SlideShare a Scribd company logo

Raport Symantec Malware 2010

Transmix Romania
Transmix Romania

The document provides an intelligence report from MessageLabs with the following key points: - Spam, viruses, and phishing rates from February to March 2020. Rates of spam increased while viruses and phishing decreased slightly. - An analysis of targeted cyber attacks which found many originate from China, Romania, and Cameroon rather than just locations of mail servers. Common targets were those in roles like directors, officials, and managers in areas like Asian policy and trade. - The most common file types in emails were .xls, .doc, and .zip but encrypted .rar files posed the highest risk of containing malware when attached to emails. - The Rustock botnet was sending

Technology
1 of 12
Download to read offline
MESSAGELABS INTELLIGENCE MESSAGELABS INTELLIGENCE MARCH 2010 The Nature of Cyber Espionage; Most Malicious File Types Identified and Encrypted Spam from Rustock Welcome to the March edition of the MessageLabs Intelligence monthly report. This report provides the latest threat trends for March 2010 to keep you informed regarding the ongoing fight against viruses, spam and other unwelcome content. REPORT HIGHLIGHTS  Spam – 90.7% in March (an increase of 1.4 percentage points since February)  Viruses – One in 358.3 emails in March contained malware (a decrease of 0.05 percentage points since February)  Phishing – One in 513.7 emails comprised a phishing attack (a decrease of 0.02 percentage points since February)  Malicious websites – 1,919 websites blocked per day (a decrease of 61.6% since February)  39.9% of all malicious domains blocked were new in March (a decrease of 4.8 percentage points since February)  14.9% of all web-based malware blocked was new in March (an increase of 1.6 percentage points since February)  The nature of industrial espionage and targeted attacks  Understanding the most frequently targeted job roles in targeted attacks  Death by a thousand cuts: Rustock botnet sends more encrypted spam REPORT ANALYSIS The nature of industrial espionage and targeted attacks The ultimate aim of a targeted attack is to gain access to sensitive data or internal systems by targeting specific individuals or companies. They are sent in relatively small volumes compared with spam and phishing emails, for example, but are one of the most damaging email threats. Any organization that possesses sensitive and valuable data can be an attractive target. www.messagelabs.com info@messagelabs.com
MESSAGELABS INTELLIGENCE These messages are frequently business-related, or related to some newsworthy event, from a webmail account or with a spoofed ‘From’ address crafted to appeal to the target, and in some way gives the impression that the attachment contains important information, such as current affairs, meetings, legal documents, agreements or contracts. The danger of targeted attacks is the stealth deployment of malicious code on the recipient’s computer, often hidden within legitimate-looking documents such as .PDF, .DOC, .XLS and .PPT file types. The recipient only has to open the attachment and the computer is compromised. MessageLabs Intelligence conducted an in-depth review of targeted malware in its 2009 Annual Security Report1, which included analysis of the seniority of the recipients often targeted. In March 2010, we took a closer look at the origin of these types of messages to shed some light on the criminal operations behind them. Figure 1 shows the source of targeted attacks based on the source IP address of the sending email server. Note that there are a high proportion of US-based addresses since many of these are webmail services hosted in the United States: Percentage of Percentage of Country of Origin Continent Targeted Attacks Continent Targeted Attacks United States 36.6% N. America 36.8% China 17.8% Asia 32.8% Romania Continent 16.5% Europe Continent 30.3% United Kingdom 10.7% S. America 0.2% Taiwan 10.0% Japan Continent 3.2% Russian Federation 0.8% Cambodia 0.7% France Continent 0.7% OTHER 3.0% Figure 1 – Source of targeted email attacks based on mail server location Figure 2 below, is a visual representation of this same data, where the size of the plot is relative to the percentage of targeted malware sent from that location. Figure 2 – Geographical plot of targeted email attack sources 1 The report may be downloaded freely here: http://www.messagelabs.com/intelligence 2
MESSAGELABS INTELLIGENCE Since many webmail servers are located in the US, we then analyzed the headers of the messages and identified the true IP address of the sender. This provides the IP address of the computer that was used by the sender when the email was composed. A large proportion of targeted attacks are sent from legitimate webmail accounts, and therefore the IP address of the sending mail server is not a useful indicator of the true origin of the attack, as it will only identify the location of the email servers. Most webmail providers include the sender’s IP address in the email headers, as can be seen in figure 3, below. Figure 3 – Example of email headers from legitimate webmail account Different webmail providers include this IP address in a variety of ways that should be understood before extracting that information and identifying the country of origin. Unfortunately, one major webmail provider does not include this information at all, which makes it a favorite to use for some targeted attacks. This is perhaps deliberate so if the cyber criminals know, it will enable them to better cover their tracks. Based on the analysis of the sender’s IP address, rather than just the IP address of the email server, figure 4 shows the true source of many of these targeted attacks: Percentage of Percentage of Country of Origin Continent Targeted Attacks Continent Targeted Attacks China 28.2% Asia 46.6% Romania 21.1% Europe 37.3% United States Continent 13.8% N. America Continent 13.8% Taiwan 12.9% Africa 2.4% United Kingdom 12.0% Japan Continent 4.0% Cameroon 2.2% Korea, Republic of 0.9% Russian Federation Continent 0.9% OTHER 4.2% Figure 4 – Source of targeted email attacks based on sender location Figure 5 below, is a visual representation of this data, where the size of the plot is relative to the percentage of targeted malware sent from that location, based on the location of the sender. 3
MESSAGELABS INTELLIGENCE Figure 5 – Geographical plot of targeted attack sender locations This closer analysis of the data reveals some interesting facts, notably; that more attacks originate from computers located in China, Romania and Cameroon than would first appear when looking solely at the mail server location alone. A comparison of the overall results from the first and second analysis is revealed in figure 6, below. %of Attacks Based on %of Attacks Based on Continent Mail Server Location Continent Sender Location Difference N. America 36.8% 13.8% -23.0% Europe 32.8% 37.3% 4.5% Asia 30.3% Continent 46.6% 16.3% Africa 2.4% S. America 0.2% Figure 6 – Table showing variation between sender location and mail server locations When considering the true location of the sender rather than the location of the email server, fewer attacks are actually sent from North America than it would at first seem. More attacks are sent from addresses based in Europe, but a great deal more is actually sent from addresses in Asia. This shows that most of the attacks that seem to originate from webmail providers based in North America are actually being sent from other locations, including Asia, Europe and Africa. When considering the mail server location, we find 17.8% come from China, but there seem to be a further 10.4% originating from China after further analysis of the sender location in webmail-based attacks (total 28.2% from China). Similarly we find another 4.59% from Romania and 2.22% from Cameroon; these countries become more significant when analyzing the sender location, rather than considering the email server location alone. The city of Shaoxing in China seems to be a major source, accounting for 21.3% of targeted attacks, as is Taipei (16.5%) in Taiwan, and London (14.8%) in the UK. Understanding the most frequently targeted job roles in targeted attacks 4
MESSAGELABS INTELLIGENCE Continuing the theme of targeted malware used in the commission of industrial espionage, bribery or blackmail and reflecting on the research in the MessageLabs Intelligence 2009 Annual Security Report, we reported that 60% of recipients were of a high or medium ranking seniority. It was surprisingly straightforward to identify a great deal of information about the individuals being targeted; the Internet provided plenty of information on around 84% of the individuals in most targeted attacks. The top five most frequently targeted roles can be seen in figure 7. Director Continent 8.7% Senior Official 7.3% Vice President 4.4% Manager Continent 4.3% Executive Director 2.9% Figure 7 – the top five most frequently targeted job roles Furthermore, the most frequently targeted individuals can be described in general terms in figure 8. Expert: A Expert: As ian Defense Policy x Asian Defense f Continent 15.3% Diplomatic Mission 15.2% Expert: International Finance 7.9% A As ian Trade Policy Asian Continent 7.4% Human Rights Activist 7.0% Human Rights Researcher 5.7% A Academic Academic 5.2% Expert: Asian Foreign Policy 5.0% European Musical Events Promoter 4.6% European/As ian /A European/Asian Trade Policy Continent 4.1% Expert: Asian Security 3.4% Expert: Asian Economy 3.0% Expert: A Expert: As ian Policy x Asian Continent 2.9% Expert: International Relations 2.9% Expert: Consumer Policy 2.9% Executive: As ian x v A Conmena Executive: Asian Engineering Companyp Co tin t 2.7% Asian Banker 2.5% Financial Analyst 2.4% Figure 8 – the top five most frequently targeted individuals Identifying the most common malicious file attachments in email-borne malware When emails are passed through Skeptic™2 they are automatically scrutinized and scored according to a variety of different factors. This score is tracked and recorded in the MessageLabs Intelligence data, from which we can analyze the results. Based on the email file attachment data from March 2010, we collected the overall score of the email, including whether or not the file was encrypted. This analysis was focused on files and emails with files attached, and did not include emails that only contained hyperlinks or were without file attachments. Starting with the most commonly seen file types, we ranked each file type by how frequently it was identified in malicious email traffic as a ratio of the total number of emails in which that file type appeared. This provided a measure of how likely a given file extension may be considered as more or less dangerous or malicious, when compared with other file types. 2 For more information about Skeptic: http://www.messagelabs.com/technology/skeptic 5
MESSAGELABS INTELLIGENCE xls 15.4% doc 15.4% zip 11.2% pdf 10.7% exe 6.7% jpg 5.8% ppt 5.2% dll 3.9% xml 3.2% dat 2.4% gif 2.2% html 2.2% swf 1.4% png 1.4% tif 1.3% Other 11.1% Figure 9 - most common file extensions seen in email traffic As can be seen in figure 9, 15.4 % of files attached to emails in March were .XLS and .DOC file types, followed by 11.2% of attachments which were .ZIP files. The top four file types accounted for 50% of files attached to emails, and 17 file extensions accounted for 90% of files attached to emails. It is worth noting that both .ZIP and .RAR file types could be unencrypted, or encrypted. There is more on this to follow, but first we identify the most compromised file attachment types, i.e. which files were blocked as malicious by Skeptic™. As seen in figure 9, the most compromised file extension identified was encrypted .RAR file types (a proprietary compressed archive format), which accounted for approximately 1 in 312 (0.32%) malicious files attached to emails. Although a relatively uncommon file type, it is compromised 96.8% of the time when attached to email. Curiously, unencrypted .RAR files are rarely exploited and occur in 1.1% of mails. Therefore, they are more common than encrypted .RAR, but these are far less likely to be seen in a malicious email. % of files seen that are File type attached to malicious emails % of files attached to emails rar (encrypted) 96.8% 0.3% sys 27.5% 0.3% dll 22C5% 2.5% 22.5%tinent on 3.9% tlb 19.2% 0.3% bin 18.4% 0.9% vbs 17C9% 7.9% 9n 17.9%tinent o 0.2% zip (encrypted) 17.5% 0.1% exe 15.8% 6.7% bat 13C0% 3.0% 0n 13.0%tinent o 0.6% com 12.4% 0.2% Figure 9 - most dangerous email file attachments A variety of other file extensions follow, but they are not compromised as often as encrypted .RAR files. For example, .ZIP files exhibit similar characteristics to .RAR files, where encrypted .ZIP files are much more likely to be attached to a malicious email, than plain .ZIP files. 6
MESSAGELABS INTELLIGENCE The most commonly observed file extensions, including .XLS, .DOC, .ZIP and .PDF are least commonly exploited. Although there are a great number of malicious emails using these file types as attachments, there are far more that are not exploited. Of course, .EXE is the main file extension that is expected to be most alarming when found attached to an email. Executable file types accounted for 6.6% of files attached to email in March, and 15% of the time they were found to be malicious. Death by a thousand cuts - Rustock botnet sending more encrypted spam In March, MessageLabs Intelligence observed that the Rustock botnet had been sending considerably more spam using TLS (Transport Layer Security). Approximately 77% of spam sent from the Rustock botnet used secure TLS connections, during March. TLS is a popular way of sending email through an encrypted channel, rather than sending it in the clear like most emails are sent. MessageLabs Intelligence tracks the use of TLS to determine how much spam is sent over TLS, and which botnets are sending it. Not all mail servers force clients to use TLS, but it is frequently used for securing the communications channel between the client email sender and the email server to which the message is being delivered. It prevents eavesdropping of email traffic that would otherwise be sent in plain sight for anyone else on the network to see if they so wished, perhaps using network analysis tools. However, TLS uses far more server resources and is much slower than a plain-text email; with TLS it takes time and resource to perform the necessary handshake where ciphers are negotiated and encryption keys exchanged and then to encrypt and decrypt the messages. There is a two-way conversation between the sending client computer and receiving email server, requiring both inbound and outbound traffic. In bandwidth terms, this outbound traffic frequently outweighs the size of the spam message itself and can significantly increase the workload being placed on corporate email servers. With corporate email servers coming under more pressure to handle these expensive, but unnecessary TLS connections, it becomes a death by a thousand cuts – on its own the overhead of processing a single spam received with TLS may appear insignificant, but at large volumes, the overall impact can be enormous. The average additional inbound and outbound traffic due to TLS is an overhead of around one kilobyte. Many spam mails are often much lower than one kilobyte in size. Spam using TLS accounted for approximately 20 percent of all spam in March, peaking at approximately 35 percent of spam on March 10. MessageLabs Boundary Encryption service allows clients to provide a secure and authenticated channel over which critical business email communications may be made. Furthermore, as the proportion of spam using TLS increases, the impact to MessageLabs clients will be zero, as the additional encryption overhead will be absorbed by the MessageLabs cloud infrastructure, and not by the client. For more information on this growing trend, please read the full blog post at: www.symantec.com/connect/blogs/death-thousand-cuts-rustock-botnet-sending-more- encrypted-spam. 7 www.messagelabs.com info@messagelabs.com
MESSAGELABS INTELLIGENCE GLOBAL TRENDS & CONTENT ANALYSIS MessageLabs Hosted Email AntiSpam and Hosted Email AntiVirus Services focus on identifying and averting unwanted communications originating from unknown bad sources and which are addressed to valid email recipients. Skeptic™ Anti-Spam Protection: In March 2010, the global ratio of spam in email traffic increased by 1.5 percentage points since February to 90.7% (1 in 1.10 emails). Spam Rate 95.7% Hungary 94.7% Engineering 90.2% 1-250 90.9% 251-500 94.9% Denmark 93.5% Automotive 90.7% 94.7% Italy 94.3% Luxembourg 92.0% Accom/Catering 92.0% Marketing/Media 91.5% 91.0% 1001-1500 501-1000 92.3% 1501-2500 93.2% Austria 91.9% Education 90.6% 2501+ Last Month: 89.4% Six Month Avg.: 86.3% Top 5 Geographies Top 5 Verticals By Horizontal 90.7% 2005 2006 2007 2008 2009 March 2010 The spam level in Hungary rose to 95.7% of email traffic during March, making it the most spammed country. In the US, 91.1% of email was spam and 89.5% in Canada. The spam level in the UK was 90.1%. In The Netherlands, spam accounted for 93.0% of email traffic, 93.1% in Germany and 90.1% in Australia. In Hong Kong, 92.0% of email was blocked as spam and 88.3% in Singapore, compared with 87.5% in Japan and 92.4% in China. In March, the most spammed industry sector with a spam rate of 94.7% was the Engineering sector. Spam levels for the Education sector reached 91.9% and 91.1% for the Chemical & Pharmaceutical sector; 91.6% for IT Services, 91.8% for Retail, 89.1% for Public Sector and 89.5% for Finance. Skeptic™ Anti-Virus and Trojan Protection: The global ratio of email-borne viruses in email traffic was 1 in 358.3 emails (0.28%) in March, a decrease of 0.05 percentage points since February. In March, 16.8% of email-borne malware contained links to malicious websites, a decrease of 13.7 percentage points since February. Virus Rate 1 in 90.9 Taiwan 1 in 77.1 Gov/Public Sec. 1 in 375.0 1-250 1 in 481.0 251-500 1 in 173.9 China 1 in 189.1 Education 1 in 358.3 1 in 213.7 United Kingdom 1 in 260.1 Oman 1 in 301.8 Finance 1 in 321.6 #REF! 1 in 485.6 501-1000 1 in 578.6 1001-1500 1 in 499.6 1501-2500 1 in 287.9 Brazil 1 in 352.5 Non-Profit 1 in 293.5 2501+ Last Month: 1 in 302.8 Six Month Avg.: 1 in 273.8 Top 5 Geographies Top 5 Verticals By Horizontal 1 in 358.3 2005 2006 2007 2008 2009 March 2010 In March, 1 in 90.9 emails destined for Taiwan was blocked as malicious, making the country the most targeted for email-borne malware. The virus levels for malware in email traffic in the US was 1 in 551.4 and 1 in 492.8 for Canada. In Germany virus activity reached 1 in 462.0 8
MESSAGELABS INTELLIGENCE and in The Netherlands was 1 in 834.7. In Australia, 1 in 351.6 emails were malicious and 1 in 505.5 in Hong Kong; for Japan it was 1 in 1,063.3, compared with 1 in 504.1 in Singapore. The Public Sector remained the most targeted industry in March, with 1 in 77.1 emails being blocked as malicious. Virus levels for the Chemical & Pharmaceutical sector were 1 in 642.9 and 1 in 510.9 for the IT Services sector; 1 in 728.6 for Retail, 1 in 189.1 for Education and 1 in 301.8 for Finance. VIRUSNAME Total Trojan.Bredolab!eml 9.0% Exploit/Fraud-AccUpdate 5.5% Exploit/LinkAliasPostcard-2295 4.6% W32/Prolaco-gen-4b33 4.1% Trojan.Bredolab 3.5% W32/NewMalware-Generic-e880-3269 3.4% Exploit/MimeBoundary003 3.2% Packed.Generic.265 3.2% EML/Worm.MS.dam 2.6% Trojan.Bredolab.dam 2.2% Bredolab, a generic malware distribution botnet, accounted for 14.7% of all email-borne malware blocked in March. Bredolab has often been linked with other forms of malware and spyware, including fake security software and other botnet and identity fraud Trojans, such as Zeus, Waledac and Koobface. Bredolab is most frequently found in email-borne malware sent from the Cutwail botnet. Phishing: In March, phishing activity decreased by 0.02 percentage points since February; 1 in 513.7 emails (0.19%) comprised some form of phishing attack. When judged as a proportion of all email-borne threats intercepted in March, including viruses and Trojans, the proportion of phishing emails rose by 8.4 percentage points to 64.6% of all email-borne malware and phishing threats combined. Phishing Rate 1 in 254.8 United Kingdom 1 in 86.4 Gov/Public Sec. 1 in 542.7 1-250 1 in 729.6 251-500 1 in 337.3 Brazil 1 in 250.0 Education 1 in 513.7 1 in 432.2 China 1 in 454.5 Australia 1 in 328.6 Finance 1 in 436.7 Non-Profit 1 in 931.6 1 in 1,018.0 1 in 1,005.2 501-1000 1001-1500 1501-2500 1 in 557.0 Oman 1 in 515.1 Accom/Catering 1 in 388.8 2501+ Last Month: 1 in 456.3 Six Month Avg.: 1 in 418.4 Top 5 Geographies Top 5 Verticals By Horizontal 1 in 513.7 2005 2006 2007 2008 2009 March 2010 The UK received the most phishing emails in March, with 1 in 254.8 emails comprising a phishing attack. Phishing levels for the US were 1 in 981.9 and 1 in 869.3 for Canada. In Germany phishing levels were 1 in 2,506 and 1 in 3,439 in The Netherlands. In Australia, phishing activity accounted for 1 in 454.5 emails and 1 in 3,569 in Hong Kong; for Japan it was 1 in 10,217 and 1 in 4,239 for Singapore. The Public Sector continued at the top of the table with 1 in 86.4 emails comprising a phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 1,403 and 1 in 1,386 for the IT Services sector; 1 in 1,160 for Retail, 1 in 250.0 for Education and 1 in 328.6 for Finance. 9
MESSAGELABS INTELLIGENCE Skeptic™ Web Security Version 2.0: The most common trigger for policy-based filtering applied by the MessageLabs Hosted Web Security Service for its business clients was the “Advertisements & Popups” category, down by 1.6 percentage points since February, to 52.8% in March. The blocking of Unclassified websites increased by 0.82 percentage points, the largest rise in any category. The Unclassified category identifies new and previously uncategorized websites. While these websites can be used for disreputable purposes, such as hosting phishing and spam sites, they may also be new sites and domains set up by legitimate organizations in the process of being categorized. Customers are able to adopt a more flexible approach to how these websites are treated, since all content downloaded is scanned for malware by a unique combination of commercial anti-virus engines and Skeptic technology. This ensures that customers do not need to have a default block on these sites to maintain security, as may otherwise be the case. Web Security Services (Version 2.0) Activity: Policy-Based Filtering Web Viruses and Trojans Potentially Unwanted Programs Advertisements & Popups 52.8% Trojan-Downloader.JS.Gumblar.x 11.1% PUP:NetTool.Win32.Proxy.g 79.8% Streaming Media 9.5% Trojan.Zbot!gen2 8.6% PUP:WebToolbar.Win32.MyWebSea... 6.7% Unclassified 4.4% New Unclassified Trojan 6.4% PUP:ZangoSearch 3.0% Downloads 4.0% Trojan.JS.Agent.bfy 4.7% PUP:AdWare.Win32.Zwangi.ji 1.9% Games 3.7% Trojan-Downloader.JS.Gumblar.a 3.0% PUP:AdWare.Win32.FunWeb.ar 1.4% Search Engines 3.7% Trojan-Clicker.JS.Iframe.ea 2.7% PUP:AdWare.Win32.Zwangi.jo 0.9% Personals & Dating 3.0% Blogs & Forums 2.7% Trojan.JS.Iframe.ik 2.5% PUP:CWSIEFeats 0.5% Computing & Internet 2.4% Trojan-Clicker.JS.Agent.ma 2.3% PUP:NetTool.Win32.ProxySwitcher.d 0.4% Adult/Sexually Explicit 2.1% New Unclassified Worm 2.1% PUP:AdWare.Win32.Zwangi.m 0.3% Chat 1.9% Exploit/Phishing-hmrc-ee11 2.1% PUP:RiskTool.Win32.MBRFix.a 0.2% March 2010 MessageLabs Intelligence identified an average of 1,919 websites each day harboring malware and other potentially unwanted programs including spyware and adware; a decrease of 61.6% since February, when the number of blocked malicious websites surged by 184%, but an increase of 9% since January. Further analysis also reveals that 39.9% of all malicious domains blocked were new in March; a decrease of 4.8 percentage points since February. Additionally, 14.9% of all web-based malware blocked was new in March; an increase of 1.6 percentage points since the previous month. The chart below shows the increase in the number of new spyware and adware websites blocked each day on average during March compared with the equivalent number of web- based malware websites blocked each day. Web Security Services (Version 2.0) Activity: 6,000 New Malware Sites per Day New sites with 5,000 web viruses New sites with spyware 565/day 4,000 New sites with web viruses 1,354/day 3,000 Total 1,919/day 2,000 1,000 New sites with spyware - J F M A M J J A S O N D J F M A M J J A S O N D J F M March 2010 10
MESSAGELABS INTELLIGENCE TRAFFIC MANAGEMENT Traffic Management continues to reduce the overall message volume through techniques operating at the protocol level. Unwanted senders are identified and connections to the mail server are slowed down using features embedded in the TCP protocol. Incoming volumes of known spam are significantly slowed, while ensuring legitimate email is expedited. In March, MessageLabs services processed an average of 12.3 billion SMTP connections per day, of which 61.0% were throttled back as a result of traffic management controls for traffic that was unequivocally malicious or unwanted. The remainder of these connections was subsequently processed by MessageLabs Connection Management controls and Skeptic™. Dropped at stage 61.0% Traffic management Known Bad Messages 56.7% Connection management Dropped 6.6% User management 0.3% Skeptic Anti-virus Malware and Spam 41.4% Skeptic Anti-spam Quarantined Good Mail Delivered Clean mail delivered to clients Connection Management Connection Management is particularly effective in stopping directory harvest, brute force and email denial of service attacks, where unwanted senders send high volumes of messages to force spam into an organization or disrupt business communications. Connection Management works at the SMTP level using techniques that verify legitimate connections to the mail server, using SMTP Validation techniques. It is able to identify unwanted email originating from known spam and virus sending sources, where the source can unequivocally be identified as an open proxy or a botnet, and rejects the connection accordingly. In March, an average of 56.7% of inbound messages was intercepted from botnets and other known malicious sources and rejected as a consequence. User Management User Management uses Registered User Address Validation techniques to reduce the overall volume of emails for registered domains, by discarding connections for which the recipient addresses are identified as invalid or non-existent. In March, an average of 6.6% of inbound messages was identified as invalid; these were attempted directory attacks upon domains that were therefore prevented. 11
MESSAGELABS INTELLIGENCE About MessageLabs Intelligence MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence publishes a range of information on global security threats based on live data feeds from more than 14 data centers around the world scanning billions of messages and web pages each week. MessageLabs Team Skeptic™ comprises many world-renowned malware and spam experts, who have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day on behalf of 30,000 clients in more than 100 countries. More information is available at www.messagelabs.com/intelligence. About Symantec Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com. Copyright © 2010 Symantec Corporation. All Rights Reserved. Symantec, the Symantec Logo and MessageLabs are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. NO WARRANTY. The information contained in this report is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. This report may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043. 12 www.messagelabs.com info@messagelabs.com

Recommended

Avg community powered threat report q2 2011
Avg community powered threat report q2 2011Avg community powered threat report q2 2011
Avg community powered threat report q2 2011
AVG Technologies
 
Spam and Phishing Report - Marzo 2010
Spam and Phishing Report - Marzo 2010Spam and Phishing Report - Marzo 2010
Spam and Phishing Report - Marzo 2010
Symantec Italia
 
Symantec message labs intelligence final 2010
Symantec message labs intelligence final 2010Symantec message labs intelligence final 2010
Symantec message labs intelligence final 2010
Retelur Marketing
 
MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017
Jermund Ottermo
 
14 cyber threats
14 cyber threats14 cyber threats
14 cyber threats
mahesh43211
 
Symantec Report On Rogue Security Software
Symantec Report On Rogue Security SoftwareSymantec Report On Rogue Security Software
Symantec Report On Rogue Security Software
Symantec
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revista
the_ro0t
 
M86 security predictions 2011
M86 security predictions 2011M86 security predictions 2011
M86 security predictions 2011
subramanian K
 

Recommended

Avg community powered threat report q2 2011
Avg community powered threat report q2 2011Avg community powered threat report q2 2011
Avg community powered threat report q2 2011
AVG Technologies
 
Spam and Phishing Report - Marzo 2010
Spam and Phishing Report - Marzo 2010Spam and Phishing Report - Marzo 2010
Spam and Phishing Report - Marzo 2010
Symantec Italia
 
Symantec message labs intelligence final 2010
Symantec message labs intelligence final 2010Symantec message labs intelligence final 2010
Symantec message labs intelligence final 2010
Retelur Marketing
 
MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017
Jermund Ottermo
 
14 cyber threats
14 cyber threats14 cyber threats
14 cyber threats
mahesh43211
 
Symantec Report On Rogue Security Software
Symantec Report On Rogue Security SoftwareSymantec Report On Rogue Security Software
Symantec Report On Rogue Security Software
Symantec
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revista
the_ro0t
 
M86 security predictions 2011
M86 security predictions 2011M86 security predictions 2011
M86 security predictions 2011
subramanian K
 
Cybersecurity awesome mix vol. II
Cybersecurity awesome mix vol. IICybersecurity awesome mix vol. II
Cybersecurity awesome mix vol. II
ITrust - Cybersecurity as a Service
 
FireEye Advanced Threat Report
FireEye Advanced Threat ReportFireEye Advanced Threat Report
FireEye Advanced Threat Report
FireEye, Inc.
 
0926182320 Sophos[1]
0926182320 Sophos[1]0926182320 Sophos[1]
0926182320 Sophos[1]
guest043f27
 
Top Cyber Threats of 2009
Top Cyber Threats of 2009Top Cyber Threats of 2009
Top Cyber Threats of 2009
Symantec
 
Hacking 10 2010
Hacking 10 2010Hacking 10 2010
Hacking 10 2010
Felipe Prado
 
Avast Q1 Security Report 2015
Avast Q1 Security Report 2015Avast Q1 Security Report 2015
Avast Q1 Security Report 2015
Avast
 
Artificial Intelligence powered malware - A Smart virus
Artificial Intelligence powered malware - A Smart virusArtificial Intelligence powered malware - A Smart virus
Artificial Intelligence powered malware - A Smart virus
Stig-Arne Kristoffersen
 
Secure the lamp application stack
Secure the lamp application stackSecure the lamp application stack
Secure the lamp application stack
Johann-Peter Hartmann
 
Ratzan2
Ratzan2Ratzan2
Ratzan2
MAFANTIRI SELLO
 
RSA - Behind the scenes of a fake token mobile app operation
RSA - Behind the scenes of a fake token mobile app operationRSA - Behind the scenes of a fake token mobile app operation
RSA - Behind the scenes of a fake token mobile app operation
juan_h
 
Facebook Attacks - an in-depth analysis
Facebook Attacks - an in-depth analysisFacebook Attacks - an in-depth analysis
Facebook Attacks - an in-depth analysis
Cyren, Inc
 
Mimecast Threat Report
Mimecast Threat ReportMimecast Threat Report
Mimecast Threat Report
Chris Hewitt
 
Thane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentationThane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentation
Jeff Zahn
 
Ratzan2
Ratzan2Ratzan2
Ratzan2
haneefvf1
 
An Introduction to E-Mail Security and Fraud
An Introduction to E-Mail Security and FraudAn Introduction to E-Mail Security and Fraud
An Introduction to E-Mail Security and Fraud
DR.P.S.JAGADEESH KUMAR
 
Security News bytes October 2013
Security News bytes October 2013Security News bytes October 2013
Security News bytes October 2013
n|u - The Open Security Community
 
A Probabilistic Approach Using Poisson Process for Detecting the Existence of...
A Probabilistic Approach Using Poisson Process for Detecting the Existence of...A Probabilistic Approach Using Poisson Process for Detecting the Existence of...
A Probabilistic Approach Using Poisson Process for Detecting the Existence of...
theijes
 
2012 February Symantec Intelligence Report
2012 February Symantec Intelligence Report2012 February Symantec Intelligence Report
2012 February Symantec Intelligence Report
Symantec
 
Solomo slides
Solomo slidesSolomo slides
Solomo slides
禹勝 丁
 
Symantec Physhing Report Aprile 2009
Symantec Physhing Report Aprile 2009Symantec Physhing Report Aprile 2009
Symantec Physhing Report Aprile 2009
Freedata Labs
 
Alcoolismul și yoga
Alcoolismul și yogaAlcoolismul și yoga
Alcoolismul și yoga
Transmix Romania
 
Octavio ocampo
Octavio ocampoOctavio ocampo
Octavio ocampo
Transmix Romania
 

More Related Content

What's hot

Facebook Attacks - an in-depth analysis
Facebook Attacks - an in-depth analysisFacebook Attacks - an in-depth analysis
Facebook Attacks - an in-depth analysis
Cyren, Inc
 
Mimecast Threat Report
Mimecast Threat ReportMimecast Threat Report
Mimecast Threat Report
Chris Hewitt
 
Symantec Physhing Report Aprile 2009
Symantec Physhing Report Aprile 2009Symantec Physhing Report Aprile 2009
Symantec Physhing Report Aprile 2009
Freedata Labs
 

What's hot (20)

Cybersecurity awesome mix vol. II
Cybersecurity awesome mix vol. IICybersecurity awesome mix vol. II
Cybersecurity awesome mix vol. II
 
FireEye Advanced Threat Report
FireEye Advanced Threat ReportFireEye Advanced Threat Report
FireEye Advanced Threat Report
 
0926182320 Sophos[1]
0926182320 Sophos[1]0926182320 Sophos[1]
0926182320 Sophos[1]
 
Top Cyber Threats of 2009
Top Cyber Threats of 2009Top Cyber Threats of 2009
Top Cyber Threats of 2009
 
Hacking 10 2010
Hacking 10 2010Hacking 10 2010
Hacking 10 2010
 
Avast Q1 Security Report 2015
Avast Q1 Security Report 2015Avast Q1 Security Report 2015
Avast Q1 Security Report 2015
 
Artificial Intelligence powered malware - A Smart virus
Artificial Intelligence powered malware - A Smart virusArtificial Intelligence powered malware - A Smart virus
Artificial Intelligence powered malware - A Smart virus
 
Secure the lamp application stack
Secure the lamp application stackSecure the lamp application stack
Secure the lamp application stack
 
Ratzan2
Ratzan2Ratzan2
Ratzan2
 
RSA - Behind the scenes of a fake token mobile app operation
RSA - Behind the scenes of a fake token mobile app operationRSA - Behind the scenes of a fake token mobile app operation
RSA - Behind the scenes of a fake token mobile app operation
 
Facebook Attacks - an in-depth analysis
Facebook Attacks - an in-depth analysisFacebook Attacks - an in-depth analysis
Facebook Attacks - an in-depth analysis
 
Mimecast Threat Report
Mimecast Threat ReportMimecast Threat Report
Mimecast Threat Report
 
Thane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentationThane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentation
 
Ratzan2
Ratzan2Ratzan2
Ratzan2
 
An Introduction to E-Mail Security and Fraud
An Introduction to E-Mail Security and FraudAn Introduction to E-Mail Security and Fraud
An Introduction to E-Mail Security and Fraud
 
Security News bytes October 2013
Security News bytes October 2013Security News bytes October 2013
Security News bytes October 2013
 
A Probabilistic Approach Using Poisson Process for Detecting the Existence of...
A Probabilistic Approach Using Poisson Process for Detecting the Existence of...A Probabilistic Approach Using Poisson Process for Detecting the Existence of...
A Probabilistic Approach Using Poisson Process for Detecting the Existence of...
 
2012 February Symantec Intelligence Report
2012 February Symantec Intelligence Report2012 February Symantec Intelligence Report
2012 February Symantec Intelligence Report
 
Solomo slides
Solomo slidesSolomo slides
Solomo slides
 
Symantec Physhing Report Aprile 2009
Symantec Physhing Report Aprile 2009Symantec Physhing Report Aprile 2009
Symantec Physhing Report Aprile 2009
 

Viewers also liked

50879305 john-piper-nu-ti-risipi-viata
50879305 john-piper-nu-ti-risipi-viata50879305 john-piper-nu-ti-risipi-viata
50879305 john-piper-nu-ti-risipi-viata
Iulian Dana
 
Contribuabilul român 2010
Contribuabilul român 2010Contribuabilul român 2010
Contribuabilul român 2010
Transmix Romania
 
Medicina traditionala indiana
Medicina traditionala indianaMedicina traditionala indiana
Medicina traditionala indiana
Codrut Tutu
 
Sport si sanatate
Sport si sanatateSport si sanatate
Sport si sanatate
Xbook
 
Coduri partea 1
Coduri partea 1Coduri partea 1
Coduri partea 1
lecca vera
 

Viewers also liked (20)

Alcoolismul și yoga
Alcoolismul și yogaAlcoolismul și yoga
Alcoolismul și yoga
 
Octavio ocampo
Octavio ocampoOctavio ocampo
Octavio ocampo
 
50879305 john-piper-nu-ti-risipi-viata
50879305 john-piper-nu-ti-risipi-viata50879305 john-piper-nu-ti-risipi-viata
50879305 john-piper-nu-ti-risipi-viata
 
Ce bei si ce mananci ant
Ce bei si ce mananci antCe bei si ce mananci ant
Ce bei si ce mananci ant
 
Contribuabilul român 2010
Contribuabilul român 2010Contribuabilul român 2010
Contribuabilul român 2010
 
Medicina traditionala indiana
Medicina traditionala indianaMedicina traditionala indiana
Medicina traditionala indiana
 
afacere superonline
afacere superonlineafacere superonline
afacere superonline
 
Intrebari inainte de adoptie
Intrebari inainte de adoptieIntrebari inainte de adoptie
Intrebari inainte de adoptie
 
Stima de sine
Stima de sineStima de sine
Stima de sine
 
Interviu SuperBebe Cristina Spatar SOS Infertilitatea
Interviu SuperBebe Cristina Spatar SOS InfertilitateaInterviu SuperBebe Cristina Spatar SOS Infertilitatea
Interviu SuperBebe Cristina Spatar SOS Infertilitatea
 
Comunicat presa media briefing adoptie 2016
Comunicat presa media briefing adoptie 2016Comunicat presa media briefing adoptie 2016
Comunicat presa media briefing adoptie 2016
 
Discurs Sandie Blanchet media briefing adoptii
Discurs Sandie Blanchet media briefing adoptiiDiscurs Sandie Blanchet media briefing adoptii
Discurs Sandie Blanchet media briefing adoptii
 
Principalele modificari Legea Adoptiei 2016
Principalele modificari Legea Adoptiei 2016Principalele modificari Legea Adoptiei 2016
Principalele modificari Legea Adoptiei 2016
 
Doar 7 zile
Doar 7 zileDoar 7 zile
Doar 7 zile
 
Yoga din prima zi!
Yoga din prima zi!Yoga din prima zi!
Yoga din prima zi!
 
Stresul (dialoguri)
Stresul (dialoguri)Stresul (dialoguri)
Stresul (dialoguri)
 
Sport si sanatate
Sport si sanatateSport si sanatate
Sport si sanatate
 
Coduri partea 1
Coduri partea 1Coduri partea 1
Coduri partea 1
 
79570780 imperfecti-liberi-si-fericiti
79570780 imperfecti-liberi-si-fericiti79570780 imperfecti-liberi-si-fericiti
79570780 imperfecti-liberi-si-fericiti
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI Explainer
 

Similar to Raport Symantec Malware 2010

H1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape ReportH1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape Report
Bitdefender
 
Symantec Intelligence Report - June 2014
Symantec Intelligence Report - June 2014Symantec Intelligence Report - June 2014
Symantec Intelligence Report - June 2014
Symantec
 
What are the biggest threats to a network in terms of security and w.pdf
What are the biggest threats to a network in terms of security and w.pdfWhat are the biggest threats to a network in terms of security and w.pdf
What are the biggest threats to a network in terms of security and w.pdf
info309708
 
Computer viruses and criminal internet business
Computer viruses and criminal internet businessComputer viruses and criminal internet business
Computer viruses and criminal internet business
Andrei Kolesnikov
 
Recipient Activated Malware Diffusion
Recipient Activated Malware DiffusionRecipient Activated Malware Diffusion
Recipient Activated Malware Diffusion
Bruce Fowler
 
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Symantec
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
Kim Jensen
 

Similar to Raport Symantec Malware 2010 (20)

H1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape ReportH1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape Report
 
Oct 2011 Threats Trend Report
Oct 2011 Threats Trend ReportOct 2011 Threats Trend Report
Oct 2011 Threats Trend Report
 
Network Threats
Network ThreatsNetwork Threats
Network Threats
 
RSA Monthly Online Fraud Report -- August 2013
RSA Monthly Online Fraud Report -- August 2013RSA Monthly Online Fraud Report -- August 2013
RSA Monthly Online Fraud Report -- August 2013
 
100812 internet security2.0
100812 internet security2.0100812 internet security2.0
100812 internet security2.0
 
Analysis of rxbot
Analysis of rxbotAnalysis of rxbot
Analysis of rxbot
 
Symantec Intelligence Report - June 2014
Symantec Intelligence Report - June 2014Symantec Intelligence Report - June 2014
Symantec Intelligence Report - June 2014
 
Spam Morphs from a Nuisance to a Threat
Spam Morphs from a Nuisance to a ThreatSpam Morphs from a Nuisance to a Threat
Spam Morphs from a Nuisance to a Threat
 
An Advanced persistent threats
An Advanced persistent threatsAn Advanced persistent threats
An Advanced persistent threats
 
What are the biggest threats to a network in terms of security and w.pdf
What are the biggest threats to a network in terms of security and w.pdfWhat are the biggest threats to a network in terms of security and w.pdf
What are the biggest threats to a network in terms of security and w.pdf
 
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
 
Internet threats and defence mechanism
Internet threats and defence mechanismInternet threats and defence mechanism
Internet threats and defence mechanism
 
Computer viruses and criminal internet business
Computer viruses and criminal internet businessComputer viruses and criminal internet business
Computer viruses and criminal internet business
 
Recipient Activated Malware Diffusion
Recipient Activated Malware DiffusionRecipient Activated Malware Diffusion
Recipient Activated Malware Diffusion
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Microsoft security intelligence_report_regional_threat_assessment_romania
Microsoft security intelligence_report_regional_threat_assessment_romaniaMicrosoft security intelligence_report_regional_threat_assessment_romania
Microsoft security intelligence_report_regional_threat_assessment_romania
 
Security Trends to Watch in 2010 - A Mid-Year Status Check
Security Trends to Watch in 2010 - A Mid-Year Status Check Security Trends to Watch in 2010 - A Mid-Year Status Check
Security Trends to Watch in 2010 - A Mid-Year Status Check
 
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
 
SECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURESSECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURES
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
 

More from Transmix Romania

Vorbe ale unor oameni mari...
Vorbe ale unor oameni mari...Vorbe ale unor oameni mari...
Vorbe ale unor oameni mari...
Transmix Romania
 
Un loc unic pe terra – dealurile multicolore
Un loc unic pe terra – dealurile multicoloreUn loc unic pe terra – dealurile multicolore
Un loc unic pe terra – dealurile multicolore
Transmix Romania
 
Top 10 hoteluri neobisnuite
Top 10 hoteluri neobisnuiteTop 10 hoteluri neobisnuite
Top 10 hoteluri neobisnuite
Transmix Romania
 
Piscina la peste 150 metri inaltime
Piscina la peste 150 metri inaltimePiscina la peste 150 metri inaltime
Piscina la peste 150 metri inaltime
Transmix Romania
 
Peisaje naturale uimitoare
Peisaje naturale uimitoarePeisaje naturale uimitoare
Peisaje naturale uimitoare
Transmix Romania
 
Lucruri care te fac sa spui
Lucruri care te fac sa spuiLucruri care te fac sa spui
Lucruri care te fac sa spui
Transmix Romania
 
Istoria modelelor mercedes benz
Istoria modelelor mercedes benzIstoria modelelor mercedes benz
Istoria modelelor mercedes benz
Transmix Romania
 
Inconjurul lumii... pe la bucatarie
Inconjurul lumii... pe la bucatarieInconjurul lumii... pe la bucatarie
Inconjurul lumii... pe la bucatarie
Transmix Romania
 
Dezavantajele capitalismului
Dezavantajele capitalismuluiDezavantajele capitalismului
Dezavantajele capitalismului
Transmix Romania
 
De ce sunt evreii atat de puternici
De ce sunt evreii atat de puterniciDe ce sunt evreii atat de puternici
De ce sunt evreii atat de puternici
Transmix Romania
 
Cei si cele mai mari vreodata
Cei si cele mai mari vreodataCei si cele mai mari vreodata
Cei si cele mai mari vreodata
Transmix Romania
 

More from Transmix Romania (20)

Lucruri neinventate
Lucruri neinventateLucruri neinventate
Lucruri neinventate
 
Vorbe ale unor oameni mari...
Vorbe ale unor oameni mari...Vorbe ale unor oameni mari...
Vorbe ale unor oameni mari...
 
Un loc unic pe terra – dealurile multicolore
Un loc unic pe terra – dealurile multicoloreUn loc unic pe terra – dealurile multicolore
Un loc unic pe terra – dealurile multicolore
 
Top 10 hoteluri neobisnuite
Top 10 hoteluri neobisnuiteTop 10 hoteluri neobisnuite
Top 10 hoteluri neobisnuite
 
Titanic 1912
Titanic 1912Titanic 1912
Titanic 1912
 
Piscina la peste 150 metri inaltime
Piscina la peste 150 metri inaltimePiscina la peste 150 metri inaltime
Piscina la peste 150 metri inaltime
 
Peisaje naturale uimitoare
Peisaje naturale uimitoarePeisaje naturale uimitoare
Peisaje naturale uimitoare
 
Lucruri care te fac sa spui
Lucruri care te fac sa spuiLucruri care te fac sa spui
Lucruri care te fac sa spui
 
Istoria modelelor mercedes benz
Istoria modelelor mercedes benzIstoria modelelor mercedes benz
Istoria modelelor mercedes benz
 
Inconjurul lumii... pe la bucatarie
Inconjurul lumii... pe la bucatarieInconjurul lumii... pe la bucatarie
Inconjurul lumii... pe la bucatarie
 
Hiroshima dupa 64 de ani
Hiroshima dupa 64 de aniHiroshima dupa 64 de ani
Hiroshima dupa 64 de ani
 
Garaje superbe
Garaje superbeGaraje superbe
Garaje superbe
 
Frumusetea matematicii
Frumusetea matematiciiFrumusetea matematicii
Frumusetea matematicii
 
Diferente vest est
Diferente vest estDiferente vest est
Diferente vest est
 
Dezavantajele capitalismului
Dezavantajele capitalismuluiDezavantajele capitalismului
Dezavantajele capitalismului
 
De ce sunt evreii atat de puternici
De ce sunt evreii atat de puterniciDe ce sunt evreii atat de puternici
De ce sunt evreii atat de puternici
 
Cei si cele mai mari vreodata
Cei si cele mai mari vreodataCei si cele mai mari vreodata
Cei si cele mai mari vreodata
 
Calendarul pentru medici
Calendarul pentru mediciCalendarul pentru medici
Calendarul pentru medici
 
Bugatti galibier ro
Bugatti galibier roBugatti galibier ro
Bugatti galibier ro
 
Bruno catalono ro
Bruno catalono roBruno catalono ro
Bruno catalono ro
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Raport Symantec Malware 2010

  • 1. MESSAGELABS INTELLIGENCE MESSAGELABS INTELLIGENCE MARCH 2010 The Nature of Cyber Espionage; Most Malicious File Types Identified and Encrypted Spam from Rustock Welcome to the March edition of the MessageLabs Intelligence monthly report. This report provides the latest threat trends for March 2010 to keep you informed regarding the ongoing fight against viruses, spam and other unwelcome content. REPORT HIGHLIGHTS  Spam – 90.7% in March (an increase of 1.4 percentage points since February)  Viruses – One in 358.3 emails in March contained malware (a decrease of 0.05 percentage points since February)  Phishing – One in 513.7 emails comprised a phishing attack (a decrease of 0.02 percentage points since February)  Malicious websites – 1,919 websites blocked per day (a decrease of 61.6% since February)  39.9% of all malicious domains blocked were new in March (a decrease of 4.8 percentage points since February)  14.9% of all web-based malware blocked was new in March (an increase of 1.6 percentage points since February)  The nature of industrial espionage and targeted attacks  Understanding the most frequently targeted job roles in targeted attacks  Death by a thousand cuts: Rustock botnet sends more encrypted spam REPORT ANALYSIS The nature of industrial espionage and targeted attacks The ultimate aim of a targeted attack is to gain access to sensitive data or internal systems by targeting specific individuals or companies. They are sent in relatively small volumes compared with spam and phishing emails, for example, but are one of the most damaging email threats. Any organization that possesses sensitive and valuable data can be an attractive target. www.messagelabs.com info@messagelabs.com
  • 2. MESSAGELABS INTELLIGENCE These messages are frequently business-related, or related to some newsworthy event, from a webmail account or with a spoofed ‘From’ address crafted to appeal to the target, and in some way gives the impression that the attachment contains important information, such as current affairs, meetings, legal documents, agreements or contracts. The danger of targeted attacks is the stealth deployment of malicious code on the recipient’s computer, often hidden within legitimate-looking documents such as .PDF, .DOC, .XLS and .PPT file types. The recipient only has to open the attachment and the computer is compromised. MessageLabs Intelligence conducted an in-depth review of targeted malware in its 2009 Annual Security Report1, which included analysis of the seniority of the recipients often targeted. In March 2010, we took a closer look at the origin of these types of messages to shed some light on the criminal operations behind them. Figure 1 shows the source of targeted attacks based on the source IP address of the sending email server. Note that there are a high proportion of US-based addresses since many of these are webmail services hosted in the United States: Percentage of Percentage of Country of Origin Continent Targeted Attacks Continent Targeted Attacks United States 36.6% N. America 36.8% China 17.8% Asia 32.8% Romania Continent 16.5% Europe Continent 30.3% United Kingdom 10.7% S. America 0.2% Taiwan 10.0% Japan Continent 3.2% Russian Federation 0.8% Cambodia 0.7% France Continent 0.7% OTHER 3.0% Figure 1 – Source of targeted email attacks based on mail server location Figure 2 below, is a visual representation of this same data, where the size of the plot is relative to the percentage of targeted malware sent from that location. Figure 2 – Geographical plot of targeted email attack sources 1 The report may be downloaded freely here: http://www.messagelabs.com/intelligence 2
  • 3. MESSAGELABS INTELLIGENCE Since many webmail servers are located in the US, we then analyzed the headers of the messages and identified the true IP address of the sender. This provides the IP address of the computer that was used by the sender when the email was composed. A large proportion of targeted attacks are sent from legitimate webmail accounts, and therefore the IP address of the sending mail server is not a useful indicator of the true origin of the attack, as it will only identify the location of the email servers. Most webmail providers include the sender’s IP address in the email headers, as can be seen in figure 3, below. Figure 3 – Example of email headers from legitimate webmail account Different webmail providers include this IP address in a variety of ways that should be understood before extracting that information and identifying the country of origin. Unfortunately, one major webmail provider does not include this information at all, which makes it a favorite to use for some targeted attacks. This is perhaps deliberate so if the cyber criminals know, it will enable them to better cover their tracks. Based on the analysis of the sender’s IP address, rather than just the IP address of the email server, figure 4 shows the true source of many of these targeted attacks: Percentage of Percentage of Country of Origin Continent Targeted Attacks Continent Targeted Attacks China 28.2% Asia 46.6% Romania 21.1% Europe 37.3% United States Continent 13.8% N. America Continent 13.8% Taiwan 12.9% Africa 2.4% United Kingdom 12.0% Japan Continent 4.0% Cameroon 2.2% Korea, Republic of 0.9% Russian Federation Continent 0.9% OTHER 4.2% Figure 4 – Source of targeted email attacks based on sender location Figure 5 below, is a visual representation of this data, where the size of the plot is relative to the percentage of targeted malware sent from that location, based on the location of the sender. 3
  • 4. MESSAGELABS INTELLIGENCE Figure 5 – Geographical plot of targeted attack sender locations This closer analysis of the data reveals some interesting facts, notably; that more attacks originate from computers located in China, Romania and Cameroon than would first appear when looking solely at the mail server location alone. A comparison of the overall results from the first and second analysis is revealed in figure 6, below. %of Attacks Based on %of Attacks Based on Continent Mail Server Location Continent Sender Location Difference N. America 36.8% 13.8% -23.0% Europe 32.8% 37.3% 4.5% Asia 30.3% Continent 46.6% 16.3% Africa 2.4% S. America 0.2% Figure 6 – Table showing variation between sender location and mail server locations When considering the true location of the sender rather than the location of the email server, fewer attacks are actually sent from North America than it would at first seem. More attacks are sent from addresses based in Europe, but a great deal more is actually sent from addresses in Asia. This shows that most of the attacks that seem to originate from webmail providers based in North America are actually being sent from other locations, including Asia, Europe and Africa. When considering the mail server location, we find 17.8% come from China, but there seem to be a further 10.4% originating from China after further analysis of the sender location in webmail-based attacks (total 28.2% from China). Similarly we find another 4.59% from Romania and 2.22% from Cameroon; these countries become more significant when analyzing the sender location, rather than considering the email server location alone. The city of Shaoxing in China seems to be a major source, accounting for 21.3% of targeted attacks, as is Taipei (16.5%) in Taiwan, and London (14.8%) in the UK. Understanding the most frequently targeted job roles in targeted attacks 4
  • 5. MESSAGELABS INTELLIGENCE Continuing the theme of targeted malware used in the commission of industrial espionage, bribery or blackmail and reflecting on the research in the MessageLabs Intelligence 2009 Annual Security Report, we reported that 60% of recipients were of a high or medium ranking seniority. It was surprisingly straightforward to identify a great deal of information about the individuals being targeted; the Internet provided plenty of information on around 84% of the individuals in most targeted attacks. The top five most frequently targeted roles can be seen in figure 7. Director Continent 8.7% Senior Official 7.3% Vice President 4.4% Manager Continent 4.3% Executive Director 2.9% Figure 7 – the top five most frequently targeted job roles Furthermore, the most frequently targeted individuals can be described in general terms in figure 8. Expert: A Expert: As ian Defense Policy x Asian Defense f Continent 15.3% Diplomatic Mission 15.2% Expert: International Finance 7.9% A As ian Trade Policy Asian Continent 7.4% Human Rights Activist 7.0% Human Rights Researcher 5.7% A Academic Academic 5.2% Expert: Asian Foreign Policy 5.0% European Musical Events Promoter 4.6% European/As ian /A European/Asian Trade Policy Continent 4.1% Expert: Asian Security 3.4% Expert: Asian Economy 3.0% Expert: A Expert: As ian Policy x Asian Continent 2.9% Expert: International Relations 2.9% Expert: Consumer Policy 2.9% Executive: As ian x v A Conmena Executive: Asian Engineering Companyp Co tin t 2.7% Asian Banker 2.5% Financial Analyst 2.4% Figure 8 – the top five most frequently targeted individuals Identifying the most common malicious file attachments in email-borne malware When emails are passed through Skeptic™2 they are automatically scrutinized and scored according to a variety of different factors. This score is tracked and recorded in the MessageLabs Intelligence data, from which we can analyze the results. Based on the email file attachment data from March 2010, we collected the overall score of the email, including whether or not the file was encrypted. This analysis was focused on files and emails with files attached, and did not include emails that only contained hyperlinks or were without file attachments. Starting with the most commonly seen file types, we ranked each file type by how frequently it was identified in malicious email traffic as a ratio of the total number of emails in which that file type appeared. This provided a measure of how likely a given file extension may be considered as more or less dangerous or malicious, when compared with other file types. 2 For more information about Skeptic: http://www.messagelabs.com/technology/skeptic 5
  • 6. MESSAGELABS INTELLIGENCE xls 15.4% doc 15.4% zip 11.2% pdf 10.7% exe 6.7% jpg 5.8% ppt 5.2% dll 3.9% xml 3.2% dat 2.4% gif 2.2% html 2.2% swf 1.4% png 1.4% tif 1.3% Other 11.1% Figure 9 - most common file extensions seen in email traffic As can be seen in figure 9, 15.4 % of files attached to emails in March were .XLS and .DOC file types, followed by 11.2% of attachments which were .ZIP files. The top four file types accounted for 50% of files attached to emails, and 17 file extensions accounted for 90% of files attached to emails. It is worth noting that both .ZIP and .RAR file types could be unencrypted, or encrypted. There is more on this to follow, but first we identify the most compromised file attachment types, i.e. which files were blocked as malicious by Skeptic™. As seen in figure 9, the most compromised file extension identified was encrypted .RAR file types (a proprietary compressed archive format), which accounted for approximately 1 in 312 (0.32%) malicious files attached to emails. Although a relatively uncommon file type, it is compromised 96.8% of the time when attached to email. Curiously, unencrypted .RAR files are rarely exploited and occur in 1.1% of mails. Therefore, they are more common than encrypted .RAR, but these are far less likely to be seen in a malicious email. % of files seen that are File type attached to malicious emails % of files attached to emails rar (encrypted) 96.8% 0.3% sys 27.5% 0.3% dll 22C5% 2.5% 22.5%tinent on 3.9% tlb 19.2% 0.3% bin 18.4% 0.9% vbs 17C9% 7.9% 9n 17.9%tinent o 0.2% zip (encrypted) 17.5% 0.1% exe 15.8% 6.7% bat 13C0% 3.0% 0n 13.0%tinent o 0.6% com 12.4% 0.2% Figure 9 - most dangerous email file attachments A variety of other file extensions follow, but they are not compromised as often as encrypted .RAR files. For example, .ZIP files exhibit similar characteristics to .RAR files, where encrypted .ZIP files are much more likely to be attached to a malicious email, than plain .ZIP files. 6
  • 7. MESSAGELABS INTELLIGENCE The most commonly observed file extensions, including .XLS, .DOC, .ZIP and .PDF are least commonly exploited. Although there are a great number of malicious emails using these file types as attachments, there are far more that are not exploited. Of course, .EXE is the main file extension that is expected to be most alarming when found attached to an email. Executable file types accounted for 6.6% of files attached to email in March, and 15% of the time they were found to be malicious. Death by a thousand cuts - Rustock botnet sending more encrypted spam In March, MessageLabs Intelligence observed that the Rustock botnet had been sending considerably more spam using TLS (Transport Layer Security). Approximately 77% of spam sent from the Rustock botnet used secure TLS connections, during March. TLS is a popular way of sending email through an encrypted channel, rather than sending it in the clear like most emails are sent. MessageLabs Intelligence tracks the use of TLS to determine how much spam is sent over TLS, and which botnets are sending it. Not all mail servers force clients to use TLS, but it is frequently used for securing the communications channel between the client email sender and the email server to which the message is being delivered. It prevents eavesdropping of email traffic that would otherwise be sent in plain sight for anyone else on the network to see if they so wished, perhaps using network analysis tools. However, TLS uses far more server resources and is much slower than a plain-text email; with TLS it takes time and resource to perform the necessary handshake where ciphers are negotiated and encryption keys exchanged and then to encrypt and decrypt the messages. There is a two-way conversation between the sending client computer and receiving email server, requiring both inbound and outbound traffic. In bandwidth terms, this outbound traffic frequently outweighs the size of the spam message itself and can significantly increase the workload being placed on corporate email servers. With corporate email servers coming under more pressure to handle these expensive, but unnecessary TLS connections, it becomes a death by a thousand cuts – on its own the overhead of processing a single spam received with TLS may appear insignificant, but at large volumes, the overall impact can be enormous. The average additional inbound and outbound traffic due to TLS is an overhead of around one kilobyte. Many spam mails are often much lower than one kilobyte in size. Spam using TLS accounted for approximately 20 percent of all spam in March, peaking at approximately 35 percent of spam on March 10. MessageLabs Boundary Encryption service allows clients to provide a secure and authenticated channel over which critical business email communications may be made. Furthermore, as the proportion of spam using TLS increases, the impact to MessageLabs clients will be zero, as the additional encryption overhead will be absorbed by the MessageLabs cloud infrastructure, and not by the client. For more information on this growing trend, please read the full blog post at: www.symantec.com/connect/blogs/death-thousand-cuts-rustock-botnet-sending-more- encrypted-spam. 7 www.messagelabs.com info@messagelabs.com
  • 8. MESSAGELABS INTELLIGENCE GLOBAL TRENDS & CONTENT ANALYSIS MessageLabs Hosted Email AntiSpam and Hosted Email AntiVirus Services focus on identifying and averting unwanted communications originating from unknown bad sources and which are addressed to valid email recipients. Skeptic™ Anti-Spam Protection: In March 2010, the global ratio of spam in email traffic increased by 1.5 percentage points since February to 90.7% (1 in 1.10 emails). Spam Rate 95.7% Hungary 94.7% Engineering 90.2% 1-250 90.9% 251-500 94.9% Denmark 93.5% Automotive 90.7% 94.7% Italy 94.3% Luxembourg 92.0% Accom/Catering 92.0% Marketing/Media 91.5% 91.0% 1001-1500 501-1000 92.3% 1501-2500 93.2% Austria 91.9% Education 90.6% 2501+ Last Month: 89.4% Six Month Avg.: 86.3% Top 5 Geographies Top 5 Verticals By Horizontal 90.7% 2005 2006 2007 2008 2009 March 2010 The spam level in Hungary rose to 95.7% of email traffic during March, making it the most spammed country. In the US, 91.1% of email was spam and 89.5% in Canada. The spam level in the UK was 90.1%. In The Netherlands, spam accounted for 93.0% of email traffic, 93.1% in Germany and 90.1% in Australia. In Hong Kong, 92.0% of email was blocked as spam and 88.3% in Singapore, compared with 87.5% in Japan and 92.4% in China. In March, the most spammed industry sector with a spam rate of 94.7% was the Engineering sector. Spam levels for the Education sector reached 91.9% and 91.1% for the Chemical & Pharmaceutical sector; 91.6% for IT Services, 91.8% for Retail, 89.1% for Public Sector and 89.5% for Finance. Skeptic™ Anti-Virus and Trojan Protection: The global ratio of email-borne viruses in email traffic was 1 in 358.3 emails (0.28%) in March, a decrease of 0.05 percentage points since February. In March, 16.8% of email-borne malware contained links to malicious websites, a decrease of 13.7 percentage points since February. Virus Rate 1 in 90.9 Taiwan 1 in 77.1 Gov/Public Sec. 1 in 375.0 1-250 1 in 481.0 251-500 1 in 173.9 China 1 in 189.1 Education 1 in 358.3 1 in 213.7 United Kingdom 1 in 260.1 Oman 1 in 301.8 Finance 1 in 321.6 #REF! 1 in 485.6 501-1000 1 in 578.6 1001-1500 1 in 499.6 1501-2500 1 in 287.9 Brazil 1 in 352.5 Non-Profit 1 in 293.5 2501+ Last Month: 1 in 302.8 Six Month Avg.: 1 in 273.8 Top 5 Geographies Top 5 Verticals By Horizontal 1 in 358.3 2005 2006 2007 2008 2009 March 2010 In March, 1 in 90.9 emails destined for Taiwan was blocked as malicious, making the country the most targeted for email-borne malware. The virus levels for malware in email traffic in the US was 1 in 551.4 and 1 in 492.8 for Canada. In Germany virus activity reached 1 in 462.0 8
  • 9. MESSAGELABS INTELLIGENCE and in The Netherlands was 1 in 834.7. In Australia, 1 in 351.6 emails were malicious and 1 in 505.5 in Hong Kong; for Japan it was 1 in 1,063.3, compared with 1 in 504.1 in Singapore. The Public Sector remained the most targeted industry in March, with 1 in 77.1 emails being blocked as malicious. Virus levels for the Chemical & Pharmaceutical sector were 1 in 642.9 and 1 in 510.9 for the IT Services sector; 1 in 728.6 for Retail, 1 in 189.1 for Education and 1 in 301.8 for Finance. VIRUSNAME Total Trojan.Bredolab!eml 9.0% Exploit/Fraud-AccUpdate 5.5% Exploit/LinkAliasPostcard-2295 4.6% W32/Prolaco-gen-4b33 4.1% Trojan.Bredolab 3.5% W32/NewMalware-Generic-e880-3269 3.4% Exploit/MimeBoundary003 3.2% Packed.Generic.265 3.2% EML/Worm.MS.dam 2.6% Trojan.Bredolab.dam 2.2% Bredolab, a generic malware distribution botnet, accounted for 14.7% of all email-borne malware blocked in March. Bredolab has often been linked with other forms of malware and spyware, including fake security software and other botnet and identity fraud Trojans, such as Zeus, Waledac and Koobface. Bredolab is most frequently found in email-borne malware sent from the Cutwail botnet. Phishing: In March, phishing activity decreased by 0.02 percentage points since February; 1 in 513.7 emails (0.19%) comprised some form of phishing attack. When judged as a proportion of all email-borne threats intercepted in March, including viruses and Trojans, the proportion of phishing emails rose by 8.4 percentage points to 64.6% of all email-borne malware and phishing threats combined. Phishing Rate 1 in 254.8 United Kingdom 1 in 86.4 Gov/Public Sec. 1 in 542.7 1-250 1 in 729.6 251-500 1 in 337.3 Brazil 1 in 250.0 Education 1 in 513.7 1 in 432.2 China 1 in 454.5 Australia 1 in 328.6 Finance 1 in 436.7 Non-Profit 1 in 931.6 1 in 1,018.0 1 in 1,005.2 501-1000 1001-1500 1501-2500 1 in 557.0 Oman 1 in 515.1 Accom/Catering 1 in 388.8 2501+ Last Month: 1 in 456.3 Six Month Avg.: 1 in 418.4 Top 5 Geographies Top 5 Verticals By Horizontal 1 in 513.7 2005 2006 2007 2008 2009 March 2010 The UK received the most phishing emails in March, with 1 in 254.8 emails comprising a phishing attack. Phishing levels for the US were 1 in 981.9 and 1 in 869.3 for Canada. In Germany phishing levels were 1 in 2,506 and 1 in 3,439 in The Netherlands. In Australia, phishing activity accounted for 1 in 454.5 emails and 1 in 3,569 in Hong Kong; for Japan it was 1 in 10,217 and 1 in 4,239 for Singapore. The Public Sector continued at the top of the table with 1 in 86.4 emails comprising a phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 1,403 and 1 in 1,386 for the IT Services sector; 1 in 1,160 for Retail, 1 in 250.0 for Education and 1 in 328.6 for Finance. 9
  • 10. MESSAGELABS INTELLIGENCE Skeptic™ Web Security Version 2.0: The most common trigger for policy-based filtering applied by the MessageLabs Hosted Web Security Service for its business clients was the “Advertisements & Popups” category, down by 1.6 percentage points since February, to 52.8% in March. The blocking of Unclassified websites increased by 0.82 percentage points, the largest rise in any category. The Unclassified category identifies new and previously uncategorized websites. While these websites can be used for disreputable purposes, such as hosting phishing and spam sites, they may also be new sites and domains set up by legitimate organizations in the process of being categorized. Customers are able to adopt a more flexible approach to how these websites are treated, since all content downloaded is scanned for malware by a unique combination of commercial anti-virus engines and Skeptic technology. This ensures that customers do not need to have a default block on these sites to maintain security, as may otherwise be the case. Web Security Services (Version 2.0) Activity: Policy-Based Filtering Web Viruses and Trojans Potentially Unwanted Programs Advertisements & Popups 52.8% Trojan-Downloader.JS.Gumblar.x 11.1% PUP:NetTool.Win32.Proxy.g 79.8% Streaming Media 9.5% Trojan.Zbot!gen2 8.6% PUP:WebToolbar.Win32.MyWebSea... 6.7% Unclassified 4.4% New Unclassified Trojan 6.4% PUP:ZangoSearch 3.0% Downloads 4.0% Trojan.JS.Agent.bfy 4.7% PUP:AdWare.Win32.Zwangi.ji 1.9% Games 3.7% Trojan-Downloader.JS.Gumblar.a 3.0% PUP:AdWare.Win32.FunWeb.ar 1.4% Search Engines 3.7% Trojan-Clicker.JS.Iframe.ea 2.7% PUP:AdWare.Win32.Zwangi.jo 0.9% Personals & Dating 3.0% Blogs & Forums 2.7% Trojan.JS.Iframe.ik 2.5% PUP:CWSIEFeats 0.5% Computing & Internet 2.4% Trojan-Clicker.JS.Agent.ma 2.3% PUP:NetTool.Win32.ProxySwitcher.d 0.4% Adult/Sexually Explicit 2.1% New Unclassified Worm 2.1% PUP:AdWare.Win32.Zwangi.m 0.3% Chat 1.9% Exploit/Phishing-hmrc-ee11 2.1% PUP:RiskTool.Win32.MBRFix.a 0.2% March 2010 MessageLabs Intelligence identified an average of 1,919 websites each day harboring malware and other potentially unwanted programs including spyware and adware; a decrease of 61.6% since February, when the number of blocked malicious websites surged by 184%, but an increase of 9% since January. Further analysis also reveals that 39.9% of all malicious domains blocked were new in March; a decrease of 4.8 percentage points since February. Additionally, 14.9% of all web-based malware blocked was new in March; an increase of 1.6 percentage points since the previous month. The chart below shows the increase in the number of new spyware and adware websites blocked each day on average during March compared with the equivalent number of web- based malware websites blocked each day. Web Security Services (Version 2.0) Activity: 6,000 New Malware Sites per Day New sites with 5,000 web viruses New sites with spyware 565/day 4,000 New sites with web viruses 1,354/day 3,000 Total 1,919/day 2,000 1,000 New sites with spyware - J F M A M J J A S O N D J F M A M J J A S O N D J F M March 2010 10
  • 11. MESSAGELABS INTELLIGENCE TRAFFIC MANAGEMENT Traffic Management continues to reduce the overall message volume through techniques operating at the protocol level. Unwanted senders are identified and connections to the mail server are slowed down using features embedded in the TCP protocol. Incoming volumes of known spam are significantly slowed, while ensuring legitimate email is expedited. In March, MessageLabs services processed an average of 12.3 billion SMTP connections per day, of which 61.0% were throttled back as a result of traffic management controls for traffic that was unequivocally malicious or unwanted. The remainder of these connections was subsequently processed by MessageLabs Connection Management controls and Skeptic™. Dropped at stage 61.0% Traffic management Known Bad Messages 56.7% Connection management Dropped 6.6% User management 0.3% Skeptic Anti-virus Malware and Spam 41.4% Skeptic Anti-spam Quarantined Good Mail Delivered Clean mail delivered to clients Connection Management Connection Management is particularly effective in stopping directory harvest, brute force and email denial of service attacks, where unwanted senders send high volumes of messages to force spam into an organization or disrupt business communications. Connection Management works at the SMTP level using techniques that verify legitimate connections to the mail server, using SMTP Validation techniques. It is able to identify unwanted email originating from known spam and virus sending sources, where the source can unequivocally be identified as an open proxy or a botnet, and rejects the connection accordingly. In March, an average of 56.7% of inbound messages was intercepted from botnets and other known malicious sources and rejected as a consequence. User Management User Management uses Registered User Address Validation techniques to reduce the overall volume of emails for registered domains, by discarding connections for which the recipient addresses are identified as invalid or non-existent. In March, an average of 6.6% of inbound messages was identified as invalid; these were attempted directory attacks upon domains that were therefore prevented. 11
  • 12. MESSAGELABS INTELLIGENCE About MessageLabs Intelligence MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence publishes a range of information on global security threats based on live data feeds from more than 14 data centers around the world scanning billions of messages and web pages each week. MessageLabs Team Skeptic™ comprises many world-renowned malware and spam experts, who have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day on behalf of 30,000 clients in more than 100 countries. More information is available at www.messagelabs.com/intelligence. About Symantec Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com. Copyright © 2010 Symantec Corporation. All Rights Reserved. Symantec, the Symantec Logo and MessageLabs are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. NO WARRANTY. The information contained in this report is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. This report may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043. 12 www.messagelabs.com info@messagelabs.com