Symantec Links Storm Botnet to Spam Campaign

Symantec's MessageLabs has linked the Storm botnet to a spam campaign relying on shortened URLs. According to Symantec, Storm returned to the security threat landscape in May and now accounts for nearly 12 percent of all spam containing shortened URLs.

Spammers are increasingly turning to shortened URLs to beat spam filters, and an old foe is at the center of it.

According to Symantec's July 2010 MessageLabs Intelligence Report, spam with shortened hyperlinks reached a peak of 18 percent on April 30, translating to 23.4 billion spam e-mails. An analysis of the spam campaign has linked some of it to the notorious Storm botnet, which first appeared in 2006 before declining in 2008. The botnet reemerged in May, and now accounts for 11.8 percent of all the spam containing shortened hyperlinks circulating the Web.

"While botnets are often the source of short URL spam, 28 percent of this type of spam originated from sources not linked to a known botnet such as unidentified spam-sending botnets or non-botnet sources such as Webmail accounts created using CAPTCHA-breaking tools," Paul Wood, MessageLabs Intelligence senior analyst for Symantec Hosted Services, said in a statement.

The peak of 18 percent in 2010 is more than double last year's high point of 9.3 percent recorded July 28, 2009. In the second quarter of 2009, there was only a single day when shortened hyperlinks appeared in more than 1 in 200 spam messages, Symantec reported. In the second quarter of 2010, however, there were 43 days when that happened.

Security pros have repeatedly warned users to be wary about shortened URLs in e-mails and on social networks because they are sometimes used to trick people into visiting malicious sites. That wariness should not necessarily transform into panic, as an analysis by Zscaler of shortened URLs in Twitter's public timeline revealed they were far less likely to lead to malicious sites than search results on Google.

Still, for spammers pushing pharmaceuticals and other goods, using shortened e-mails can be relatively effective. According to the report, researchers found an average of one Website visit for every 74,000 spam e-mails with the shortened URLs. The most frequently visited shortened links from spam received more than 63,000 Website visits.

When it comes to spam, the name of the game is dodging filters, and any tactic that can make it harder to block e-mail messages is going to be adopted by the spammers out there, Wood said.

"When spammers include a shortened URL in spam messages, these shortened hyperlinks contain reputable and legitimate domains, making it harder for traditional anti-spam filters to identify the messages as spam based on the reputation of the domains found in the spam e-mails," he said.