January 2011 Intelligence Report

Symantec.cloud MessageLabs Intelligence
Rustock's Respite and Diminishing Spam; Balance of Power Shifts in Pharmaceutical Spam Brands
Welcome to the January edition of the MessageLabs Intelligence monthly report. This report provides the latest threat
trends for January 2011 to keep you informed regarding the ongoing fight against viruses, spam, spyware and other
unwelcome content.
Report highlights

Spam – 78.6% in January (a decrease of 3.1 percentage points since December 2010)

Viruses – One in 364.8 emails in January contained malware (a decrease of 0.03 percentage points since
December 2010)

Phishing – One in 409.7 emails comprised a phishing attack (an increase of 0.004 percentage points since
December 2010)

Malicious websites – 2,751 websites blocked per day (a decrease of 21.5% since December 2010)

41.1% of all malicious domains blocked were new in January (an increase of 7.9 percentage points since
December 2010). An increase in malicious domains may be related to the high proportion of email malware that
also contained malicious hyperlinks; 65.1% of email malware in January contained malicious links.

21.8% of all web-based malware blocked was new in January (a decrease of 3.1 percentage points since
December 2010)

Spam volumes fall to lowest level in two years

Why did global spam volumes decline in December 2010?

The balance of power shifts between pharmaceutical spam gangs

Blog: Targeted attack reveals new social engineering twist
Report analysis
Spam volumes fall to lowest level in two years
Following a dramatic two week decline in spam levels, spam now accounts for 78.6% of email traffic, the lowest rate
since March 2009, when the global spam rate was 75.7% of all email traffic. The volume of spam in circulation in
January 2011 was 65.9% lower than for the same period one year ago in January 2010, when the spam rate was
83.9% of all email traffic.
In March 2009, the dramatically low spam levels were the result of the aftermath of major disruption to botnet activities
following the November 2008 closure of the California-based ISP, McColo. But the cause of the most recent decline in
spam levels is much different. At the heart of the recent decline is a simultaneous drop in pharmaceutical spam.
In May 2010, pharmaceutical spam experienced peak levels when up to 85% of spam was related to pharmaceutical
products. However, in January 2011, MessageLabs Intelligence found that pharmaceutical spam accounted for about
59.1% of all spam.
The closure of Spamit, the well-known Canadian Pharmacy affiliate website, in October 2010 may have caught many
by surprise, but the reality is that it had likely been winding down its operation for several weeks prior, with affiliates
switching to sending spam for other brands, such as Pharmacy Express (not to be confused with the legitimate
Pharmacy Express based in New Zealand), one of the most dominant brands found in spam today.
For now, it's clear that spam remains a profitable activity for spammers and there is no evidence to suggest that
pharmaceutical spam is suffering any loss in profitability. However, the closure of Spamit re-shaped the activities of
many of the major pharmaceutical spam gangs as pharmaceutical spam operations underwent restructuring and
consolidation.
These recent changes, which occurred throughout the second-half of 2010, created instability and turbulence in the
pharmaceutical spam market which is likely to be exploited as a business opportunity by other criminal spam gangs
going forward. We expect this may lead to the development of new pharmaceutical spam brands in 2011.
And with the emergence of new pharmaceutical spam brands will come more pharmaceutical spam and botnets
competing for their business. As with most pharmaceutical spam, the web sites will be insecure and customers are
unlikely to receive anything in the post, leaving them with stolen credit card and personal details.
Why did global spam volumes decline in December 2010?
In 2010, spam accounted for 89.1% of global email traffic, with approximately 130.5 billion spam emails in circulation
each day, on average. However, following an unusually high peak of spam activity between July and August, a decline
in spam volumes during the second-half of 2010 was beginning to tell a different story. With global spam volumes in
gradual decline, by December 24 there were approximately 80.2 billion spam emails being sent each day.
Unexpectedly, overnight, the spam volumes dropped even more dramatically by a further 58% on Christmas Day. For
the following two weeks, spam accounted for approximately 33.5 billion spam emails each day.
Figure 1 – Rise and fall of daily spam volume (2010-2011)
Historically, the only time that spam had fallen by such a remarkable extent was following the closure of California-based
ISP, McColo, in 2008. McColo was taken offline by its up-stream internet providers after being implicated in
criminal and botnet activities. Following the closure of McColo, spam volumes fell by as much as 80% and a number
of botnets were severely affected. The Srizbi botnet was obliterated altogether. Srizbi had been responsible for as
much as 50% of botnet spam. With McColo gone, it took several months for global spam volumes to recover and the
loss of Srizbi left a gap in the market later filled by other, smaller botnets. There were also changes made to botnet
technology, making it much harder to disrupt botnets and enabling them to recover much more quickly; in a matter of
days – rather than weeks or months as before.
With such striking similarities to the events of 2008, MessageLabs Intelligence began looking for evidence to find out
what had happened. In 2010, spam-sending botnets were responsible for as much as 88% of the world's spam, falling
to 77% by the end of the year. Botnets have long been the air-supply for spammers; and without botnets there could
never be as much spam, which is why the security community and international law enforcement agencies have long
sought to disrupt and dismantle criminal botnets.
During this time, MessageLabs Intelligence discovered not one, but three well-known spam-sending botnets had
stopped sending spam in December 2010. The most notable being Rustock, the single largest spam-sending botnet in
2010, responsible for as much as 47.5% of all spam and comprised of between 1.1 million and 1.7 million computers,
sending approximately 44.1 billion spam emails each day. The two other botnets, Xarvester and Lethic, were much
smaller and accounted for less than 0.5% of all spam each.
It appeared that Rustock had stopped sending spam on December 25, followed by Lethic, which stopped on
December 28 and Xarvester on December 31. Further investigation also revealed no evidence to suggest that any of
these three botnets had been disrupted in any way – by law enforcement or through other action. Rustock's command
and control channels appeared to remain intact, but its bots were still active in other ways, particularly for generating
revenue from click-fraud.
Rustock and Xarvester have since resumed their spam-sending operations, but not on the same scale as previously.
Rustock resumed on January 10, and after 24 hours, its spam output accounted for 18.7% of all spam, as seen in
figure 2, below.
Figure 2 – Proportion of global spam sent from Rustock botnet
Since its return, Rustock has accounted for approximately 17.5% of all spam in January while the Bagle botnet has
taken the lion's share with 20% of spam. Rustock is still the largest sender of pharmaceutical spam, with 80% of its
output in January related to pharmaceutical products. However, the proportion of spam related to pharmaceutical
products in January 2011 has diminished, and now accounts for approximately 59.1% of all spam; compared with 64%
at the end of 2010. Moreover, pharmaceutical spam accounted for less than 1% of all spam during the two weeks
Rustock was quiet.
Figure 3 – Classification of spam categories in January 2011
While most of the spam from Rustock is pharmaceutical spam, approximately 17.1% is related to Software offers and
2.9% is Sexual/Dating spam. During 2010, much of Rustock's pharmaceutical spam was related to the 'Canadian
Pharmacy' brand, until the closure of the Spamit [1] affiliate web site in October 2010.
Further investigation reveals that the most common pharmaceutical spam from Rustock now relates to another spam
operation called 'Pharmacy Express,' but not yet on the same scale as before. This may change in due course, as the
botnet still has the capacity to send large volumes of spam. 'Pharmacy Express' isn't a new brand and has been
around since at least 2004.
Figure 4 – Example of recent spam from Rustock
The subject line in the above example includes part of the recipient's email address, which is also included in the
URLs contained within the email body. The URLs in the email are currently all registered to .ru top-level domains, and
all immediately forward to a .com domain hosting the 'Pharmacy Express' web site.
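As an added illustration (not code from the report), here is a static check for the pattern just described: a fragment of the recipient's address reused in the subject and in every URL, with all URL hosts under .ru. The messages and hostnames are constructed placeholders; the follow-the-redirect check to the .com site is left out because it needs network access.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Added example, not MessageLabs code: a static heuristic for the Rustock /
# 'Pharmacy Express' pattern (recipient-derived fragment in subject and URLs,
# every URL under .ru). All messages below are constructed samples.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MIN_FRAGMENT = 5  # shorter fragments ('john', 'info') occur in ordinary subjects too


def longest_shared_fragment(local_part, text, min_len=MIN_FRAGMENT):
    """Longest substring of the recipient local-part (>= min_len chars) found in text."""
    local, text = local_part.lower(), text.lower()
    for n in range(len(local), min_len - 1, -1):
        for i in range(len(local) - n + 1):
            frag = local[i:i + n]
            if frag in text:
                return frag
    return None


def analyze(message):
    """message: dict with 'to', 'subject' and 'body'. Returns each check separately
    plus a combined verdict; any single check on its own is only a weak signal."""
    local_part = parseaddr(message["to"])[1].split("@")[0]
    urls = URL_RE.findall(message["body"])
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]
    frag = longest_shared_fragment(local_part, message["subject"])
    frag_in_urls = bool(frag) and bool(urls) and all(frag in u.lower() for u in urls)
    all_ru = bool(hosts) and all(h.endswith(".ru") for h in hosts)
    return {
        "fragment": frag,
        "fragment_in_all_urls": frag_in_urls,
        "all_urls_ru": all_ru,
        "matches_pattern": frag_in_urls and all_ru,
    }


# Constructed samples (hostnames are placeholders, not real spam domains).
SAMPLE_PATTERN = {
    "to": "alice.smithers@example.com",
    "subject": "alice.smithers 80% off on every order",
    "body": "Order today http://promo-example.ru/alice.smithers or "
            "http://second-example.ru/?u=alice.smithers",
}
SAMPLE_PERSONALIZED_ONLY = {  # personalised, but hosts are not .ru
    "to": "alice.smithers@example.com",
    "subject": "alice.smithers, your invoice is attached",
    "body": "View it at https://billing.example.com/alice.smithers/invoice",
}
SAMPLE_BENIGN = {
    "to": "alice.smithers@example.com",
    "subject": "Your order has shipped",
    "body": "Track it at https://shop.example.com/track/12345",
}

if __name__ == "__main__":
    for name, msg in [("pattern", SAMPLE_PATTERN),
                      ("personalized-only", SAMPLE_PERSONALIZED_ONLY),
                      ("benign", SAMPLE_BENIGN)]:
        print(name, analyze(msg))
```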
[1] The MessageLabs Intelligence Report for October 2010 contains more information on the closure of the Spamit website:
http://www.messagelabs.com/mlireport/MLI_2010_10_October_FINAL.PDF
Figure 5 – Example of a Pharmacy Express web site
Botnets like Rustock are flexible, and can be put to other uses, as well as sending large volumes of spam emails. For
example, during the two weeks it was dormant, Rustock was also used for click-fraud. Click-through expenses are
paid when a genuine user is passed as a referrer from one web site to another, and the referrer is paid a small fee.
With click-fraud, the botnet is used to generate fake referrals that may be indistinguishable from genuine visitors, and
while only a small amount is paid for each “visitor,” a large botnet can generate sufficient traffic to increase this stream
of revenue.
At various points during Rustock's history, it has sometimes exhibited irregular spamming patterns. For example, it
has sent huge volumes of spam before going quiet for two or three weeks at a time, but during 2010, its pattern of
spamming was more regular and it had been active almost non-stop until December 2010.
It's still quite early to tell whether there will be any long-term effects on global spam volumes, but within a few months
we should have a better understanding of how Rustock's activity has shifted, perhaps seeking to make money
elsewhere. Rustock has proven that it is very agile and quick to adapt to new pressures. For instance, in early 2010,
for a few months, Rustock employed TLS encryption for its email traffic. While this tactic made it potentially difficult for
certain types of anti-spam technology to block Rustock's spam, it also had an overhead which slowed down Rustock's
spam-sending ability. As Rustock's botnet size diminished, it was then able to send greater volumes of spam with
fewer bots, because TLS was turned off.
While it's unlikely that spam has suddenly become economically unviable, spammers have continued to seek new
ways of making money and maximizing their returns by taking advantage of local legislation wherever possible and by
becoming more targeted via exploits of new environments such as social media.
With the growing use of social networking, the information many of us share online is now sought by spammers to
make their spam more targeted, interesting and relevant – even in our own language; as spam is now sent in many
more languages than just English, and translated automatically. A more targeted approach to spamming enables
spammers to send smaller volumes of spam, but at the same time, making spam more difficult to recognize and block.
The balance of power shifts between pharmaceutical spam gangs
There's no denying the important role of spam in the shadow economy. The aim of most pharmaceutical spam is to
encourage recipients to click on a link in the email that leads them to a web site selling a variety of pharmaceutical
products such as pills/drugs for anything from male enhancement, to weight loss and stress relief.
With approximately 58.1 billion spam emails in circulation globally every day in January, the contribution from
pharmaceutical spam equates to enormous volumes sent to recipients around the world -- as much as 34.3 billion
emails per day were classified as pharmaceutical spam in January.
Pharmaceutical spam-sending has considerable money-making potential within the shadow economy, and spammers
line-up to work with affiliate schemes, distributing enormous volumes of rapidly-changing spam and taking commission
for their efforts. In the last two or three years, 'Canadian Pharmacy' has undoubtedly been the largest and most
prolific pharmaceutical spam brand in the wild, but all that changed in October 2010 with the closure of the spam
affiliate web site Spamit.com.
MessageLabs Intelligence has been closely tracking the shifting patterns of pharmaceutical spam brands over the last
year [2].
In March 2010 MessageLabs Intelligence examined the nature of the spam emails, and the characteristics of the
sites to which their URLs led, as well as the prices of the drugs found on the different web sites to identify
commonality among the brands. At that time, MessageLabs Intelligence found 12 active brands, and similarities
among some of the brands led us to believe that these 12 brands stemmed from just two pharmaceutical operations.
We labeled these operations 'Gang 1' and 'Gang 2'. In fact when we talk about gangs we effectively mean affiliates.
Each affiliate scheme employs spammers to distribute spam leading to that affiliate's pharmaceutical web sites and
brands.
In May 2010, we spotted a new pharmacy brand, 'Men's Health', which we then examined and subsequently
categorized in 'Gang 2'.
By June 2010 more new brands were recognized [3], such as 'Canadian RX Drugs', 'Pharmacy Express' and 'RX
Savers'. By analyzing the characteristics of these various brands and with some help from the spamtrackers.eu web
site, which also collects useful information on pharmaceutical operations, we added two new spam operations,
identified as 'Gang 3' and 'Gang 4'. The classification of pharmaceutical gangs by the end of 2010 is shown below.
Figure 6 – Relationships among pharmacy brands in 2011 (diagram). Brands shown, arranged under the labels Gang 1,
Gang 2, Gang 3 and Others: Canadian RX Drugs, Canadian Pharmacy, Canadian Online Pharmacy, United Pharmacy,
HealthRefill, European Pharmacy, Medsleader, Canadian HealthCare, MedrugsPlus, Online Pharmacy, The US Drugs
(NOT Bulker.biz brand US Drugs), Indian Pharmacy, Internet Drugs Pedia, Canadian HealthCare Mall, Trusted Meds
Online, Canadian Pharmacy Network, Men Drugs Shop, My Canadian Pharmacy, Pharmacy Express, Mexican Pharmacy,
Dr.Pills, CVSPharmacy, Men's Health, RX-Saver, PH Online, Toronto Drug Store, Chinese Local Pharmacy (in Chinese).
Legend: marker indicates a change of spam templates in common with another brand.
[2] http://www.symantec.com/connect/blogs/pharmacy-spam-pharmaceutical-websites-fall-two-distinct-operations
[3] http://www.symantec.com/connect/blogs/long-lost-pharmacy-brands-return-and-new-one-appears
'Canadian Pharmacy' spam was connected to 'Gang 1' and MessageLabs Intelligence continually monitored the
occurrence of spam linked to 'Canadian Pharmacy' web sites. By September 2010, the volume of spam relating to
'Gang 1' had decreased considerably and in October 2010, spam relating to 'Gang 1' seemingly disappeared.
As mentioned earlier in this report, in late September 2010, news emerged of the closure of a notorious spam affiliate
called Spamit [4], which was known to be the mainstay of the so-called 'Canadian Pharmacy' business, and therefore a
mainstay of pharmaceutical spam as a whole.
Many reports at the time recorded a drop in the volume of spam after Spamit closed down and MessageLabs
Intelligence also noted [5] a decrease in spam around October 3, 2010. However, this fall in spam volume was not a
sustained decrease, and spam levels soon recovered to normal volumes shortly thereafter. The closure of Spamit was
identified as partially responsible for this disruption to spam output, perhaps catching a number of spammers off guard
as a result. However, there are very likely other factors at work, including the attempted takedowns of the Bredolab
botnet in October, and the Cutwail botnet earlier in August.
Whatever the combined effect of the Spamit closure and the disruption of the Bredolab and Cutwail botnets,
spammers were simply not distributing as much spam as they were in 2009.
Despite the disappearance of the 'Canadian Pharmacy' brand, the main pharmacy brand in 'Gang 1', other
pharmaceutical brands are still going strong. Some other pharmacy brands, such as 'Canadian RX Drugs' and
'Canadian Online Pharmacy' have actually dramatically increased their output and became the number one
pharmaceutical spam brands by the end of 2010. Following Rustock's two-week hiatus, the 'Pharmacy Express' brand
became very prominent too. Each of these brands now belongs to the 'Gang 3' classification.
After comprising a typically low volume of spam, 'Canadian RX Drugs' and its related brands have been sent in much
larger volumes since May 2010. In our measurements, we expected to find one or two examples of pharmaceutical
spam from 'Gang 3'; however, the vast majority of pharmaceutical spam in circulation was related to 'Gang 1'. By
January 2011, most of the pharmaceutical spam in circulation was related to 'Gang 3'. It seems the power balance
has firmly shifted to 'Gang 3' as the new dominant pharmaceutical spam operation.
Interestingly though, it's not that 'Gang 3' has become the most dominant gang with the disappearance of 'Gang 1'.
MessageLabs Intelligence has evidence that leads us to believe that much of the activity of 'Gang 1' has now moved
across to 'Gang 3'. It's possible that with the closure of Spamit, unemployed spammers and affiliates quickly
scrambled to find an alternative way to earn their commission, and signed up with the affiliate behind 'Gang 3',
continuing to send spam as normal.
Spam now sent by 'Gang 3' looks almost the same as when it was sent by 'Gang 1', except for subtle changes to the
templates and web site design. The URLs contained in the messages also revealed how they were now connected to
different pharmaceutical brand web sites.
MessageLabs Intelligence previously classified 'Online Pharmacy' in 'Gang 1' because we had seen many similarly
designed emails with URLs leading to 'Canadian Pharmacy' or 'Online Pharmacy' web sites during 2010. But the
continued activities of the 'Online Pharmacy' brand indicate that 'Gang 1' has not ceased all spam activity in the wake
of Spamit's closure; it was only the 'Canadian Pharmacy' brand that ceased activity. The 'Online Pharmacy' brand still
appears to be going strong.
It is likely that many spammers and affiliates formerly connected with 'Gang 1' have moved to 'Gang 3'.
[4] The MessageLabs Intelligence Report for October 2010 contains more information on the closure of the Spamit website:
http://www.messagelabs.com/mlireport/MLI_2010_10_October_FINAL.PDF
[5] http://www.symantec.com/connect/blogs/recent-drop-global-spam-volumes-what-happened
In January 2010, only 'Gang 1' and 'Gang 2' have been sending spam emails continuously; however, other
pharmaceutical groups are still active, although their appearance seems rather more irregular. For example, other
spammers will send large volumes of spam in relatively short bursts and seemingly disappear for several days or
weeks, perhaps even months in some cases.
Although in 2011, 'Gang 3' still seems to be relatively inactive, there are other spam affiliates that have become more
active, using new brand names, or brands that previously haven't been seen for some considerable time.

"PH Online" is a pharmaceutical brand which has only been tracked once previously. It now uses the same
template as 'Gang 1'.

"Dr. Pills" may be a new brand and again shares similarities with templates used by 'Gang 1'.
MessageLabs Intelligence will continue to monitor pharmaceutical brands and pharmaceutical spam in 2011, and we
can be certain that we will see further changes in the near future that will refine our view of the various pharmaceutical
spam operations even more.
Blog: Targeted attack reveals new social engineering twist
A great deal of email-borne malware is sent as .exe files within a .zip archive. Often these are masquerading as
greeting cards, invitations, parcel non-delivery reports or spoofed instructions from social networking websites. The
fact that vast numbers of these types of malware are sent means that they are relatively easy to detect. Nevertheless
19.5% of the malware that was blocked last month was only detected using Skeptic™.
Targeted Trojans are bespoke pieces of malware sent in only a handful of copies to well-researched and carefully
selected individuals. The low copy number of targeted Trojans, and the sophisticated nature of the malware, often
taking advantage of software vulnerabilities in various file formats, makes detection of these malware particularly
difficult. To achieve our 100% malware detection SLA we need to understand how sophisticated malware functions
and how to detect attempts at exploiting vulnerabilities.
In a blog post, Senior Software Engineer, Martin Lee, dissects a targeted Trojan analyzing both the social engineering
attack that attempts to convince a user to open a malicious attachment, and the exploit code that installs the malicious
payload on a machine.
For more information on this latest social engineering attack, please visit the MessageLabs Intelligence blog at:
http://www.symantec.com/connect/blogs/analysis-targeted-trojan
Global Trends & Content Analysis
Symantec.cloud is focused on identifying, detecting and averting unwanted Internet threats such as viruses, spam,
spyware and other inappropriate content. The intelligence collected from the billions of messages and millions of
threats processed each day forms one of the most comprehensive and up-to-date knowledge bases of Internet threats
in the world.
Symantec MessageLabs Email AntiSpam.cloud: In January 2011, the global ratio of spam in email traffic
decreased by 3.1 percentage points since December 2010 to 78.6% (1 in 1.3 emails).
As the overall spam level declined in December 2010 and January 2011, Oman became the most spammed country,
with a spam rate of 88.8%.
In the US, 78.8% of email was spam and 78.3% in Canada. The spam level in the UK was 78.7%. In The
Netherlands, spam accounted for 79.4% of email traffic, 77.8% in Germany, 79.8% in Denmark and 77.3% in
Australia. In Hong Kong, 79.2% of email was blocked as spam and 77.2% in Singapore, compared with 75.2% in
Japan and 84.6% in China. Spam accounted for 80.0% of email traffic in South Africa.
In January, the Automotive industry remained the most spammed sector, with a spam rate of 82.8%. Spam levels for
the Education sector reached 80.6% and 79.1% for the Chemical & Pharmaceutical sector; 78.8% for IT Services,
77.9% for Retail, 77.2% for Public Sector and 77.4% for Finance.
Symantec MessageLabs Email AntiVirus.cloud: The global ratio of email-borne viruses in email traffic was 1 in
364.8 emails (0.274%) in January, a decrease of 0.03 percentage points since December 2010.
In January, 65.1% of email-borne malware contained links to malicious websites, a decrease of 2.5 percentage points
since December 2010.
South Africa remained the most targeted geography as 1 in 132.2 emails were blocked as malicious in January. In the
UK, 1 in 178.2 emails contained malware. In the US, virus levels for email-borne malware were 1 in 771.0 and 1 in
212.3 for Canada. In Germany virus activity reached 1 in 501.1, 1 in 1,215 in Denmark and in The Netherlands 1 in
858.7. In Australia, 1 in 667.4 emails were malicious and 1 in 549.9 in Hong Kong; for Japan it was 1 in 1,233,
compared with 1 in 733.3 in Singapore and 1 in 644.6 for China.
With 1 in 40.9 emails being blocked as malicious, the Public Sector was the most targeted industry in January. Virus
levels for the Chemical & Pharmaceutical sector were 1 in 439.0 and 1 in 497.8 for the IT Services sector; 1 in 714.9
for Retail, 1 in 194.3 for Education and 1 in 676.4 for Finance.
The table below shows the most frequently blocked email-borne malware for January, many of which take advantage
of malicious hyperlinks.
Virus                              % of virus
Exploit/SuspLink-acfb              11.2%
JS/Trojan-redir.gen                7.7%
Exploit/Link-ZhelHost              6.4%
Exploit/SuspLink-718f              4.4%
Exploit/SuspLink-7db9              3.2%
Exploit/Link-10df                  2.5%
Exploit/LinkAliasPostcar-6cce5     2.2%
Exploit/MimeBoundary003            2.2%
W32/Delf-Generic-ad9e              1.9%
Exploit/LinkAliasPostcard-074c     1.5%
Phishing Analysis: In January, phishing activity increased by 0.004 percentage points since December 2010; 1 in
409.7 emails (0.244%) comprised some form of phishing attack.
South Africa continued to be the most targeted by phishing emails in January, with 1 in 51.7 emails blocked as a
phishing attack. In the UK, phishing accounted for 1 in 188.6 emails. Phishing levels for the US were 1 in 892.8 and 1
in 204.6 for Canada. In Germany phishing levels were 1 in 1,457, 1 in 1,953 in Denmark and 1 in 1,098 in The
Netherlands. In Australia, phishing activity accounted for 1 in 821.7 emails and 1 in 790.2 in Hong Kong and 1 in
1,190 in China; for Japan it was 1 in 8,095 and 1 in 1,924 for Singapore.
The Public Sector remained the most targeted by phishing activity in January, with 1 in 52.6 emails comprising a
phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 498.3 and 1 in 768.0 for the IT
Services sector; 1 in 788.9 for Retail, 1 in 218.9 for Education and 1 in 417.1 for Finance.
Symantec MessageLabs Web Security.cloud: In January, MessageLabs Intelligence identified an average of 2,751
web sites each day harboring malware and other potentially unwanted programs including spyware and adware; a
decrease of 21.5% since December 2010.
Further analysis also reveals that 44.1% of all malicious domains blocked were new in January; an increase of 7.9
percentage points compared with December 2010. Additionally, 21.8% of all web-based malware blocked was new in
January; a decrease of 3.1 percentage points since the previous month. An increase in malicious domains may be
related to the high proportion of email malware that also contained malicious hyperlinks; 65.1% of email malware in
January contained malicious links.
The chart above shows the increase in the number of new spyware and adware web sites blocked each day on
average during January compared with the equivalent number of web-based malware web sites blocked each day.
The most common trigger for policy-based filtering applied by Symantec MessageLabs Web Security.cloud for its
business clients was for the “Advertisements & Popups” category, which accounted for 46.8% of blocked web activity
in January. The second most frequently blocked traffic was categorized as Social Networking, and accounted for
13.4% of URL-based filtering activity blocked.
Activity related to Streaming Media policies resulted in 9.6% of URL-based filtering blocks in January.
Symantec Endpoint Protection.cloud: The endpoint is often the last line of defense and analysis. The threats found
here can shed light on the wider nature of threats confronting businesses, especially from blended attacks. Attacks
reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed,
such as gateway filtering.
The table below shows the malware most frequently blocked targeting endpoint devices for the last month. This
includes data from endpoint devices protected by Symantec technology around the world, including data from clients
which may not be using other layers of protection, such as Symantec MessageLabs Web Security.cloud or Symantec
MessageLabs Email AntiVirus.cloud.
Malware [6]                        %
Trojan Horse*                      19.11%
W32.Sality.AE                      10.65%
W32.Downadup.B                     8.05%
Downloader*                        6.10%
W32.SillyFDC                       4.33%
W32.Almanahe.B!inf                 2.95%
W32.Mabezat.B                      2.85%
Backdoor.Trojan*                   2.50%
W32.Gammima.AG                     2.33%
W32.Changeup                       2.12%
The most frequently blocked malware for the last month was the W32.Sality.AE virus. W32.Sality.AE is a virus that
spreads by infecting executable files and attempts to download potentially malicious files from the Internet. The main
goal of Sality.AE is to download and install additional malicious software on a victim's computer. The virus also
prevents access to various security-related domains, stops security related services, and deletes security-related files.
The virus also infects .EXE and .SCR files on a victim's local drive as well as on any writable network resource. It
spreads by copying itself to attached removable drives.
*Many new viruses and Trojans are based on earlier versions, where code has been copied or altered to create a new
strain, or variant. Often these variants are created using toolkits and hundreds of thousands of variants can be created
from the same piece of malware. This has become a popular tactic to evade signature-based detection, as each
variant would traditionally need its own signature to be correctly identified and blocked.
[6] For further information on these threats, please visit: http://www.symantec.com/business/security_response/landing/threats.jsp
By employing techniques, such as heuristic analysis and generic detection, it is possible to correctly identify and block
several variants of the same malware families, as well as identify new forms of malicious code that seek to exploit
certain vulnerabilities that can be identified generically. Approximately 32.8% of the most frequently blocked malware
was identified and blocked in this way, using endpoint security protection.
Symantec MessageLabs Instant Messaging Security.cloud: Wednesday, February 16 2011 will mark the six year
anniversary of the first US arrest for the sending of unsolicited “SpIM” (Spam for Instant Messaging). In 2005, a New
York teenager was arrested and charged with sending more than 1.5 million pieces of spim, advertising pornography
and mortgages, to instant messenger (IM) users on a major well-known social network. Moreover, malware was
already able to spread via IM. For example, ten years ago in April 2001, W32/Hello was one of the first examples of
malware targeting users of one major public IM network. Today, it is malicious hyperlinks that are often shared over IM
to unsuspecting users. Once the victim clicks these links, the resulting URLs may install malware on the victims'
computers.
Businesses and consumers alike make wide use of Instant Messaging (IM) at work and home to keep in touch with
clients, colleagues and friends. However, while IM use has increased during 2010, few users are conscious of the
dangers IM presents not only to a single computer, but potentially to an entire network. While spam is now a term that
is widely recognized among computer users, many are still unaware of SpIM, and that clicking on links shared over IM
from an unknown contact comes with the same risks as opening attachments or emails from unknown senders.
At the end of 2010, on average 1 in 384 (0.26%) IM messages was found to contain some form of URL (excluding
disclaimers and other legal notices that some organizations are required to append). This represents an increase of
0.01% compared with 2009, when 1 in 405 IMs contained a URL.
However, to quantify the level of risk these URLs present, MessageLabs Intelligence compared them with the URLs
blocked by Symantec MessageLabs Web Security.cloud. In other words, we identified URLs shared over IM where the
same web site had already been identified as malicious and blocked within 30 days of the IM being shared.
By the end of 2010, MessageLabs Intelligence identified that 1 in 11.3 (8.85%) URLs shared over IM were connected
to web sites that were known to contain malicious content. This represents an increase of 7.6% when compared with
the 1 in 78 (1.28%) URLs shared over IM that were linked to malicious web sites at the end of 2009.
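The comparison described above, correlating URLs seen in IM traffic against a web-security block list within a 30-day window, is easy to reproduce over one's own logs. The following is an added example and not MessageLabs' own code; all IM share records and block-list entries are constructed sample data, and the example assumes (as the phrase "had already been identified" suggests) that the block must have occurred in the 30 days before the IM was sent. Matching is done on host name, since a block is recorded per web site rather than per full URL.

```python
"""Correlate URLs shared over IM with a web-security block list.

Added illustration (not MessageLabs' code). A shared URL counts as
"known malicious" when the same host appears on the block list with a
block time in the WINDOW_DAYS before the IM was sent (assumption).
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WINDOW_DAYS = 30  # the report's 30-day look-back window

# Constructed sample: (time the IM was sent, URL it contained)
IM_URL_SHARES = [
    ("2010-12-01T09:15:00", "http://photos.example.net/album?id=42"),
    ("2010-12-02T11:20:00", "https://intranet.example.com/report.pdf"),
    ("2010-12-03T14:05:00", "http://news.example.org/story/123"),
    ("2010-12-10T08:30:00", "http://photos.example.net/album?id=77"),
    ("2010-12-15T17:45:00", "http://cdn.example.biz/player.exe"),
    ("2010-12-20T10:00:00", "http://news.example.org/story/456"),
]

# Constructed sample: (host, time the web security service blocked it)
WEB_BLOCKS = [
    ("photos.example.net", "2010-11-25T00:00:00"),  # compromised legitimate site
    ("cdn.example.biz", "2010-12-14T00:00:00"),
    ("news.example.org", "2010-10-01T00:00:00"),    # block too old for the December shares
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def host_of(url: str) -> str:
    """Host name part of a URL, lower-cased; empty string if there is none."""
    return (urlsplit(url).hostname or "").lower()


def build_block_index(blocks):
    """Map host -> list of block timestamps, so lookups are O(1) per share."""
    index = {}
    for host, ts in blocks:
        index.setdefault(host.lower(), []).append(parse_ts(ts))
    return index


def was_known_malicious(url, shared_at, index, window_days=WINDOW_DAYS):
    """True if the URL's host was blocked within window_days before the share."""
    window = timedelta(days=window_days)
    for blocked_at in index.get(host_of(url), []):
        if blocked_at <= shared_at and shared_at - blocked_at <= window:
            return True
    return False


def malicious_share_rate(shares, blocks, window_days=WINDOW_DAYS):
    """Fraction of IM-shared URLs whose host was already on the block list."""
    index = build_block_index(blocks)
    hits = [url for ts, url in shares
            if was_known_malicious(url, parse_ts(ts), index, window_days)]
    rate = len(hits) / len(shares) if shares else 0.0
    return {
        "total": len(shares),
        "malicious": len(hits),
        "rate": rate,
        "one_in": (1 / rate) if rate else None,  # the report's "1 in N" form
    }


def describe(result) -> str:
    """Render the result in the report's style, e.g. '1 in 2.0 (50.00%)'."""
    if not result["one_in"]:
        return "0 of %d (0.00%%)" % result["total"]
    return "1 in %.1f (%.2f%%)" % (result["one_in"], 100 * result["rate"])


if __name__ == "__main__":
    print(describe(malicious_share_rate(IM_URL_SHARES, WEB_BLOCKS)))
```

With the constructed data, three of the six shares (both photos.example.net links and the cdn.example.biz link) fall inside the window, so the function reports 1 in 2.0 (50.00%); the news.example.org shares are not counted because that block predates them by more than 30 days, which is the same reason the report treats its 1 in 11.3 figure as a level of risk rather than a direct threat.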
Over the course of the last year, legitimate domains were compromised far more frequently and used to host
malicious content: more than 90% of malicious web traffic in 2010 was blocked on well-established legitimate
websites. Since many of these domains have only recently been used to host malicious content, the 1 in 11.3 URLs
shared over IM represents a clear level of risk to IM users rather than a direct threat. For some legitimate domains
the malicious content may since have been removed, but the domain cannot be guaranteed to be safe.
In addition, it has become commonplace for cyber criminals to bypass the CAPTCHA technology on public IM
networks and major well-known social networking sites to establish fake accounts from which they send out their
spam or malicious messages. CAPTCHAs are small online puzzles that must be solved to prove to a web site that the
user is a real person rather than a computer. Most people will recognize them from having to re-type a word or a
combination of swirling letters and numbers when completing an online request, such as creating a new account
on a social media web site or public IM network. They are designed to make it difficult for computers to register
accounts automatically, but cyber criminals are always looking for new ways to defeat CAPTCHA systems.
IM attacks have grown in popularity over the last year, especially attacks aimed at compromising legitimate IM
accounts, perhaps as a result of an earlier phishing attack. Problems often arise from the fact that IM has been very
difficult to regulate and control, so many organizations, particularly those in regulated sectors, have simply chosen to
block its use, even though it's clearly a useful tool that is becoming more widely used. Technically this can become
problematic, as IM clients can be very flexible and can even be tunneled over other protocols, including HTTP. With many
popular social networking web sites now including a built-in IM facility, it is becoming even more difficult to regulate
and control.
Organizations that simply ban IM use may risk frustrating employees and potentially damaging the business by
hindering productivity. To combat the threats posed by IM effectively, businesses need to adopt a policy-based
security model that inspects all potential threats before they reach an individual user's machine. The same
policies can then be applied across the organization, to remote workers as well as those who are office-bound.
Traffic Management
Traffic Management continues to reduce the overall message volume through techniques operating at the protocol
level. Unwanted senders are identified and connections to the mail server are slowed down using features embedded
in the TCP protocol. Incoming volumes of known spam are significantly slowed, while ensuring legitimate email is
expedited.
In January, MessageLabs services processed an average of 2.1 billion SMTP connections per day, of which 78.4%
were throttled back as a result of traffic management controls for traffic that was unequivocally malicious or unwanted.
The remainder of these connections was subsequently processed by MessageLabs Connection Management controls
and Skeptic™.
Connection Management
Connection Management is particularly effective in stopping directory harvest, brute force and email denial of service
attacks, where unwanted senders send high volumes of messages to force spam into an organization or disrupt
business communications. Connection Management works at the SMTP level, using SMTP Validation techniques to
verify legitimate connections to the mail server. It is able to identify unwanted email originating from known spam
and virus-sending sources, where the source can unequivocally be identified as an open proxy or a botnet, and
rejects the connection accordingly. In January, an average of 30.4% of inbound messages was intercepted from
botnets and other known malicious sources and rejected as a consequence.
User Management
User Management uses Registered User Address Validation techniques to reduce the overall volume of emails for
registered domains, by discarding connections for which the recipient addresses are identified as invalid or
nonexistent.
In January, an average of 5.8% of inbound messages was identified as invalid by User Management.
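The three layers just described (Traffic Management, Connection Management and User Management) form a funnel in which each stage discards traffic before the more expensive content scanning runs. The following is an added toy model of that funnel, not MessageLabs' code, and it simplifies the mechanisms: throttling is modelled as deferring connections from a poor-reputation source beyond a per-window cap, botnet and open-proxy sources are rejected at connect time, and recipient validation is a set lookup. It also adds the directory-harvest heuristic a mail administrator would want on top of User Management: a source whose RCPT TO attempts are mostly for nonexistent addresses is flagged. All source addresses, reputation sets, thresholds and the registered address list are constructed sample data.

```python
"""Toy model of a layered inbound-SMTP filtering funnel.

Added illustration of the three control layers in the report (not
MessageLabs' code). The mechanisms are simplified assumptions and
every data value below is constructed, not real telemetry.
"""
from collections import Counter, defaultdict

# Constructed reputation data (assumed feeds, not real lists)
KNOWN_BOTNET_SOURCES = {"198.51.100.7", "203.0.113.9"}   # rejected at SMTP connect
POOR_REPUTATION_SOURCES = {"192.0.2.50"}                  # slowed down (deferred)
REGISTERED_ADDRESSES = {"alice@example.com", "bob@example.com", "sales@example.com"}

THROTTLE_CAP = 2            # assumed: connections accepted per poor-reputation source per window
HARVEST_MIN_ATTEMPTS = 5    # assumed: directory-harvest heuristic thresholds
HARVEST_INVALID_RATIO = 0.8

# Constructed inbound connection records: (source IP, address given in RCPT TO)
INBOUND = [
    ("192.0.2.50", "alice@example.com"), ("192.0.2.50", "bob@example.com"),
    ("192.0.2.50", "carol@example.com"), ("192.0.2.50", "dave@example.com"),
    ("198.51.100.7", "alice@example.com"),
    ("203.0.113.9", "sales@example.com"), ("203.0.113.9", "zzz@example.com"),
    ("192.0.2.10", "alice@example.com"), ("192.0.2.10", "bob@example.com"),
    ("192.0.2.10", "sales@example.com"),
    ("192.0.2.77", "aaron@example.com"), ("192.0.2.77", "abby@example.com"),
    ("192.0.2.77", "abe@example.com"), ("192.0.2.77", "adam@example.com"),
    ("192.0.2.77", "alice@example.com"), ("192.0.2.77", "alan@example.com"),
]


def classify(inbound):
    """Run each connection through the three layers in order.

    Returns (per-layer counts, connections passed on to content scanning,
    per-source RCPT TO statistics as {source: [attempts, invalid]}).
    """
    counts = Counter()
    per_source_seen = Counter()
    rcpt_stats = defaultdict(lambda: [0, 0])
    survivors = []
    for src, rcpt in inbound:
        # Layer 1, Traffic Management: defer connections over the cap from
        # sources that are unequivocally unwanted (modelled as a 4xx deferral).
        if src in POOR_REPUTATION_SOURCES:
            per_source_seen[src] += 1
            if per_source_seen[src] > THROTTLE_CAP:
                counts["throttled"] += 1
                continue
        # Layer 2, Connection Management: reject known botnet / open proxy sources
        # at the SMTP level before any message data is accepted.
        if src in KNOWN_BOTNET_SOURCES:
            counts["rejected_connection"] += 1
            continue
        # Layer 3, User Management: Registered User Address Validation.
        rcpt_stats[src][0] += 1
        if rcpt.lower() not in REGISTERED_ADDRESSES:
            rcpt_stats[src][1] += 1
            counts["invalid_recipient"] += 1
            continue
        counts["passed_to_content_scan"] += 1
        survivors.append((src, rcpt))
    return counts, survivors, dict(rcpt_stats)


def directory_harvest_suspects(rcpt_stats):
    """Sources probing mostly nonexistent recipients, the signature of a directory harvest."""
    return sorted(src for src, (attempts, invalid) in rcpt_stats.items()
                  if attempts >= HARVEST_MIN_ATTEMPTS
                  and invalid / attempts >= HARVEST_INVALID_RATIO)


def layer_shares(counts):
    """Per-layer share of all inbound connections, as fractions (the report quotes these as percentages)."""
    total = sum(counts.values())
    return {layer: n / total for layer, n in counts.items()} if total else {}


if __name__ == "__main__":
    counts, survivors, stats = classify(INBOUND)
    for layer, share in layer_shares(counts).items():
        print("%-24s %5.1f%%" % (layer, 100 * share))
    print("directory harvest suspects:", directory_harvest_suspects(stats))
```

With the constructed records, 16 connections are split into 2 throttled, 3 rejected at connect, 5 discarded for invalid recipients and 6 passed on to content scanning, and 192.0.2.77 is flagged because five of its six RCPT TO attempts were for addresses that do not exist. In a real deployment the reputation sets are live feeds and the throttle is applied at the TCP and SMTP connection level rather than per record, but the order of the layers and the per-layer accounting are what the report's monthly figures describe.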
About MessageLabs Intelligence
MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and
statistics. MessageLabs Intelligence publishes a range of information on global security threats based on live data
feeds from more than 14 data centers around the world scanning billions of messages and web pages each week.
MessageLabs Team Skeptic™ comprises many world-renowned malware and spam experts, who have a global view
of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they
monitor each day on behalf of 31,000 clients in more than 100 countries. More information is available at
www.messagelabs.com/intelligence.
About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and
organizations secure and manage their information-driven world. Our software and services protect against more
risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.
More information is available at www.symantec.com.
Copyright © 2011 Symantec Corporation. All Rights Reserved.
Symantec, the Symantec Logo and MessageLabs are trademarks or registered trademarks of Symantec Corporation
or its affiliates in the US and other countries. Other names may be trademarks of their respective owners.
NO WARRANTY. The information contained in this report is being delivered to you AS-IS, and Symantec Corporation
makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user.
This report may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make
changes without prior notice. No part of this publication may be copied without the express written permission of
Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043.