Image representing Symantec as depicted in Cru...
Image via CrunchBase

Symantec have released their May 2011 Intelligence Report. A summary of the results are below.

Report highlights

  • Spam – 75.8% in May (an increase of 2.9 percentage points since April 2011)
  • Viruses – One in 222.3 emails in May contained malware (a decrease of 0.14 percentage points since April 2011)
  • Phishing – One in 286.7 emails comprised a Phishing attack (a decrease of 0.06 percentage points since April 2011)
  • Malicious web sites – 3,170 web sites blocked per day (an increase of 30.4% since April 2011)
  • 36.8% of all malicious domains blocked were new in May (an increase of 3.8 percentage points since April 2011)
  • 24.6% of all web-based malware blocked was new in May (an increase of 2.1 percentage points since April 2011)
  • For the First Time, Spammers establish their own fake URL-shortening services

Spammers are establishing their own their own fake URL-shortening services to perform URL redirection. This new spamming activity has contributed to this month’s increase in spam by 2.9 percentage points, a rise that was also expected following the Rustock botnet takedown in March.

Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened-URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.

MessageLabs Intelligence has been monitoring the way that spammers abuse URL-shortening services for a number of years using a variety of different techniques so it was only a matter of time before a new technique appeared,” said Paul Wood, MessageLabs Intelligence Senior Analyst. “What is unique about the new URL-shortening sites is that the spammers are treating them as ‘stepping stones’ – a link between public URL-shortening services and the spammers’ own sites.”

To make things more interesting, these new domains were registered several months before they were used, potentially as a means to evade detection by legitimate URL-shortening services since the age of the domain may be used as an indicator of legitimacy making it more difficult for the genuine shortening services to identify potential abuse.

“With legitimate URL-shortening services attempting to tackle abuse more seriously, spammers seem to be experimenting with ways to establish their own services to better avoid disruption,” Wood said. “However, as long as new URL-shortening services are being created, we expect spammers to continue abusing them.”

 Symantec MessageLabs Email AntiVirus.cloud

The global ratio of email-borne viruses in email traffic was one in 222.3 emails (0.450%) in May, a decrease of 0.143 percentage points since April 2011.

In May, 30.0% of email-borne malware contained links to malicious Web sites, an increase of 16.9 percentage points since April 2011. A large number of emails containing variants of Bredolab related malware, accounted for 16.3% of all email-borne malware, compared with 55.1% in the previous month. These variants were commonly attached as ZIP files, rather than hyperlinks, and as the volume of these attacks diminishes, the proportion of attacks using hyperlinks increased.

The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May. A large number of variants of Bredolab malware continued to be observed in a number of countries during May, as highlighted in the table below.

In the US, virus levels for email-borne malware were 1 in 540.3 and 1 in 334.5 forCanada. In Germany virus activity reached 1 in 435.9, 1 in 1,197 in Denmarkan d in The Netherlands 1 in 330.1. In Australia, 1 in 513.5 emails were malicious and 1 in 377.2 in Hong Kong; for Japan it was 1 in 1,164, compared with 1 in 706.7 in Singapore. In South Africa, 1 in 178.7 emails and 1 in 378.3 emails in Brazil contained malicious content. With 1 in 28.9 emails being blocked as malicious, the Public Sector remained the most targeted industry in May. Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9 and 1 in 367.9 for the IT Services sector; 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.

Phishing Analysis

In May, Phishing activity decreased by 0.06 percentage points since April 2011; one in 286.7 emails (0.349%) comprised some form of Phishing attack.

South Africa remained the most targeted geography for Phishing emails in May, with 1 in 80.2 emails identified as Phishing attacks.South Africa suffers from a high level of Phishing activity targeting many of its four major national banks, as well as other international financial institutions.

In the UK, Phishing accounted for 1 in 100.1 emails. Phishing levels for the US were 1 in 1,227 and 1 in 239.2 forCanada. In Germany Phishing levels were 1 in 1,540, 1 in 2662 in Denmark and 1 in 780.9 in The Netherlands. In Australia, Phishing activity accounted for 1 in 1,022 emails and 1 in 2,235 in Hong Kong; for Japan it was 1 in 10,735 and 1 in 2,111 for Singapore. In Brazil, 1 in 589.5 emails were blocked as Phishing attacks.

The Public Sector remained the most targeted by Phishing activity in May, with 1 in 33.2 emails comprising a Phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 982.8 and 1 in 738.9 for the IT Services sector; 1 in 537.0 for Retail, 1 in 141.4 for Education and 1 in 267.0 for Finance.

Symantec MessageLabs Web Security.cloud

In May, MessageLabs Intelligence identified an average of 3,142 Web sites each day harboring malware and other potentially unwanted programs including Spyware and adware; an increase of 30.4% since April 2011. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity.

As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 36.8% of all malicious domains blocked were new in May; an increase of 3.8 percentage points compared with April 2011. Additionally, 24.6% of all Web-based malware blocked was new in May; an increase of 2.1 percentage points since the previous month.

Endpoint Protection

The endpoint is often the last line of defense and analysis. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering.

The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit3, a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 14.0% of all malicious software blocked by endpoint protection technology in May.

Geographical Trends:

  • Russia became the most spammed in May with a spam rate of 82.2 percent.
  • In the US 76.4 percent of email was spam and 75.3 percent in Canada and 75.4 percent in the UK.
  • In The Netherlands, spam accounted for 77.5 percent of email traffic, in Germany 75.5 percent, 75.1 percent in Denmark and 73.9 percent in Australia.
  • Spam levels in Hong Kong reached 75.2 percent and 74.0 percent in Singapore. Spam levels in Japan were 72.3 percent.
  • In South Africa, spam accounted for 75.9 percent of email traffic and 74.8% in Brazil.
  • The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May.
  • In the US virus levels were 1 in 540.3 and 1 in 334.5 forCanada. In Germany, virus levels reached 1 in 435.9, 1 in 1,197 in Denmark and 1 in 330.1 for The Netherlands.
  • In Australia, 1 in 513.5 emails were malicious and, 1 in 377.2 forHong Kong, for Japan it was 1 in 1,164 compared with 1 in 706.7 forSingapore.
  • In South Africa 1 in 178.7 emails contained malicious content and in Brazil it was 1 in 378.3

Vertical Trends:

  • In May, the most spammed industry sector with a spam rate of 80.2 percent was the Wholesale sector.
  • Spam levels for the Education sector were 77.4 percent, 76.0 percent for the Chemical & Pharmaceutical sector, 75.4 percent for IT Services, 75.4 percent for Retail, 74.5 percent for Public Sector and 74.7 percent for Finance.
  • In May, the Public Sector remained the most targeted industry for malware with 1 in 28.9 emails being blocked as malicious.
  • Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9, 1 in 367.9 for the IT Services sector, 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.

For further details visit the Symantec website here.

March’s Report summary can be found here.

April’s Report summary can be found here.

.

Advertisements