/trace/traceitem.asp?article=494

About Marshal
Marshal is a global leader in Content Security across multiple protocols, enabling organizations to secure their IT environment, protect against threats and comply with corporate governance needs.  Marshal provides customers with a complete portfolio of policy-driven Email and Internet solutions that integrate content filtering, compliance, secure messaging and archiving. Forty percent of the Global Fortune 500 companies use Marshal security solutions to secure their corporate messaging networks and web against internal abuse and external threats such as viruses, spam and malicious code. More than seven million users in 18,000 companies worldwide use Marshal solutions to protect their networks, employees, business assets and corporate reputation and to comply with corporate governance legislation requirements.

Marshal is headquartered in Atlanta (USA) and London (UK) with further offices in Paris (France), Munich (Germany), Johannesburg (South Africa), Houston (USA), Sydney (Australia) and Auckland (New Zealand). More information is available at www.marshal.com.

About TRACE
TRACE (Threat Research and Content Engineering) is a specialized team of Marshal security experts who monitor and respond to Internet security threats. The TRACE Team is tasked with analyzing the performance of Marshal solutions against Internet-borne threats. TRACE focus on a wide range of threats including spam, phishing, viruses and spyware.

The TRACE Team also engineers Marshal's response to threats, including maintaining security updates and detection technologies. TRACE is responsible for testing and issuing SpamCensor and Zero Day updates.

The TRACE Center is a sample of the data-gathering and technical analysis methods that Marshal employs. We will be adding additional statistics and new threat monitors over time so please check back regularly for news, information and new content.