<?xml version="1.0" encoding="utf-8" ?><rss version="2.0" xml:base="http://www.messagingnews.com/taxonomy/term/166/all" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>MessageLabs</title>
    <link>http://www.messagingnews.com/taxonomy/term/166/all</link>
    <description></description>
    <language>en</language>
          <item>
    <title>Symantec MessageLabs Intelligence Report Finds Polymorphic and PDF-based Attacks on the Rise </title>
    <link>http://www.messagingnews.com/short-takes/symantec-messagelabs-intelligence-report-finds-polymorphic-and-pdf-based-attacks-rise</link>
    <description>&lt;p&gt;In the recently released &lt;a href=&quot;http://www.symantec.com&quot; target=&quot;_blank&quot;&gt;Symantec&lt;/a&gt; February 2011&lt;a href=&quot;http://www.symantec.com/messagelabs&quot; target=&quot;_blank&quot;&gt; MessageLabs&lt;/a&gt; Intelligence Report, analysis revealed that in February of this year, 1 in 290 emails were malicious, making the month among the most prolific time periods both in terms of simultaneous attacks and malware family integration. Variants of singular attacks are constantly being created and combined with other instances of malware to enhance their ability to slip past existing malware detection engines and security&amp;nbsp;features.&lt;/p&gt;
&lt;p&gt;The report found that there were at least 40 variants of malware associated with the Bredolab Trojan in February, accounting for over 10 percent of email-borne malware blocked by MessageLabs Intelligence in February. Although it was thought that Bredolab was extinct, it’s clear that it’s not, and techniques previously associated with the malware are becoming more common among other major malware families, underscoring the trend in malware variant&amp;nbsp;creation.&lt;/p&gt;
&lt;p&gt;“It seems these ongoing attacks alternate between what historically have been different malware families,” said MessageLabs Intelligence Senior Analyst, Paul Wood. “For example, one day would be dedicated to propagating mainly Zeus (aka. Zbot) variants, while another day was dedicated to distributing SpyEye variants. By February 10, these attacks had multiplied further and were being propagated simultaneously with each malware family using its own polymorphic packer to further evade traditional antivirus&amp;nbsp;detection.”&lt;/p&gt;
&lt;p&gt;Since the end of January 2011, MessageLabs Intelligence had tracked significant volumes of collaborative attacks that make use of timely and targeted techniques. At the onset of February, the attacks increased and malware families were used aggressively to conduct simultaneous attacks via propagation techniques, signaling a criminal interpretation of “reuse and recycle” by exposing a common origin for these infected&amp;nbsp;emails.&lt;/p&gt;
&lt;p&gt;Although the vast majority of attacks were related to Zeus and SpyEye, many of the attacks share commonalities with the well-known Bredolab Trojan, indicating some of its features were also being used by Zeus and SpyEye. All of the attacks used a ZIP file attachment containing executable
malware&amp;nbsp;code. &lt;/p&gt;
&lt;p&gt;“During the first two weeks of February, MessageLabs Intelligence identified at least four different polymorphic engines in use by these server-side packers being used to change the code structure of the Zeus, Bredolab and SpyEye malware and to increase the number of variants of each,” Wood said. “Considering the technical difficulty of maintaining this number of polymorphic engines and that each evolves quickly to generate such a large number of variants across these three families, this is one of the first times that MessageLabs Intelligence has identified malware collaborating on a technical level to this degree and&amp;nbsp;volume.”&lt;/p&gt;
&lt;p&gt;Over the past year, malicious executable files have increased in frequency along with PDF files, the most popular file format for malware distribution. PDFs now account for the largest proportion of file types used for attacks. In 2010, 65 percent of targeted attacks used PDF exploits compared to approximately 52.6 percent in 2009. Though there has been a slight downturn recently, the researchers feel that if the trend continues on the same path, by mid-2011, 76 percent of targeted malware could come from PDF-based&amp;nbsp;attacks.&lt;/p&gt;
&lt;p&gt;“PDF-based targeted attacks are here to stay, and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware,” Wood&amp;nbsp;said.&lt;/p&gt;
&lt;h2&gt;A few other report&amp;nbsp;highlights:&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Spam:&lt;/strong&gt; In February 2011, the global ratio of spam in email traffic from new and previously unknown malicious sources was approximately 83 percent (1 in 1.23 emails), an increase of 2.7 percent since&amp;nbsp;January.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Viruses:&lt;/strong&gt; The global ratio of email-borne viruses in email traffic from new and previously unknown malicious sources was 1 in 290 emails in February, an increase of .07 percent since January. In February, 63.5 percent of email-borne malware contained links to malicious websites, a decrease of 1.6 percent since&amp;nbsp;January.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Endpoint Threats:&lt;/strong&gt; Threats against endpoint devices such as laptops, PCs and servers may penetrate an organization in a number of ways, including drive-by attacks from compromised websites, Trojan horses and worms that spread by copying themselves to removable drives. Analysis of the most frequently blocked malware for the last month revealed that the Sality.AE virus was the most prevalent. Sality.AE
spreads by infecting executable files and attempts to download potentially malicious files from the&amp;nbsp;Internet.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Phishing:&lt;/strong&gt; In February, phishing activity affected 1 in 216.7 emails, an increase of 0.22
percent since&amp;nbsp;January.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Web security: &lt;/strong&gt;Analysis of web security activity shows that in February, nearly 40 percent of malicious domains blocked were new, a decrease of 2.2 percent since January. Also in February, 20 percent of all web-based malware blocked was new, a decrease of 2.2 percent since last month. MessageLabs Intelligence also identified an average of 4,098 new web sites &lt;em&gt;per day&lt;/em&gt; harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 13.7 percent since&amp;nbsp;January.&lt;/p&gt;
&lt;h2&gt;Geographical&amp;nbsp;Trends:&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;China became the most spammed country in February with a spam rate of 86.2&amp;nbsp;percent.&lt;/li&gt;
&lt;li&gt;In the US and Canada, 81.4 percent of email was spam. Spam levels in the UK were 81.1&amp;nbsp;percent.&lt;/li&gt;
&lt;li&gt;In The Netherlands, spam accounted for 82.2 percent of email traffic, while spam levels reached 81.2 percent in Germany, 81.7 percent in Denmark and 81.0 percent in&amp;nbsp;Australia.&lt;/li&gt;
&lt;li&gt;Spam levels in Hong Kong reached 82.8 percent and 80.4 percent in Singapore. Spam levels in Japan were 78.5 percent. In South Africa, spam accounted for 81.6 percent of email&amp;nbsp;traffic.&lt;/li&gt;
&lt;li&gt;South Africa remained the most targeted by email-borne malware with 1 in 81.8 emails blocked as
malicious in&amp;nbsp;February.&lt;/li&gt;
&lt;li&gt;In the UK, 1 in 139.0 emails contained malware. In the US virus levels were 1 in 713.6 and 1 in 328.8 for Canada. In Germany, virus levels reached 1 in 393.1, 1 in 451.1 in Denmark and 1 in 910.4 for The&amp;nbsp;Netherlands.&lt;/li&gt;
&lt;li&gt;In Australia, 1 in 365.8 emails were malicious, compared with 1 in 455.3 for Hong Kong, 1 in 1,331.0 for Japan, 1 in 828.9 for Singapore and 1 in 457.0 for&amp;nbsp;China.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Vertical&amp;nbsp;Trends:&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;In February, Automotive was the most spammed industry sector with a spam rate of 84.3&amp;nbsp;percent.&lt;/li&gt;
&lt;li&gt;Spam levels for the Education sector were 82.6 percent, 81.7 percent for the Chemical &amp;amp; Pharmaceutical sector, 81.4 percent for IT Services, 80.8 percent for Retail, 80.1 percent for Public Sector and 80.2 percent for&amp;nbsp;Finance.&lt;/li&gt;
&lt;li&gt;In February, Government/Public Sector remained the most targeted industry for malware with 1
in 41.1 emails being blocked as&amp;nbsp;malicious.&lt;/li&gt;
&lt;li&gt;Virus levels for the Chemical &amp;amp; Pharmaceutical sector were 1 in 458.3, 1 in 394.4 for the IT Services sector, 1 in 514.3 for Retail, 1 in 137.2 for Education and 1 in 436.9 for&amp;nbsp;Finance.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a href=&quot;http://www.messagelabs.com/intelligence.aspx&quot; target=&quot;_blank&quot;&gt;The February 2011 MessageLabs Intelligence Report&lt;/a&gt; provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical&amp;nbsp;trends.&lt;/p&gt;</description>
     <comments>http://www.messagingnews.com/short-takes/symantec-messagelabs-intelligence-report-finds-polymorphic-and-pdf-based-attacks-rise#comments</comments>
 <category domain="http://www.messagingnews.com/category/authors/messaging-news-staff">Messaging News staff</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/internet-security">Internet Security</category>
 <category domain="http://www.messagingnews.com/virus-protection">Virus Protection</category>
 <category domain="http://www.messagingnews.com/antimalware">Antimalware</category>
 <category domain="http://www.messagingnews.com/tag/tags/messagelabs">MessageLabs</category>
 <category domain="http://www.messagingnews.com/tag/tags/phishing-attacks">phishing attacks</category>
 <category domain="http://www.messagingnews.com/tag/polymorphic-attacks">Polymorphic Attacks</category>
 <category domain="http://www.messagingnews.com/tag/tags/symantec">Symantec</category>
 <category domain="http://www.messagingnews.com/tag/trojans">trojans</category>
 <pubDate>Thu, 03 Mar 2011 00:57:51 +0000</pubDate>
 <dc:creator>Melisa LaBancz-Bleasdale</dc:creator>
 <guid isPermaLink="false">30776 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>Nine Out of Ten Spam Emails Now Contain a URL Link</title>
    <link>http://www.messagingnews.com/eyeonmessaging/stephanie-jordan/nine-out-ten-spam-emails-now-contain-url-link</link>
    <description>&lt;p&gt;Last week the May edition of &lt;a href=&quot;http://www.symantec.com&quot;&gt;Symantec’s&lt;/a&gt; MessageLabs Intelligence monthly report
was published. The report states that the proportion
of spam emails that include some form of URL or hyperlink has grown by one
percentage point since 2009, from 91 percent in 2009 to 92 percent for 2010, to
date. While that may not sound like much of an increase, the report reveals
that it translates to nine out of 10 spam&amp;nbsp;emails. &lt;/p&gt;
&lt;p&gt;An interesting data point is
about the domains used to form the hyperlinks: many are actually legitimate.
The report distinguishes between disposable domains, those that are used within
a few days for specific spam tactics and then abandoned, and the legitimate&amp;nbsp;ones.&lt;/p&gt;
&lt;p&gt;“Domains belonging to
well-known Web sites tend to be recycled and used continuously compared with
‘disposable’ domains which are used for a short period of time and never seen
again,” says MessageLabs Intelligence Senior Analyst Paul Wood. “Perhaps this
is because there is some work involved in acquiring them: the legitimate
domains require CAPTCHAs to be solved to create the large numbers of accounts
that are then used by&amp;nbsp;spammers.” &lt;/p&gt;
&lt;p&gt;The
report states: “Of
the most frequently occurring domains found in spam URLs, the top four are
legitimate and belong to major well-known Web sites used for social networking,
blogging, file-sharing and other forms of user-generated content.” These
account for 5 percent of all domains found in spam URLs. The bulk of the spam
URLs (95 percent) were of the disposable&amp;nbsp;variety.&lt;/p&gt;
&lt;p&gt;Known botnets are serving up the spam, using a
combination of the legitimate and disposable with a heavier emphasis on the
disposable domains, with the exception of Storm. The Storm botnet, which had
been silenced for a time, has returned and is, according to the report, the
only botnet that uses legitimate domains in greater number (65 percent) than it
uses disposable&amp;nbsp;domains.&lt;/p&gt;
&lt;p&gt;MessageLabs&amp;#8217; analysts did some Autonomous System
Number (ASN) sleuthing. (AS numbers are important because the ASN uniquely
identifies each network on the Internet.) According to the report: “Where an AS
number could be determined for a particular IP address, MessageLabs
Intelligence identified that as few as five ASNs were responsible for hosting
content for 42 percent of the disposable spam domains scrutinized during May.
These were located in the following countries: United States (17 percent of all
domains), China (13 percent), Ukraine (8 percent) and France (4&amp;nbsp;percent).”&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.messagelabs.com/intelligence.aspx&quot;&gt;The whole report&lt;/a&gt;, which offers more information, as well as a variety of other findings,
is available for&amp;nbsp;download. &lt;/p&gt;
&lt;p&gt;Eye on Messaging is written
by Stephanie Jordan, editor in chief of Messaging News. If you have story ideas
or news to share, email her: &lt;span class=&quot;spamspan&quot;&gt;&lt;span class=&quot;u&quot;&gt;sjordan&lt;/span&gt; [at] &lt;span class=&quot;d&quot;&gt;messagingnews [dot] com&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
</description>
     <comments>http://www.messagingnews.com/eyeonmessaging/stephanie-jordan/nine-out-ten-spam-emails-now-contain-url-link#comments</comments>
 <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/anti-phishing">Anti-Phishing</category>
 <category domain="http://www.messagingnews.com/internet-worm-protection">Internet Worm Protection</category>
 <category domain="http://www.messagingnews.com/tag/tags/messagelabs">MessageLabs</category>
 <category domain="http://www.messagingnews.com/tag/tags/symantec">Symantec</category>
 <pubDate>Thu, 03 Jun 2010 07:29:19 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">21567 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>Olympic Games Attracting Malware Writers </title>
    <link>http://www.messagingnews.com/story/olympic-games-attracting-malware-writers</link>
    <description>&lt;p&gt;Along with the upcoming Vancouver 2010 Winter Games, come cyber criminals using the event to spread malware and stage targeted attacks. &lt;a href=&quot;http://www.messagelabs.com/&quot;&gt;MessageLabs&lt;/a&gt; Intelligence research offers two examples to be on the lookout&amp;nbsp;for:&lt;/p&gt;
&lt;p&gt;An email with the subject, “Information and resources to help you travel during the Vancouver 2010 Winter Games. TravelSmart 2010.htm” which includes legitimate links to genuine sites. However, the company says a hidden iframe embedded in the email itself can be used to drop almost anything on the victim’s&amp;nbsp;computer.&lt;/p&gt;
&lt;p&gt;MessageLabs Intelligence also detected an Olympic-themed targeted attack with the subject, “How to make Olympics more interesting.” While the body of the email is simple, there is an attached presentation program file that is malicious and attempts to use an exploit to install malware on the target&amp;nbsp;machine.&lt;/p&gt;
&lt;p&gt;“We have seen three instances of this attack so far in February, which is a very small number in terms of global malware, but by its nature it is not designed to be widespread,&amp;#8221; explains Paul Wood, MessageLabs Intelligence senior analyst for Symantec Hosted Services. “As a targeted attack, it is meant to attempt to gain access to a small number of specific users’ machines. If just one gets through, the damage to the victim could be&amp;nbsp;substantial.” &lt;/p&gt;
&lt;p&gt;To avoid becoming a victim during the 2010 Games, Symantec recommends the following best&amp;nbsp;practices:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Purchase official Olympic tickets&amp;#8212;When buying tickets online, even from an auction site, be sure it is a reputable online source. For instance, Vancouver2010.com is offering fan-to-fan tickets on a first come, first-served&amp;nbsp;basis.&lt;/li&gt;
&lt;li&gt;If it sounds too good to be true, it probably is&amp;#8212;Many cybercriminals use extravagant promises such as “exclusive” Olympic pins and merchandise to lure victims into clicking through to malicious sites and divulging personal&amp;nbsp;information.&lt;/li&gt;
&lt;li&gt;Use caution when clicking links from within emails or IM messages&amp;#8212;Links can contain viruses or Trojans, or lead users to infected websites. Never click a link in a suspicious email. Instead, make it a habit to type the full Web site URL, such as &lt;a href=&quot;http://www.YouTube.com&quot; title=&quot;http://www.YouTube.com&quot;&gt;http://www.YouTube.com&lt;/a&gt;, into your Web&amp;nbsp;browser.&lt;/li&gt;
&lt;li&gt;Never fill out forms in messages&amp;#8212;Legitimate 2010 Winter Games organizers/sponsors will never ask for personal, financial or password information through an email&amp;nbsp;message.&lt;/li&gt;
&lt;/ul&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/anti-phishing">Anti-Phishing</category>
 <category domain="http://www.messagingnews.com/tag/tags/messagelabs">MessageLabs</category>
 <pubDate>Fri, 12 Feb 2010 02:12:28 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">11268 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>Mega-D/Ozdok Botnet Take Down</title>
    <link>http://www.messagingnews.com/story/mega-dozdok-botnet-take-down</link>
    <description>&lt;p&gt;At the time the McColo ISP went down a year ago, Ozdok
a.k.a. Mega-D became the biggest of the spam botnets, and ever since has
remained in the top 10 of spam bots. Earlier this month, researchers at
&lt;a href=&quot;http://www.fireeye.com&quot;&gt;FireEye, Inc.&lt;/a&gt; decided to attempt a take down of&amp;nbsp;Mega-D. &lt;/p&gt;
&lt;p&gt;“Our research team researched this particular botnet and
after weeks of data analysis, on November 3 they came out with the information
on the command and control locations, the IP addresses, and all the background
detail,” explains Phillip Lin, director of marketing for FireEye. Armed with
the data and encouraged by the success of its role in the take down of the
Srizbi botnet and shut down of McColo, the FireEye researchers reached out into
the messaging&amp;nbsp;community.&lt;/p&gt;
&lt;p&gt;“We did what we considered to be the right thing,” continues
Lin. “Which was to submit it to the abuse departments of various organizations
saying, ‘Hey, if you didn’t know, you’re hosting some bad stuff.’ As it turned
out, probably because of the coverage we received last year from the Srizbi bot
and McColo, the abuse departments responded fairly quickly and made it a more coordinated&amp;nbsp;effort.”&lt;/p&gt;
&lt;p&gt;Those actions included taking down domain names, cutting off
the command and control servers, and hosting providers actually shutting off
machines. “What effectively ended up happening was, as of the 6th, the botnet
was turned&amp;nbsp;off.”&lt;/p&gt;
&lt;p&gt;According to Lin, FireEye estimates there were about 246,000+
live/active bots in Mega-D. He notes that, “Many bots stay dormant if the
cybercriminal operator doesn’t light them up. Based on our stats, the top Geo
breakdowns of where the bots were located were Brazil with 11.5 percent; India
with 11.0 percent; Viet Nam with 10.9 percent; Russian Federation with 5.2
percent; and Mexico with 3.6&amp;nbsp;percent.”&lt;/p&gt;
&lt;p&gt;In its blog, &lt;a href=&quot;http://www.symantec.com/connect/blogs/mega-d-aka-ozdok-crippled&quot;&gt;MessageLabs Intelligence&lt;/a&gt; commends FireEye’s work, stating: “It seems their actions have been very
successful indeed, as our monitoring shows a huge decline in this previously
prolific botnet&amp;#8217;s activity.” The MessageLabs blog also offers a graph showing a
dramatic plummet of Mega-D unique IP addresses on the 4th and the days that&amp;nbsp;follow.&lt;/p&gt;
&lt;p&gt;Lin says that FireEye was pleased with the response to its
research and pleased to work with others to confirm its findings: “We felt like the
community is finally getting to the point where they understand the scale of
the problem, and can see the effectiveness of doing a coordinated shut down of
a botnet.” Lin also felt it was acknowledged that “FireEye is a reputable
player, and that you can trust our data. We have been working back and forth
and hopefully we will have an even quicker process in the future, but it takes
weeks of research to dig up all the different&amp;nbsp;pieces.”&lt;/p&gt;
&lt;p&gt;The latest news on the take down comes from a blog by Todd
Rosenberry, FireEye Malware Intelligence Lab, where he writes that the botnet
has been contained for over a week, and that moving forward
&lt;a href=&quot;http://shadowserver.org/wiki/&quot;&gt;Shadowserver&lt;/a&gt;, the all volunteer watchdog
group, will take over monitoring the&amp;nbsp;botnet.&lt;/p&gt;
&lt;p&gt;To follow the adventures of the FireEye team and learn more,
&lt;a href=&quot;http://blog.fireeye.com/research/&quot;&gt;read the researchers’ account&lt;/a&gt;.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/botnet-detection">Botnet Detection</category>
 <category domain="http://www.messagingnews.com/tag/tags/fireeye">FireEye</category>
 <category domain="http://www.messagingnews.com/tag/tags/mega-d">Mega-D</category>
 <category domain="http://www.messagingnews.com/tag/tags/messagelabs">MessageLabs</category>
 <pubDate>Thu, 19 Nov 2009 09:03:48 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">7013 at http://www.messagingnews.com</guid>
  </item>
  </channel>
</rss>

