
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Rustock botnet

Symantec’s May 2011 Intelligence Report


Symantec has released its May 2011 Intelligence Report. A summary of the results is below.

Report highlights

  • Spam – 75.8% in May (an increase of 2.9 percentage points since April 2011)
  • Viruses – One in 222.3 emails in May contained malware (a decrease of 0.14 percentage points since April 2011)
  • Phishing – One in 286.7 emails comprised a Phishing attack (a decrease of 0.06 percentage points since April 2011)
  • Malicious web sites – 3,170 web sites blocked per day (an increase of 30.4% since April 2011)
  • 36.8% of all malicious domains blocked were new in May (an increase of 3.8 percentage points since April 2011)
  • 24.6% of all web-based malware blocked was new in May (an increase of 2.1 percentage points since April 2011)
  • For the first time, spammers establish their own fake URL-shortening services

Spammers are establishing their own fake URL-shortening services to perform URL redirection. This new spamming activity has contributed to this month’s increase in spam of 2.9 percentage points, a rise that was also expected following the Rustock botnet takedown in March.

Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened-URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.

“MessageLabs Intelligence has been monitoring the way that spammers abuse URL-shortening services for a number of years using a variety of different techniques, so it was only a matter of time before a new technique appeared,” said Paul Wood, MessageLabs Intelligence Senior Analyst. “What is unique about the new URL-shortening sites is that the spammers are treating them as ‘stepping stones’ – a link between public URL-shortening services and the spammers’ own sites.”

To make things more interesting, these new domains were registered several months before they were used, potentially as a means to evade detection by legitimate URL-shortening services: the age of a domain is often used as an indicator of legitimacy, so pre-aged domains make it harder for the genuine shortening services to identify potential abuse.

“With legitimate URL-shortening services attempting to tackle abuse more seriously, spammers seem to be experimenting with ways to establish their own services to better avoid disruption,” Wood said. “However, as long as new URL-shortening services are being created, we expect spammers to continue abusing them.”
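The “stepping stone” pattern described above can be surfaced by resolving a shortened link hop by hop instead of trusting its final destination, and by treating an intermediate hop through an unknown shortener-style host as a signal worth reviewing. The following is an added example, not code from the report or from Symantec; it simulates HTTP 30x Location headers with a constructed dictionary so it runs offline, and every hostname and registration date in it is invented for illustration. It also shows why domain age on its own is a weak check: the intermediate host here is reported with its age so an analyst can see that a months-old registration still sits in the middle of the chain.

```python
"""Follow a redirect chain hop by hop and flag the 'stepping stone' pattern:
a link on a public URL shortener that passes through a second, unknown
shortener-style host before reaching the final site."""
from datetime import date
from urllib.parse import urlsplit

# Constructed stand-in for HTTP 30x Location headers (no network access).
# All hostnames are hypothetical and not taken from the report.
REDIRECTS = {
    "http://short.example/ab12": "http://qz.example.net/x9",
    "http://qz.example.net/x9": "http://pharma-deals.example.org/offer",
    "http://short.example/cd34": "http://news.example.com/article",
}

# Hosts we treat as public, legitimate shortening services (assumption).
KNOWN_SHORTENERS = {"short.example"}

# Constructed WHOIS-style registration dates for the sample hosts.
REGISTERED = {
    "short.example": date(2006, 1, 1),
    "qz.example.net": date(2010, 11, 2),
    "pharma-deals.example.org": date(2011, 5, 3),
    "news.example.com": date(2001, 6, 1),
}

MAX_HOPS = 10  # cap so a redirect loop or very long chain cannot run away


def follow_chain(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Return the list of URLs visited, starting with `url`.
    Stops when there is no further Location, on a loop, or at max_hops."""
    chain = [url]
    seen = {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:  # redirect loop: stop rather than spin
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def looks_like_shortener(url):
    """Heuristic: a single short alphanumeric path token such as /x9 or /ab12."""
    path = urlsplit(url).path.strip("/")
    return path.isalnum() and 1 <= len(path) <= 8


def domain_age_days(host, on, registered=REGISTERED):
    """Days between registration and `on`, or None if the host is unknown."""
    reg = registered.get(host)
    return None if reg is None else (on - reg).days


def analyse(url, on=date(2011, 5, 15)):
    """Resolve `url` and report intermediate hops that look like an
    unknown shortening service, with the domain age of each."""
    chain = follow_chain(url)
    stepping_stones = []
    for hop in chain[1:-1]:  # intermediate hops only; first and last are excluded
        h = host_of(hop)
        if h not in KNOWN_SHORTENERS and looks_like_shortener(hop):
            stepping_stones.append({"host": h, "age_days": domain_age_days(h, on)})
    return {"chain": chain, "final": chain[-1], "stepping_stones": stepping_stones}


if __name__ == "__main__":
    for start in ("http://short.example/ab12", "http://short.example/cd34"):
        print(analyse(start))
```

In a real deployment the `REDIRECTS` lookup would be replaced by a request that does not follow redirects automatically, so that each Location header is recorded as its own hop; the analysis logic above stays the same.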

Symantec MessageLabs Email AntiVirus.cloud

The global ratio of email-borne viruses in email traffic was one in 222.3 emails (0.450%) in May, a decrease of 0.143 percentage points since April 2011.

In May, 30.0% of email-borne malware contained links to malicious Web sites, an increase of 16.9 percentage points since April 2011. A large number of emails containing variants of Bredolab-related malware accounted for 16.3% of all email-borne malware, compared with 55.1% in the previous month. These variants were commonly attached as ZIP files rather than delivered as hyperlinks, and as the volume of these attacks diminished, the proportion of attacks using hyperlinks increased.

The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May. A large number of variants of Bredolab malware continued to be observed in a number of countries during May, as highlighted in the table below.

In the US, virus levels for email-borne malware were 1 in 540.3 and 1 in 334.5 for Canada. In Germany virus activity reached 1 in 435.9, 1 in 1,197 in Denmark and in The Netherlands 1 in 330.1. In Australia, 1 in 513.5 emails were malicious and 1 in 377.2 in Hong Kong; for Japan it was 1 in 1,164, compared with 1 in 706.7 in Singapore. In South Africa, 1 in 178.7 emails and 1 in 378.3 emails in Brazil contained malicious content. With 1 in 28.9 emails being blocked as malicious, the Public Sector remained the most targeted industry in May. Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9 and 1 in 367.9 for the IT Services sector; 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.

Phishing Analysis

In May, Phishing activity decreased by 0.06 percentage points since April 2011; one in 286.7 emails (0.349%) comprised some form of Phishing attack.

South Africa remained the most targeted geography for Phishing emails in May, with 1 in 80.2 emails identified as Phishing attacks. South Africa suffers from a high level of Phishing activity targeting many of its four major national banks, as well as other international financial institutions.

In the UK, Phishing accounted for 1 in 100.1 emails. Phishing levels for the US were 1 in 1,227 and 1 in 239.2 for Canada. In Germany Phishing levels were 1 in 1,540, 1 in 2,662 in Denmark and 1 in 780.9 in The Netherlands. In Australia, Phishing activity accounted for 1 in 1,022 emails and 1 in 2,235 in Hong Kong; for Japan it was 1 in 10,735 and 1 in 2,111 for Singapore. In Brazil, 1 in 589.5 emails were blocked as Phishing attacks.

The Public Sector remained the most targeted by Phishing activity in May, with 1 in 33.2 emails comprising a Phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 982.8 and 1 in 738.9 for the IT Services sector; 1 in 537.0 for Retail, 1 in 141.4 for Education and 1 in 267.0 for Finance.

Symantec MessageLabs Web Security.cloud

In May, MessageLabs Intelligence identified an average of 3,142 Web sites each day harboring malware and other potentially unwanted programs including Spyware and adware; an increase of 30.4% since April 2011. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity.

As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 36.8% of all malicious domains blocked were new in May; an increase of 3.8 percentage points compared with April 2011. Additionally, 24.6% of all Web-based malware blocked was new in May; an increase of 2.1 percentage points since the previous month.

Endpoint Protection

The endpoint is often the last line of defense and analysis. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering.

The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit3, a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 14.0% of all malicious software blocked by endpoint protection technology in May.

Geographical Trends:

  • Russia became the most spammed in May with a spam rate of 82.2 percent.
  • In the US 76.4 percent of email was spam and 75.3 percent in Canada and 75.4 percent in the UK.
  • In The Netherlands, spam accounted for 77.5 percent of email traffic, in Germany 75.5 percent, 75.1 percent in Denmark and 73.9 percent in Australia.
  • Spam levels in Hong Kong reached 75.2 percent and 74.0 percent in Singapore. Spam levels in Japan were 72.3 percent.
  • In South Africa, spam accounted for 75.9 percent of email traffic and 74.8% in Brazil.
  • The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May.
  • In the US virus levels were 1 in 540.3 and 1 in 334.5 for Canada. In Germany, virus levels reached 1 in 435.9, 1 in 1,197 in Denmark and 1 in 330.1 for The Netherlands.
  • In Australia, 1 in 513.5 emails were malicious and 1 in 377.2 for Hong Kong; for Japan it was 1 in 1,164 compared with 1 in 706.7 for Singapore.
  • In South Africa 1 in 178.7 emails contained malicious content and in Brazil it was 1 in 378.3.

Vertical Trends:

  • In May, the most spammed industry sector with a spam rate of 80.2 percent was the Wholesale sector.
  • Spam levels for the Education sector were 77.4 percent, 76.0 percent for the Chemical & Pharmaceutical sector, 75.4 percent for IT Services, 75.4 percent for Retail, 74.5 percent for Public Sector and 74.7 percent for Finance.
  • In May, the Public Sector remained the most targeted industry for malware with 1 in 28.9 emails being blocked as malicious.
  • Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9, 1 in 367.9 for the IT Services sector, 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.

For further details visit the Symantec website here.

March’s Report summary can be found here.

April’s Report summary can be found here.


eCrime Trends Report Q1 2011 – Phishing Up – Rustock Down

Internet Identity (IID) has released their eCrime Trends Report: First Quarter 2011.

The report is a summary of statistics and news items from this year’s first quarter and serves as a useful reminder of how regularly breaches occur and how easy it is to forget about the last big breach.

Every month seems to bring a new record for the largest breach: Epsilon was usurped by Sony; who will be next? This is why quarterly reviews are so important.

The highlights of the IID report are below:

IT security firms in the cybercrime crosshairs

  • Breach of HBGary Federal reveals vulnerability of the extended enterprise
  • Internal emails exposed information about partners and clients
  • RSA Security breach

Notorious Rustock botnet goes offline

  • Microsoft and law enforcement cooperate in unprecedented action to shut down and confiscate criminal servers
  • Significant reduction in spam noted worldwide

Phishing attacks

  • National banks saw increase of 11% over Q4 2010
  • Banks outside the U.S. increased most dramatically
  • Recent database breaches could lead to increased spear phishing in the coming quarter
  • Compared to Q4 2010, Phishing targeting larger, national banks increased 11%. Much of the growth was seen in non-US based banks, which took three of the top five spots among banks
  • Phishing in Q1 2011 grew 12% over Q1 2010.

Parts of the Internet went dark in Q1 for a variety of reasons

  • Egyptian ISPs ordered to shut down following Internet-led protests
  • Mooo.com seizure by DHS temporarily suspended 80,000 subdomains
  • Rabobank blackholed its own DNS records in an attempt to combat DDoS attack

“As we’ve seen with recent attacks against Sony’s PlayStation Network and Epsilon, cyber criminals now have inside information about tens of millions of customers to use in highly targeted phishing campaigns,” said IID President and CTO Rod Rasmussen.

“The worry is that with all of this specific data, cyber criminals have all they need to convince people to share their highly valuable personal information. Organizations must ensure they are taking every measure to stop these attacks, including blocking access to phishing sites and command and control domains for malware that exfiltrates data. This should be done with e-mail filtering, firewalls and secure domain name system resolvers.” 
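The last recommendation above, blocking phishing sites and malware command-and-control domains at the resolver, depends on matching a blocklist correctly: a blocked domain must cover all of its subdomains, while a lookalike name that merely ends in the same characters must not match. The following is an added example, not code from the IID report or from Internet Identity; it runs a label-aware blocklist check over a few constructed resolver query-log lines in a BIND-style format (an assumption about the log layout), with hypothetical domain names that are not indicators from the report.

```python
"""Check resolver query logs against a domain blocklist, matching a blocked
domain and all of its subdomains (as a blocking resolver or RPZ rule would),
and report which clients asked for blocked names."""
import re

# Constructed blocklist of hypothetical names; not indicators from the report.
BLOCKLIST = {"phish-login.example", "c2.example.net"}

# Constructed query-log lines in a BIND-like layout (assumed format).
SAMPLE_LOG = """\
15-May-2011 10:01:02.123 client 10.0.0.5#53211: query: www.phish-login.example IN A +
15-May-2011 10:01:03.456 client 10.0.0.7#40122: query: mail.example.com IN MX +
15-May-2011 10:01:04.789 client 10.0.0.5#53300: query: beacon.c2.example.net IN A +
15-May-2011 10:01:05.000 client 10.0.0.9#41000: query: notc2.example.net IN A +
"""

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname equals a blocked domain or is a subdomain of one.
    The comparison walks whole labels, so 'notc2.example.net' does not
    match 'c2.example.net' the way a naive endswith() check would."""
    labels = qname.rstrip(".").lower().split(".")
    blocked = {b.rstrip(".").lower() for b in blocklist}
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def parse_line(line):
    """Extract client address, queried name and query type; None if no match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def blocked_queries(log_text=SAMPLE_LOG, blocklist=BLOCKLIST):
    """Return (client, qname) pairs for every query that hit the blocklist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_blocked(rec["qname"], blocklist):
            hits.append((rec["client"], rec["qname"]))
    return hits


if __name__ == "__main__":
    for client, qname in blocked_queries():
        print(f"{client} queried blocked name {qname}")
```

The same `is_blocked` routine can be reused on the enforcement side (returning NXDOMAIN or a sinkhole address) and on the reporting side (which internal hosts asked for a blocked name), so the two stay consistent.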

Read the full report here.


Symantec MessageLabs March 2011 Intelligence Report


Symantec MessageLabs has released its March 2011 Intelligence Report, which as usual makes very interesting reading.

The highlights of the Intelligence Report are below:

  • Spam – 79.3% in March (a decrease of 2.0 percentage points since February 2011)
  • Viruses – One in 208.9 emails in March contained malware (an increase of 0.13 percentage points since February 2011)
  • Phishing – One in 252.5 emails comprised a phishing attack (a decrease of 0.07 percentage points since February 2011)
  • Malicious websites – 2,973 web sites blocked per day (a decrease of 27.5% since February 2011)
  • 37.0% of all malicious domains blocked were new in March (a decrease of 1.9 percentage points since February 2011)
  • 24.5% of all web-based malware blocked was new in March (an increase of 4.2 percentage points since February 2011)
  • Global spam volumes drop by one third, as Rustock botnet is dismantled
  • First review of spam-sending botnets in 2011 identified Bagle as most active botnet as Rustock fell silent

SPAM. The Russian Federation became the most frequent source of spam in March, perhaps in large part because a large number of bots for Bagle, Lethic and Maazben are located in this geography.

Country              % of Spam
Russian Federation   12.4%
India                 8.8%
Brazil                5.9%
United States         4.5%
Ukraine               4.4%
Colombia              3.9%
Romania               3.8%
Argentina             2.8%
Vietnam               2.5%
Korea, Republic of    2.5%

Symantec MessageLabs’ table below shows the most frequently blocked email-borne malware for March, much of which takes advantage of malicious hyperlinks. In March, 35.3% of email-borne malware was associated with Bredolab, SpyEye and Zeus variants, a trend initially reported in the MessageLabs Intelligence Report for February 2011.

Malware                          % Malware
Trojan.Bredolab!eml              24.0%
Exploit/SuspLink-7d87            17.1%
W32/Bredolab.gen!eml-19251        4.8%
Trojan.Bredolab                   1.9%
Exploit/SuspLink.dam              1.8%
Exploit/SuspLink-6c7b             1.6%
W32/Bredolab.gen!eml              1.5%
W32/Bredolab!gen-ad91             1.4%
Exploit/LinkAliasPostcard-b354    0.8%
W32/Delf-Generic-ad9e             0.7%

Symantec MessageLabs’ table below shows the malware most frequently blocked targeting endpoint devices for the last month.

Malware             % Malware
W32.Sality.AE       8.3%
Trojan.Gen*         7.7%
Trojan Horse        7.4%
W32.Ramnit!html     5.8%
Trojan.Gen.2*       4.9%
W32.Ramnit.B!inf    4.3%
Trojan.ADH.2        4.3%
Trojan.Bamital      4.3%
W32.Downadup.B      3.9%
Downloader*         3.5%

See the whole Symantec MessageLabs Intelligence Report here.

It is also worth reading the earlier posts on Phishing and the impact on the UK Banks and the Fraud Intelligence Report.
