The October 2011 Symantec Intelligence Report reveals that, for the first time, spammers have established a genuine URL shortening service that is publicly available and generates real shortened links. So far these links have only been found in spam emails.
2. The Symantec Intelligence Report
The new Symantec Intelligence Report combines the best research and analysis from Symantec:
• Symantec.cloud MessageLabs Intelligence Report
• Symantec State of Spam & Phishing Report
The integrated Symantec Intelligence Report provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team.
Symantec Intelligence 2
3. October 2011 Highlights
• Spam – 74.2 percent in October (a decrease of 0.6 percentage points since September 2011)
• Phishing – One in 343.1 emails identified as phishing (an increase of 0.07 percentage points since September 2011)
• Malware – One in 235.8 emails in October contained malware (a decrease of 0.11 percentage points since September 2011)
• Malicious Web sites – 3,325 Web sites blocked per day (a decrease of 4.3 percent since September 2011)
• 43.9 percent of all malicious domains blocked were new in October (a decrease of 0.7 percentage points since September 2011)
• 15.2 percent of all Web-based malware blocked was new in October (an increase of 0.7 percentage points since September 2011)
• Spammers setting up more URL shortening services
• Social engineering example from the East
• New Symantec Research: W32.Duqu - Precursor to the Next Stuxnet
• New Symantec Research: The Motivations of Recent Android Malware
• Best Practices for Enterprises and Users
4. Spammers setting up more URL shortening services
[Screenshot of the spammer-run URL shortening service: "87x domains"; the generated link is shown as "YOUR LINK: http://blah.[...].info"]
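Because a spammer-operated shortener is not on any list of well-known public shorteners, a mail filter that only reputation-checks the visible link never sees the real destination. The following is an added example, not code from the report or from Symantec: it follows a redirect chain offline through a constructed lookup table (standing in for HTTP Location headers, which a real gateway would fetch with HEAD requests), stops on loops and hop budgets, and flags links that pass through an unknown redirector or end on a blocked domain. The domain lists and redirect table are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed redirect table (assumption): maps a URL to the Location header a
# HEAD request would return. It simulates a spammer-run shortener and a loop.
REDIRECTS = {
    "http://shrt.example/a1b2": "http://shrt.example/go/a1b2",
    "http://shrt.example/go/a1b2": "http://blah.example/pharma",
    "http://loop.example/x": "http://loop.example/y",
    "http://loop.example/y": "http://loop.example/x",
}
KNOWN_SHORTENERS = {"bit.ly", "t.co", "goo.gl"}   # illustrative allow-list of public services
BLOCKED_DOMAINS = {"blah.example"}                # constructed destination block-list


def expand(url, lookup=REDIRECTS.get, max_hops=10):
    """Follow redirects from `url`.

    Returns (final_url, chain, looped). `lookup(url)` returns the next URL or
    None when the URL is a final page. Stops on a loop or after max_hops.
    """
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain[-1], chain, False
        if nxt in seen:                     # redirect loop: stop, report it
            return chain[-1], chain, True
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, False          # hop budget exhausted


def assess_link(url):
    """Expand a link found in mail and return the reasons it should be flagged."""
    final, chain, looped = expand(url)
    first_host = urlparse(url).hostname or ""
    final_host = urlparse(final).hostname or ""
    reasons = []
    # A redirect through a domain that is not a known public shortener is the
    # signal the report describes: the spammer's own shortening service.
    if len(chain) > 1 and first_host not in KNOWN_SHORTENERS:
        reasons.append("unknown redirector")
    if final_host in BLOCKED_DOMAINS:
        reasons.append("destination blocked")
    if looped:
        reasons.append("redirect loop")
    return {"final": final, "hops": len(chain) - 1, "reasons": reasons}


if __name__ == "__main__":
    for link in ("http://shrt.example/a1b2", "http://loop.example/x", "http://news.example/story"):
        print(link, "->", assess_link(link))
```

The filter decision is made on the expanded destination, so a block-list entry for the landing domain catches every short link pointing at it regardless of which shortener the spammer stood up.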
6. W32.Duqu - The Precursor to the next Stuxnet
• Read the blog
• Download the whitepaper – www.symantec.com/outbreak
• Check with PR for spokesperson availability...
8. Additional Spam Metrics
Spam Attack Vectors
[Chart: share of spam by attack vector (Attachment, NDR, Malware), 10 Sep to 10 Oct 2011; y-axis 0% to 25%]
• A low NDR rate indicates that dictionary attacks are not in heavy use
• Attachment spam trends closely correlate with the malware rate
9. Additional Spam Metrics
Spam URL TLD Distribution
TLD     October   September   Change (% points)
.com    57.3%     59.5%       -2.2
.info    8.2%     10.5%       -2.3
.ru      8.4%      8.1%       +0.3
.net     5.3%      5.8%       -0.5

Average Spam Message Size
Message Size   October   September   Change (% points)
0Kb – 5Kb      59.0%     48.1%       +10.9
5Kb – 10Kb     26.3%     25.6%        +0.7
>10Kb          14.7%     26.2%       -11.5
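The metrics on slides 8 and 9 (attack-vector share, spam URL TLD distribution, message-size buckets and their month-on-month change in percentage points) are all derived from the same per-message records a gateway already keeps. The following is an added example, not code from the report or from Symantec, that computes all three from a constructed sample of spam records and applies the NDR heuristic from slide 8. The sample data, the "plain" vector label and the NDR threshold are assumptions.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not Symantec data): one tuple per spam message caught by
# a gateway -> (month, attack vector, size in KB, URLs found in the body).
# Vector "plain" means text-only spam with no attachment, NDR or malware.
SAMPLE_SPAM = [
    ("sep", "plain", 3.0, ["http://spam1.example.com/x"]),
    ("sep", "plain", 4.0, ["http://spam2.example.com/x"]),
    ("sep", "attachment", 12.0, []),
    ("sep", "malware", 15.0, ["http://spam3.example.info/x"]),
    ("sep", "ndr", 2.0, []),
    ("sep", "ndr", 2.5, []),
    ("sep", "plain", 7.0, ["http://spam4.example.ru/x"]),
    ("sep", "plain", 8.0, ["http://spam5.example.com/x"]),
    ("sep", "plain", 11.0, ["http://spam6.example.net/x"]),
    ("sep", "attachment", 20.0, []),
    ("oct", "plain", 1.0, ["http://spam7.example.com/y"]),
    ("oct", "plain", 2.0, ["http://spam8.example.com/y"]),
    ("oct", "plain", 3.0, ["http://spam9.example.com/y"]),
    ("oct", "plain", 4.0, ["http://spam10.example.ru/y"]),
    ("oct", "attachment", 14.0, []),
    ("oct", "malware", 6.0, ["http://spam11.example.info/y"]),
    ("oct", "ndr", 1.5, []),
    ("oct", "plain", 4.5, ["http://spam12.example.ru/y", "http://spam13.example.net/y"]),
    ("oct", "plain", 9.0, ["http://spam14.example.com/y"]),
    ("oct", "attachment", 4.0, []),
]

SIZE_BUCKETS = ("0Kb – 5Kb", "5Kb – 10Kb", ">10Kb")


def tld_of(url):
    """Top-level domain of the URL's host, e.g. '.com' (assumes single-label TLDs)."""
    host = urlparse(url).hostname or ""
    return "." + host.rsplit(".", 1)[-1] if "." in host else host


def _month(records, month):
    return [r for r in records if r[0] == month]


def _percent(counter, total):
    return {k: round(100.0 * n / total, 1) for k, n in counter.items()} if total else {}


def attack_vector_shares(records, month):
    """Share of spam per attack vector, as on the Spam Attack Vectors chart."""
    rows = _month(records, month)
    return _percent(Counter(r[1] for r in rows), len(rows))


def tld_distribution(records, month):
    """Share of spam URLs per TLD, as in the Spam URL TLD Distribution table."""
    urls = [u for r in _month(records, month) for u in r[3]]
    return _percent(Counter(tld_of(u) for u in urls), len(urls))


def size_bucket(size_kb):
    if size_kb < 5:
        return SIZE_BUCKETS[0]
    if size_kb < 10:
        return SIZE_BUCKETS[1]
    return SIZE_BUCKETS[2]


def size_distribution(records, month):
    """Share of spam per size bucket, every bucket present (0.0 if empty)."""
    rows = _month(records, month)
    counts = Counter(size_bucket(r[2]) for r in rows)
    return {b: round(100.0 * counts[b] / len(rows), 1) for b in SIZE_BUCKETS} if rows else {}


def change_in_points(current, previous):
    """Month-on-month change in percentage points, the table's 'Change' column."""
    keys = set(current) | set(previous)
    return {k: round(current.get(k, 0.0) - previous.get(k, 0.0), 1) for k in keys}


def dictionary_attack_suspected(vector_shares, threshold=15.0):
    """Slide 8 heuristic: a high NDR share means bounces (backscatter) from forged-
    sender dictionary attacks are flowing in. The threshold is a constructed value."""
    return vector_shares.get("ndr", 0.0) >= threshold


if __name__ == "__main__":
    for name, fn in (("Attack vectors", attack_vector_shares),
                     ("Spam URL TLD", tld_distribution),
                     ("Message size", size_distribution)):
        cur, prev = fn(SAMPLE_SPAM, "oct"), fn(SAMPLE_SPAM, "sep")
        print(name, "Oct:", cur, "Sep:", prev, "change:", change_in_points(cur, prev))
```

The "Change" column is computed from the rounded monthly shares, which is why the report's differences line up with its displayed percentages rather than with the raw counts.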
10. Spam Subject Line Analysis
Rank  October 2011, Total Spam: Top Subject Lines               No. of Days  September 2011, Total Spam: Top Subject Lines            No. of Days
1     NACHA security nitification                               2            UPS notification                                         6
2     ACH Payroll Cancelled                                     2            Uniform traffic ticket                                   4
3     ACH Transfer Review                                       6            You have notifications pending                           22
4     Re: Back to School Software Sale                          6            SALE OFF: Pharmacy store!                                2
5     0                                                         6            (blank subject line)                                     31
6     Facebook Administration has sent you a notification       9            Re: Windows 7, Office 2010, Adobe CS5 …                  12
7     Fw: Fw: Fw: Fw: Windows 7, Office 2010, Adobe CS5 …       18           Sarah Sent You A Message                                 11
8     Re: Windows 7, Office 2010, Adobe CS5 …                   18           Ed-Meds-Antidepressants-And-Pain Relief-Meds-8O%-OFF     25
9     Fw: Fw: Fw: Windows 7, Office 2010, Adobe CS5 …           18           Fw: Fw: Fw: Fw: Windows 7, Office 2010, Adobe CS5 …      9
10    Re: Re: Re: Re: Re: Windows 7, Office 2010, Adobe CS5 …   18           Fw: Windows 7, Office 2010, Adobe CS5 …                  9
14. Tactics of Phishing Distribution
Automated Toolkits 21.8%
Other Unique Domains 58.7%
IP Address Domains 4.1%
Free Web Hosting Sites 13.3%
Typosquatting 2.0%
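The five distribution tactics above are categories a phishing URL can be sorted into from the URL alone: a bare IP address as host, a hostname under a free web host, a domain one or two characters off a spoofed brand, a path that matches a kit-generated page layout, or none of these. The following is an added example, not code from the report or from Symantec, that classifies constructed phishing URLs into those categories and produces the percentage breakdown; the free-hosting suffixes, brand list, toolkit path markers and the order of precedence among the checks are all assumptions.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# All lists below are constructed for the example (assumptions, not page data).
FREE_HOSTING_SUFFIXES = (".freesites.example", ".webpages.example")
SPOOFED_BRANDS = ("paypal", "examplebank")
TOOLKIT_MARKERS = ("/webscr/", "/login.php?cmd=")   # hypothetical kit path fingerprints

TACTICS = ("IP Address Domains", "Free Web Hosting Sites", "Typosquatting",
           "Automated Toolkits", "Other Unique Domains")

# Constructed sample phishing URLs, one per tactic.
SAMPLE_PHISHING_URLS = [
    "http://192.0.2.10/secure/login",
    "http://paypa1-verify.freesites.example/login",
    "http://www.paypai.example/signin",
    "http://login-update.example/webscr/?cmd=_login",
    "http://news.example.org/article",
]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_phishing_url(url):
    """Assign one of the slide's five tactics to a URL (check order is an assumption)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)          # raises ValueError for hostnames
        return "IP Address Domains"
    except ValueError:
        pass
    if host.endswith(FREE_HOSTING_SUFFIXES):
        return "Free Web Hosting Sites"
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else host   # label left of the TLD
    for brand in SPOOFED_BRANDS:
        if registrable != brand and levenshtein(registrable, brand) <= 2:
            return "Typosquatting"
    path_and_query = parsed.path + ("?" + parsed.query if parsed.query else "")
    if any(marker in path_and_query for marker in TOOLKIT_MARKERS):
        return "Automated Toolkits"
    return "Other Unique Domains"


def tactic_distribution(urls):
    """Percentage of URLs per tactic, every tactic present (0.0 if unused)."""
    counts = Counter(classify_phishing_url(u) for u in urls)
    return {t: round(100.0 * counts[t] / len(urls), 1) for t in TACTICS} if urls else {}


if __name__ == "__main__":
    for u in SAMPLE_PHISHING_URLS:
        print(f"{classify_phishing_url(u):24s} {u}")
    print(tactic_distribution(SAMPLE_PHISHING_URLS))
```

The typosquatting check compares only the label left of the TLD, so a brand name buried in a subdomain of a free host is credited to the hosting category first; which check wins matters for the published percentages, and a real classifier should document that precedence.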
Organizations Spoofed in Phishing Attacks, by Industry Sector
Financial 85.7%
Information Services 11.6%
Others 2.6%
Government 0.2%
16. Most Frequently Blocked Email Malware
Malware Name % Malware
Gen:Trojan.Heur.FU.bqW@a8hiAJoi 6.51%
W32/Generic-0922-13ca-13ca 5.95%
Exploit/Link-generic-ee68 5.86%
Gen:Variant.Ursnif.16 3.91%
Trojan.Bredolab!eml-866c 3.28%
Gen:Trojan.Heur.FU.bqW@aS39a0fi 2.02%
Trojan.Bredolab!eml-4e1b 1.96%
Gen:Trojan.Heur.FU.bqW@a0CDPdfi 1.74%
W32/Generic-703e-4489 1.55%
Exploit/FakeAttach 1.43%
• 45% of email-borne malware was associated with variants of generic polymorphic malware, including Bredolab, Sasfis, SpyEye and Zeus variants (vs 72% in September)
17. New Web Malware and Spyware Sites Per Day
• 43.9% of malicious domains blocked were new in October (-0.7 percentage points)
• 15.2% of Web-based malware blocked was new in October (+0.7 percentage points)
19. Most Frequently Blocked Malware at the Endpoint
Malware Name % Malware
W32.Sality.AE 7.19%
W32.Ramnit!html 7.18%
Trojan.Bamital 6.03%
W32.Ramnit.B!inf 5.72%
WS.Trojan.H 5.70%
W32.Downadup.B 3.19%
W32.SillyFDC.BDP!lnk 3.05%
W32.Virut.CF 2.74%
Trojan.ADH.2 2.58%
Trojan.ADH 2.55%
• Approximately 17.6 percent of the most frequently blocked malware was identified and blocked using generic detection
[1] For further information on these threats, please visit: http://www.symantec.com/business/security_response/landing/threats.jsp