Virus Activity Drop: Calm Before a Stormy Summer?

What accounts for the near-disappearance of virus activity last month? One explanation: even spammers need to invest time in research and development.

Something surprising, if not unprecedented, happened last month: virus activity plummeted.

Messaging security specialist AppRiver, for example, cites a 95 percent decline in virus activity relative to February's activity.

What accounts for the huge drop? Did spammers suffer a McColo-like setback? Have security pros turned the corner in the battle against spam? Are users getting smarter?

No one knows for sure, but if history is any indication, says AppRiver senior security analyst Fred Touchette, March might turn out to be an anomaly.

Call it the eye of an ever-raging hurricane: even spammers need to invest some time in research and development (R&D), Touchette argues.

"No major shutdowns have occurred recently that would have caused a McColo-like reaction of this kind. It is possible that the malware authors are in a period of R&D where new variants of their malware are being written, and new plans of attack are being formulated," he comments.

"We have not seen virus levels this low since March 2008 where we saw a meager two million pieces." That quietus, Touchette continued, turned out to be a proverbial calm before the story: by August, AppRiver's monthly tally of viruses again topped the 500 mark. "Judging by the patterns of recent years, this activity is not uncommon for the first few months of the year before spiking in the mid to latter months."

In a kind of counterintuitive twist, the number of viruses declined even as the volume of spam increased: Touchette says AppRiver collected 3.5 billion virus messages last month. That was up slightly from February's tally.

Other messaging security specialists, such as Symantec Corp. subsidiary MessageLabs, have remarked on a decrease in the size of the average spam message.

AppRiver, on the other hand, says spam campaigns increasingly feature image collateral: the prevalence of such spam has been on the rise for three months running, Touchette confirms. While the use of embedded image spam could account for both the shrinking size of the average spam message and the increasing prevalence of image spam, AppRiver also pointed out an uptick in the use of ZIP file attachments, chiefly in the form of compressed ("ZIPped") image spam advertisements for Viagra, Cialis, and similar drugs.

MIME attachments likewise inflate the size of a message.

Touchette says ZIP file spam -- although highly prevalent -- is rarely effective. Most security software simply strips ZIP attachments from incoming files, or (in other cases) employs custom rules to separate attachment wheat from attachment chaff. "These campaigns normally run rather tenaciously in the background, but thanks to … filtering, no customer has to see them. By placing them in ZIP files, these campaigns were briefly brought to the foreground before a quick set of custom rules put them back in their place," he writes.

"Every once in a while a spam campaign will attempt to alter their delivery technique in an attempt to trick filters and at least get their spam into inboxes where they have a chance at someone actually opening their bogus emails."

March gives virus writers plenty of fodder, which makes last month's downturn so inexplicable. There's St. Patrick's Day, for starters, followed by the NCAA basketball tournament. AppRiver recorded spam and virus activity focusing on both events. Of special interest to spam and virus perpetrators, however, was a celebrity: Sandra Bullock. In late March, Touchette reports, AppRiver monitored a Sandra Bullock-themed malware campaign that managed to generate more than 1,200 messages a minute. It's par for the course, Touchette notes, whenever anything salacious is associated with a celebrity. The danger isn't just confined to e-mail, he cautions.

"Much like after the death of Actor Corey Haim earlier this month, events like this often trigger accompanying … attacks," he writes. "It has also become very popular for the malware writers to poison search engine results when something like this happens in order get their bad sites to appear at the top of the results."

Must Read Articles