Symantec Announces February 2011 MessageLabs Intelligence Report: Malware family integration across botnets at higher-than-normal volumes
March 2011 by Symantec
Symantec Corp. announced the publication of its February 2011 MessageLabs Intelligence Report. Analysis reveals that in February, 1 in 290.1 emails (0.345 percent) was malicious, making February among the most prolific periods both in terms of simultaneous attacks and in terms of malware family integration across Zeus (aka Zbot), Bredolab and SpyEye. Also in February, at least 40 variants of malware associated with the Bredolab Trojan were seen, accounting for at least 10.3 percent of the email-borne malware blocked by MessageLabs Intelligence that month. These findings show that, contrary to recent assumptions, Bredolab is not dead, and that techniques previously associated with Bredolab malware have now become common among other major malware families.
Since the end of January, MessageLabs Intelligence has tracked significant volumes of collaborative attacks that use well-timed and carefully crafted targeting techniques. As February began, the attacks increased in number, and these malware families were used aggressively in simultaneous attacks that shared the same propagation techniques, which points to a common origin for the infected emails.
“It seems these ongoing attacks alternate between what historically have been different malware families,” said MessageLabs Intelligence Senior Analyst, Paul Wood. “For example, one day would be dedicated to propagating mainly Zeus (aka Zbot) variants, while another day was dedicated to distributing SpyEye variants. By February 10, these attacks had multiplied further and were being propagated simultaneously with each malware family using its own polymorphic packer to further evade traditional antivirus detection.”
Although the vast majority of attacks were related to Zeus and SpyEye, many of them share characteristics with the well-known Bredolab Trojan, indicating that some of the features associated with Bredolab were being used by Zeus and SpyEye. All of these attacks used a ZIP archive attachment containing an executable that carried the malware code. In February, 1.5 percent of the malware blocked consisted of ZIP archive attachments, and further analysis revealed that 79.2 percent of those were connected with the latest wave of Bredolab, Zeus and SpyEye attacks.
“During the first two weeks of February, MessageLabs Intelligence identified at least four different polymorphic engines in use by these server-side packers being used to change the code structure of the Zeus, Bredolab and SpyEye malware and to increase the number of variants of each,” Wood said. “Considering the technical difficulty of maintaining this number of polymorphic engines and that each evolves quickly to generate such a large number of variants across these three families, this is one of the first times that MessageLabs Intelligence has identified malware collaborating on a technical level to this degree and volume.”
Over the past year, malicious executable files have increased in frequency, alongside PDF files, which remain the most popular file format for malware distribution. PDFs now account for a larger proportion of the document file types used as attack vectors. In 2009, approximately 52.6 percent of targeted attacks used PDF exploits, compared with 65 percent in 2010, an increase of 12.4 percentage points. Despite a downturn this month, if the trend continued as it has over the past year, 76 percent of targeted attacks could be PDF-based by mid-2011.
“PDF-based targeted attacks are here to stay, and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware,” Wood said.
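The two attachment carriers described above, a ZIP archive wrapping an executable and a PDF carrying active content, can be triaged at the mail gateway with a short check. The following Python is an added example written for this page; it is not MessageLabs' detection logic and not code from the report. The heuristics (an MZ header inside the archive, executable and double extensions, and PDF name tokens such as /OpenAction and /JavaScript, including their #XX hex-escaped spellings) are the editor's assumptions, and the sample message is constructed, not a captured attack.

```python
"""Mail attachment triage for the two carriers discussed above: a ZIP archive
wrapping an executable, and a PDF with active content. Added example; the
heuristics are the editor's assumptions, not the report's detection logic."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# PDF name tokens that introduce active content (assumed shortlist).
PDF_RISKY_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile")
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
DOUBLE_EXT = re.compile(r"\.(pdf|doc|xls|jpg|txt)\.[a-z0-9]{2,4}$", re.I)


def _name_pattern(name: str) -> re.Pattern:
    """Match /Name even when characters are written as #XX hex escapes,
    the obfuscation that defeats a naive substring search for '/JavaScript'."""
    alts = [f"(?:{re.escape(c)}|#{ord(c):02x}|#{ord(c):02X})" for c in name]
    return re.compile(rb"/" + "".join(alts).encode() + rb"(?![A-Za-z0-9])")


def pdf_findings(data: bytes) -> list:
    """Return the risky name tokens present in a PDF byte string."""
    return [n for n in PDF_RISKY_NAMES if _name_pattern(n).search(data)]


def zip_findings(data: bytes) -> list:
    """Return (member, reasons) for archive members that look executable.
    The MZ header check is what the extension tricks are meant to hide."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(2)          # only peek at the header
            reasons = []
            if head == b"MZ":
                reasons.append("PE header (MZ)")
            if info.filename.lower().endswith(EXEC_EXTENSIONS):
                reasons.append("executable extension")
            if DOUBLE_EXT.search(info.filename):
                reasons.append("double extension")
            if reasons:
                found.append((info.filename, reasons))
    return found


def triage_message(raw: bytes) -> list:
    """Walk the attachments of a raw RFC 822 message and return
    (attachment, member, reasons) for anything suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04"):          # ZIP local file header
            for member, reasons in zip_findings(payload):
                report.append((fname, member, reasons))
        elif payload.startswith(b"%PDF"):
            hits = pdf_findings(payload)
            if hits:
                report.append((fname, None, ["active content: " + ", ".join(hits)]))
    return report


def build_sample() -> bytes:
    """Constructed message (not a real capture): a ZIP hiding a fake PE behind a
    double extension, and a PDF whose /JavaScript name is hex-escaped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_02_2011.pdf.exe", b"MZ" + b"\x00" * 62)
    pdf = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
           b"2 0 obj<</S/J#61vaScript/JS(app.alert(1))>>endobj\n%%EOF\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice February 2011"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, member, reasons in triage_message(build_sample()):
        print(attachment, member or "-", "; ".join(reasons))
```

The MZ check is the one that survives renaming: a packer that produces a fresh variant for every run still has to emit a PE image, so the gateway decision should rest on the member's header rather than its file name. The hex-escape tolerant name matcher matters for the same reason on the PDF side; a scanner that looks for the literal string `/JavaScript` is defeated by `/J#61vaScript`, which the PDF reader treats as the same name.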
Other report highlights:
Spam: In February 2011, the global ratio of spam in email traffic from new and previously unknown bad sources was 81.3 percent (1 in 1.23 emails), an increase of 2.7 percentage points since January.
Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 290.1 emails (0.345 percent) in February, an increase of 0.07 percentage points since January. In February, 63.5 percent of email-borne malware contained links to malicious websites, a decrease of 1.6 percentage points since January.
Endpoint Threats: Threats against endpoint devices such as laptops, PCs and servers may penetrate an organization in a number of ways, including drive-by attacks from compromised websites, Trojan horses and worms that spread by copying themselves to removable drives. Analysis of the most frequently blocked malware for the last month revealed that the Sality.AE virus was the most prevalent. Sality.AE spreads by infecting executable files and attempts to download potentially malicious files from the Internet.
Phishing: In February, phishing activity was 1 in 216.7 emails (0.462 percent), an increase of 0.22 percentage points since January.
Web security: Analysis of web security activity shows that 38.9 percent of malicious domains blocked were new in February, a decrease of 2.2 percentage points since January.
Additionally, 20.3 percent of all web-based malware blocked was new in February, a decrease of 2.2 percentage points since last month. MessageLabs Intelligence also identified an average of 4,098 new web sites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 13.7 percent since January.
Geographical Trends:
· China became the most spammed country in February, with a spam rate of 86.2 percent.
· In the US and Canada, 81.4 percent of email was spam. Spam levels in the UK were 81.1 percent.
· In The Netherlands, spam accounted for 82.2 percent of email traffic, while spam levels reached 81.2 percent in Germany, 81.7 percent in Denmark and 81.0 percent in Australia.
· Spam levels in Hong Kong reached 82.8 percent and 80.4 percent in Singapore. Spam levels in Japan were 78.5 percent. In South Africa, spam accounted for 81.6 percent of email traffic.
· South Africa remained the country most targeted by email-borne malware, with 1 in 81.8 emails blocked as malicious in February.
· In the UK, 1 in 139.0 emails contained malware. In the US virus levels were 1 in 713.6 and 1 in 328.8 for Canada. In Germany, virus levels reached 1 in 393.1, 1 in 451.1 in Denmark and 1 in 910.4 for The Netherlands.
· In Australia, 1 in 365.8 emails were malicious, 1 in 455.3 for Hong Kong, 1 in 1,331.0 for Japan, 1 in 828.9 for Singapore and 1 in 457.0 for China.
Vertical Trends:
· In February, the most spammed industry sector with a spam rate of 84.3 percent continued to be the Automotive sector.
· Spam levels for the Education sector were 82.6 percent, 81.7 percent for the Chemical & Pharmaceutical sector, 81.4 percent for IT Services, 80.8 percent for Retail, 80.1 percent for Public Sector and 80.2 percent for Finance.
· In February, Government/Public Sector remained the most targeted industry for malware with 1 in 41.1 emails being blocked as malicious.
· Virus levels for the Chemical & Pharmaceutical sector were 1 in 458.3, 1 in 394.4 for the IT Services sector, 1 in 514.3 for Retail, 1 in 137.2 for Education and 1 in 436.9 for Finance.
The February 2011 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends.
The full report is available at http://www.messagelabs.com/intellig....
Symantec’s MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.