Cutwail botnet raising spam levels once more

 By Paul Wood

There has been a recent increase in the amount of malicious email traffic detected by MessageLabs Intelligence despite a continuous decrease in the actual number of spam mail distributed. 

The decrease in spam is due in large part to the takedown of Rustock, the largest spamming botnet, in March. So what accounts for this increase in malware traffic?

MessageLabs Intelligence Senior Analyst, Symantec Hosted Services
Paul Wood


An investigation by MessageLabs Intelligence revealed that this increase is at least due in part to the Cutwail botnet.


Cutwail, which has been active for some time, recently increased its activity and is now sending more spam with large attachments. 

This is no surprise as email attachments are one of the easiest and most powerful tools cyber criminals use to attack PCs and this month MessageLabs Intelligence saw an increase in this type of spam technique using zip file and portable document formats (PDF). 

 Zip files prey with packages

 Spammers using zip files lure their prey with variations on the same familiar email subject line in which a postal package is undeliverable. In order to retrieve their package, victims are asked to open the zip file attachment, print the invoice and bring it to the post office to collect their package. 

Malicious zip file attachments are dangerous because they include executable files, which if run, will infect your machine. These files are variants of the Bredolab malware. Once on your system, this malware allows the attacker to take control of your machine. An infected machine often becomes part of the larger botnet and is used to spread the infection to others.

Example of spam mail containing a malicious zip file attachment 

You should always be suspicious of any attachments that you were not expecting. If the email you receive is convincing and you are unsure of its legitimacy take note of the language used. Notice in the example above that the grammar is lacking in several places. Also the recipient’s parcel number is different each time it is used. 

An increase in PDF attacks 

MessageLabs Intelligence has also seen a rise in PDF attacks. As one of the most commonly used file formats with which to exchange electronic documents, PDF attachments are used heavily in both targeted and non-targeted attacks. In fact, MessageLabs Intelligence has found that PDFs now account for a larger proportion of document-based targeted attacks. In 2010, 65 per cent of targeted attacks used PDF exploits compared with 52.6 per cent in 2009. There is no sign of this trend slowing down with attacks widening to include sophisticated non-targeted malware. These spammers are using a variety of social engineering techniques, as demonstrated in the example below, to trick recipients into opening the attached PDF files.

 It is important for email users to be aware of the variety of techniques cyber criminals are using and to understand the dangers of opening and/or running any suspicious attachments to in order to protect their PCs.’s advanced monitoring systems were able to detect and identify these scams before recipients became victims. 

Paul Wood, is a MessageLabs Intelligence senior analyst at

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Latest Blogs

ITB in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.