Symantec Announces February 2011 MessageLabs Intelligence Report: Malware family integration across botnets at higher-than-normal volumes

March 2011 by Symantec

Symantec Corp. announced the publication of its February 2011 MessageLabs Intelligence Report. Analysis reveals that in February, 1 in 290.1 emails (0.345%) was malicious, making February among the most prolific time periods both in terms of simultaneous attacks and malware family integration across Zeus (aka Zbot), Bredolab and SpyEye. Also in February, there were at least 40 variants of malware associated with the Bredolab Trojan, accounting for at least 10.3 percent of email-borne malware blocked by MessageLabs Intelligence in February. These latest findings reveal that, contrary to recent beliefs, Bredolab is not dead, and techniques previously associated with Bredolab malware have now become more common among other major malware families.

Since the end of January, MessageLabs Intelligence has tracked significant volumes of collaborative attacks
that make use of well-timed and carefully crafted targeted techniques. As February began, the attacks increased
in number and these malware families were used aggressively to conduct simultaneous attacks via propagation
techniques, signaling the likelihood of a common origin for these infected emails.

“It seems these ongoing attacks alternate between what historically have been different malware families,” said MessageLabs Intelligence Senior Analyst, Paul Wood. “For example, one day would be dedicated to propagating mainly Zeus (aka Zbot) variants, while another day was dedicated to distributing SpyEye variants. By February 10, these attacks had multiplied further and were being propagated simultaneously with each malware family using its own polymorphic packer to further evade traditional antivirus detection.”

Although the vast majority of attacks were related to Zeus and SpyEye, many of the attacks share commonalities with the well-known Bredolab Trojan, indicating some of the features associated with Bredolab were being used by Zeus and SpyEye. All of these attacks made use of a ZIP archive attachment that contained an executable comprising the malware code. In February, 1.5% of malware blocked comprised ZIP archive attachments, and further analysis revealed that 79.2% of this was connected with the latest wave of Bredolab, Zeus and SpyEye attacks.
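The delivery vector described above (a ZIP attachment carrying an executable, often with a misleading file name) is something a mail gateway can screen for before a signature exists. The following is an added illustration, not MessageLabs or Symantec code: it inspects each archive member and flags it when its content starts with the Windows PE/DOS "MZ" header or when it carries an executable extension, so renaming the payload does not hide it. The sample archive is constructed inline; the helper names are hypothetical.

```python
import io
import zipfile

# Magic bytes at the start of every Windows PE executable (the DOS "MZ" header).
PE_MAGIC = b"MZ"
# Extensions Windows will run directly; checked in addition to the magic bytes.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def find_executables_in_zip(zip_bytes: bytes) -> list:
    """Return the names of archive members that look like Windows executables.

    A member is flagged if its first two bytes are the PE/DOS 'MZ' header
    (regardless of the name it was given) or if it has an executable extension.
    Hypothetical gateway helper for illustration only.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))  # only the header is needed
            by_magic = head == PE_MAGIC
            by_ext = info.filename.lower().endswith(EXEC_EXTENSIONS)
            if by_magic or by_ext:
                flagged.append(info.filename)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample archive: two disguised executables and one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Stand-in payload: just an MZ header, named to look like a PDF (double extension).
        zf.writestr("Invoice_Feb2011.pdf.exe", PE_MAGIC + b"\x00" * 64)
        zf.writestr("notes.txt", b"plain text, not flagged")
        # Executable content hidden behind a document extension; caught by the magic bytes.
        zf.writestr("report.doc", PE_MAGIC + b"\x90" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_executables_in_zip(build_sample_zip()))
```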

“During the first two weeks of February, MessageLabs Intelligence identified at least four different polymorphic engines in use by these server-side packers being used to change the code structure of the Zeus, Bredolab and SpyEye malware and to increase the number of variants of each,” Wood said. “Considering the technical difficulty of maintaining this number of polymorphic engines and that each evolves quickly to generate such a large number of variants across these three families, this is one of the first times that MessageLabs Intelligence has identified malware collaborating on a technical level to this degree and volume.”

Over the past year, malicious executable files have increased in frequency along with PDF files, the most popular file format for malware distribution. PDFs now account for a larger proportion of document file types used as attack vectors. In 2009, approximately 52.6 percent of targeted attacks used PDF exploits, compared with 65 percent in 2010, an increase of 12.4 percent. Despite a downturn this month, if the trend were to continue as it has over the past year, 76 percent of targeted malware could be used for PDF-based attacks by mid-2011.

“PDF-based targeted attacks are here to stay, and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware,” Wood said.

Other report highlights:

Spam: In February 2011, the global ratio of spam in email traffic from new and previously unknown bad sources was 81.3 percent (1 in 1.23 emails), an increase of 2.7 percentage points since January.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 290.1 emails (0.345 percent) in February, an increase of 0.07 percentage points since January. In February, 63.5 percent of email-borne malware contained links to malicious websites, a decrease of 1.6 percentage points since January.

Endpoint Threats: Threats against endpoint devices such as laptops, PCs and servers may penetrate an organization in a number of ways, including drive-by attacks from compromised websites, Trojan horses and worms that spread by copying themselves to removable drives. Analysis of the most frequently blocked malware for the last month revealed that the Sality.AE virus was the most prevalent. Sality.AE spreads by infecting executable files and attempts to download potentially malicious files from the Internet.

Phishing: In February, phishing activity was 1 in 216.7 emails (0.462 percent), an increase of 0.22 percentage points since January.

Web security: Analysis of web security activity shows that 38.9 percent of malicious domains blocked were new in February, a decrease of 2.2 percentage points since January. Additionally, 20.3 percent of all web-based malware blocked was new in February, a decrease of 2.2 percentage points since last month. MessageLabs Intelligence also identified an average of 4,098 new web sites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 13.7 percent since January.

Geographical Trends:

· China became the most spammed country in February with a spam rate of 86.2 percent.

· In the US and Canada, 81.4 percent of email was spam. Spam levels in the UK were 81.1 percent.

· In The Netherlands, spam accounted for 82.2 percent of email traffic, while spam levels reached 81.2 percent in Germany, 81.7 percent in Denmark and 81.0 percent in Australia.

· Spam levels in Hong Kong reached 82.8 percent and 80.4 percent in Singapore. Spam levels in Japan were 78.5 percent. In South Africa, spam accounted for 81.6 percent of email traffic.

· South Africa remained the most targeted by email-borne malware with 1 in 81.8 emails blocked as malicious in February.

· In the UK, 1 in 139.0 emails contained malware. In the US virus levels were 1 in 713.6 and 1 in 328.8 for Canada. In Germany, virus levels reached 1 in 393.1, 1 in 451.1 in Denmark and 1 in 910.4 for The Netherlands.

· In Australia, 1 in 365.8 emails were malicious, and 1 in 455.3 for Hong Kong; for Japan it was 1 in 1,331.0, compared with 1 in 828.9 for Singapore and 1 in 457.0 for China.

Vertical Trends:

· In February, the Automotive sector continued to be the most spammed industry sector, with a spam rate of 84.3 percent.

· Spam levels for the Education sector were 82.6 percent, 81.7 percent for the Chemical & Pharmaceutical sector, 81.4 percent for IT Services, 80.8 percent for Retail, 80.1 percent for Public Sector and 80.2 percent for Finance.

· In February, Government/Public Sector remained the most targeted industry for malware with 1 in 41.1 emails being blocked as malicious.

· Virus levels for the Chemical & Pharmaceutical sector were 1 in 458.3, 1 in 394.4 for the IT Services sector, 1 in 514.3 for Retail, 1 in 137.2 for Education and 1 in 436.9 for Finance.

The February 2011 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at http://www.messagelabs.com/intelligence.aspx.

Symantec’s MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.
