The September 2011 Symantec Intelligence Report reveals that a deluge of malicious email-borne malware has left a clear mark on the threat landscape for September. Approximately 72% of all email-borne malware in September could be characterized as aggressive strains of generic polymorphic malware, first identified in the July Symantec Intelligence Report. At the end of July, this rate was 23.7%, in August it fell slightly to 18.5% before soaring to 72% in September.
2. The Symantec Intelligence Report
The new Symantec Intelligence Report combines the best research and analysis from Symantec:
• Symantec.cloud MessageLabs Intelligence Report
• Symantec State of Spam & Phishing Report
The integrated Symantec Intelligence Report provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team.
3. September 2011 Highlights
• Spam – 74.8 percent in September (a decrease of 1.1 percentage points since August 2011)
• Phishing – One in 447.9 emails identified as phishing (a decrease of 0.26 percentage points since August 2011)
• Malware – One in 188.7 emails in September contained malware (an increase of 0.04 percentage points since August 2011)
• Malicious Web sites – 3,474 Web sites blocked per day (an increase of 1.0 percent since August 2011)
• 44.6 percent of all malicious domains blocked were new in September (an increase of 10.0 percentage points since August 2011)
• 14.5 percent of all Web-based malware blocked was new in September (a decrease of 2.9 percentage points since August 2011)
• Malicious emails masquerade as office printer messages
• Spammers exploit WordPress vulnerability to promote pharmaceutical spam Web sites
• Fake Offers with Fake Trust Seals
• Spammers and malware authors making increasing use of obfuscated JavaScript
• Best Practices for Enterprises and Users
4. Malicious emails masquerade as office printer messages

Some Other Interesting Subjects     Frequency
Pornographic mail                   85
Company Contract doc                40
Tax debt notification               34
Revenue ( IRS ) Department          25
Printer Scanned doc                 21
domain suspension mail              9
pornographic picture                3

File Name                                     Frequency
Document_NR727875272_Coll=d4=c7=abcod.exe     410
photo_W71765413082011_Coll=d4=c7=abgpj.exe    149

NB. 24 hour snapshot, 13 September
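The report only lists the lure subjects and the attachment names it saw in the 13 September snapshot. As an added example (not Symantec's code and not part of the report), the Python triage filter below flags executable attachments whose names imitate a document or photo, matches subjects against the lure themes from the table above, and combines the two into a verdict. The lure patterns, the document-word list, the scoring thresholds and the pairing of subjects with attachments in the sample messages are assumptions of this example; the attachment names and subject strings themselves come from the table.

```python
"""Mail-gateway triage for document-lookalike executables (added example, not from the report)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Extensions Windows executes directly; a document or photo should never carry one.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Words that make a filename look harmless (assumed list for this example).
DOCUMENT_WORDS = ("document", "doc", "photo", "scan", "invoice", "contract", "ticket")

# Lure themes seen in the report's subject table; the regexes are this example's own.
SUBJECT_LURES = {
    "printer_scan": re.compile(r"\b(printer|scann?ed)\b", re.I),
    "contract": re.compile(r"\bcontract\b", re.I),
    "tax_irs": re.compile(r"\b(tax|irs|revenue)\b", re.I),
    "domain_suspension": re.compile(r"\bdomain\b.*\bsuspen", re.I),
}


@dataclass
class Message:
    subject: str
    attachments: List[str] = field(default_factory=list)


def attachment_reason(name: str) -> Optional[str]:
    """Explain why an attachment name is suspicious, or return None if it is not."""
    lower = name.lower()
    dot = lower.rfind(".")
    if dot == -1:
        return None
    stem, ext = lower[:dot], lower[dot:]
    if ext not in EXECUTABLE_EXTS:
        return None
    # "invoice.pdf.exe": a second, benign-looking extension in front of the real one.
    if re.search(r"\.(doc|docx|pdf|jpe?g|png|xls|xlsx)$", stem):
        return f"double extension: {name}"
    # "Document_...exe" / "photo_...exe": executable dressed up as a document or picture.
    if any(word in stem for word in DOCUMENT_WORDS):
        return f"executable named like a document or photo: {name}"
    return f"executable attachment: {name}"


def subject_theme(subject: str) -> Optional[str]:
    """Return the first lure theme whose pattern matches the subject line."""
    for theme, pattern in SUBJECT_LURES.items():
        if pattern.search(subject):
            return theme
    return None


def triage(msg: Message) -> Dict[str, object]:
    """Score a message: executable attachments weigh 2, a known lure theme weighs 1."""
    reasons = [r for r in (attachment_reason(a) for a in msg.attachments) if r]
    theme = subject_theme(msg.subject)
    score = (2 if reasons else 0) + (1 if theme else 0)
    verdict = "quarantine" if score >= 3 else "hold" if score == 2 else "deliver"
    return {"score": score, "verdict": verdict, "theme": theme, "reasons": reasons}


# Constructed sample: subjects and attachment names are from the report's table,
# their pairing into messages is made up for this example.
SAMPLE = [
    Message("Printer Scanned doc", ["Document_NR727875272_Coll=d4=c7=abcod.exe"]),
    Message("Company Contract doc", ["photo_W71765413082011_Coll=d4=c7=abgpj.exe"]),
    Message("Quarterly figures", ["figures.xlsx"]),
]


def run_sample() -> List[str]:
    """Verdict per sample message, in order."""
    return [str(triage(m)["verdict"]) for m in SAMPLE]


if __name__ == "__main__":
    for m, v in zip(SAMPLE, run_sample()):
        print(f"{v:10s} {m.subject!r} {m.attachments}")
```

Scoring the attachment higher than the subject is deliberate: the lure themes rotate month to month (compare the subject-line table later in the report), whereas an executable posing as a scanned document is suspicious regardless of what the subject says.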
5. Spammers exploit WordPress vulnerability to promote
pharmaceutical spam Web sites
8. Additional Spam Metrics
Spam URL TLD Distribution
TLD      September   August   Change (% points)
.com     59.5%       57.6%    +1.9
.info    10.5%       18.4%    -7.9
.ru      8.1%        7.1%     +1.0
.net     5.8%        5.8%     0

Average Spam Message Size
Message Size   September   August   Change (% points)
0Kb – 5Kb      48.1%       49.7%    -1.6
5Kb – 10Kb     25.6%       35.2%    -9.6
>10Kb          26.2%       15.0%    +11.2
9. Spam Subject Line Analysis
September 2011
Rank   Total Spam: Top Subject Lines                                   No. of Days
1      UPS notification                                                6
2      Uniform traffic ticket                                          4
3      You have notifications pending                                  22
4      SALE OFF: Pharmacy store!                                       2
5      (blank subject line)                                            31
6      Re: Windows 7, Office 2010, Adobe CS5 …                         12
7      Sarah Sent You A Message                                        11
8      Ed-Meds-Antidepressants-And-Pain Relief-Meds-8O%-OFF            25
9      Fw: Fw: Fw: Fw: Windows 7, Office 2010, Adobe CS5 …             9
10     Fw: Windows 7, Office 2010, Adobe CS5 …                         9

August 2011
Rank   Total Spam: Top Subject Lines                                                              No. of Days
1      (blank subject line)                                                                       31
2      ED-Meds-Antidepressants-And-Pain Relief-Meds-8O%-OFF                                       31
3      Buy Advanced Penis Enlargement Pill now, it is selling fast.                               31
4      Made of the most potent clinically proven natural herbs.                                   31
5      Permanently increases length and width of your erection. Advanced Penis Enlargement Pill.  31
6      Advanced Penis Enlargement Pill. Permanently increases length and width of your erection.  31
7      my hot pics :)                                                                             23
8      found you :)                                                                               23
9      new pics for you..                                                                         24
10     im online now                                                                              23
12. Phishing Rate & Sources
Phishing Web Sites Locations
Country          September   August
United States    50.4%       49.8%
Germany          6.2%        6.5%
United Kingdom   3.8%        3.8%
Canada           3.1%        3.7%
Russia           3.0%        3.0%
China            2.7%        2.5%
France           2.6%        2.7%
Brazil           2.5%        2.6%
Netherlands      2.3%        2.3%
Spain            1.5%        <0.5%
16. Most Frequently Blocked Email Malware
Malware Name % Malware
Gen:Trojan.Heur.FU.bqW@amtJU@oi 5.1%
Gen:Trojan.Heur.BDT.bqW@b8J!Mvci 4.2%
Gen:Trojan.Heur.BDT.bqW@bS6mfcai 4.1%
Exploit/Link-generic-ee68 3.8%
Gen:Trojan.Heur.FU.bqW@a8Y5GDei 3.6%
Gen:Trojan.Heur.BDT.bqW@bC6h06ii 3.4%
Trojan.Zbot 3.1%
Gen:Trojan.Heur.FU.bqW@aiZha1gi 3.0%
Gen:Trojan.Heur.FU.bqW@a4wN11gi 2.9%
Gen:Trojan.Heur.FU.bqW@a0jG0qpi 2.8%
• 72% of email-borne malware was associated with variants of generic polymorphic malware, including Bredolab, Sasfis, SpyEye and Zeus variants
17. New Malware and Spyware Sites Per Day
Web Security Services Activity: New Malware Sites per Day
New sites with spyware        70/day
New sites with web viruses    3,404/day
Total                         3,474/day
• 44.6% of all malicious domains blocked were new in September; an increase of 10.0 percentage points compared with August
• 14.5% of all Web-based malware blocked was new in September; a decrease of 2.9 percentage points since August
19. Most Frequently Blocked Malware at the Endpoint
Malware Name % Malware
W32.Sality.AE 7.8%
W32.Ramnit!html 7.1%
W32.Ramnit.B!inf 6.2%
Trojan.Bamital 6.1%
W32.Downadup.B 3.9%
W32.SillyFDC.BDP!lnk 3.1%
Trojan.ADH.2 2.8%
Trojan.ADH 2.5%
W32.Virut.CF 2.4%
W32.Almanahe.B!inf 2.2%
• 20.8% of the most frequently blocked malware last month was identified and blocked using generic detection.
[1] For further information on these threats, please visit: http://www.symantec.com/business/security_response/landing/threats.jsp
20. Where to next?
• Web:
– www.symanteccloud.com/intelligence
– www.symantec.com/spam
• Twitter:
– @symanteccloud