Symantec

Spam Dips to Lowest Level Since 2008

Stephanie Jordan — Thu, 30 Jun 2011 02:48:49 +0000

Messaging experts expend a great deal of time and energy following trends and offering analysis. The latest report from Symantec states that June spam levels are currently at the lowest level since the November 2008 takedown of McColo, a California based ISP which hosted command and control channels for a number of major botnets. Its June 2011 Symantec Intelligence Report, which is the first Symantec report to combine research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report, reveals spam accounted for 72.9 percent of email in June, returning to the same level as in April earlier this year. According to Symantec Intelligence, 76.6 percent of this spam was sent by botnets, compared with 83.1 percent in March.

“Despite the decrease in botnet spam this month, they should still be considered a dangerous force on the Internet,” believes Paul Wood, senior intelligence analyst, Symantec.cloud. “Cybercriminals continue to use botnets to conduct distributed denial of service attacks (DDoS), carry out fraudulent click-thrus on unsuspecting Web sites for financial gain, host illegal Web site content on infected computers, harvest personal data from infected users and install spyware to track victims’ activities online.”

Wood goes on to say that following the March disruption of Rustock, the largest spam-sending botnet, approximately 36.9 billion spam emails were in circulation each day during April. This number rose to 41.7 billion in May, before falling back to 39.2 billion in June. “Spam remains a huge problem and spam levels continue to be unpredictable,” he states.

Other highlights from the report:

Pharmaceutical Spam: In the latest analysis, spam relating to pharmaceutical products accounted for 40 percent of all spam in June 2011, declining from 64.2 percent at the end of 2010. Symantec Intelligence also reports a new spam tactic in use that introduces the “Wiki” name prefix for the promotion of fake pharmaceutical products relating to a new pharmacy brand, WikiPharmacy. The “Subject:” line in these attacks has a lot of randomization contained in the text. The “From:” header is either fake or a hijacked ISP account that gives a personalized appearance to the email.

Adult Spam: Researchers note that spam subject line analysis shows that adult spam continues to flourish.

Phishing: In June, phishing activity decreased by 0.06 percent since May 2011; one in 286.7 emails (0.349 percent) comprised some form of phishing attack. South Africa remains the most targeted geography for phishing emails in June, with 1 in 111.7 emails identified as phishing attacks. In the UK, phishing accounted for 1 in 130.2 emails, in the U.S. 1 in 1,270 and in Canada 1 in 207.7.

E-mail-borne Threats: The global ratio of email-borne viruses in email traffic was one in 300.7 emails (0.333 percent) in June, a decrease of 0.117 percentage points since May 2011.

Web-based Malware Threats: In June, MessageLabs Intelligence identified an average of 5,415 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 70.8percent percent since May 2011.

Endpoint Threats: The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit[1], a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions.

Read the June 2011 Symantec Intelligence Report (PDF) for more findings.

UN and ITU team up to fight Cybercrime

Melisa LaBancz-Bleasdale — Tue, 24 May 2011 06:38:57 +0000

On May 19, 2011 the ITU , the United Nations agency for information and communications technologies, cemented new global partnerships designed to make cyberspace a safer, more secure place to be for consumers, businesses, and – most crucially – children and youth.

A Memorandum of Understanding (MoU), signed between ITU and the United Nations Office on Drugs and Crime (UNODC) at this year’s WSIS Forum event in Geneva will see the two organizations collaborate in assisting ITU and UN Member States mitigate the risks posed by cybercrime.

The MoU will enable the two bodies to work together to make available the necessary expertise and resources to establish legal measures and legislative frameworks at national level, for the benefit of all interested countries. It is the first time that two organizations within the UN system have formally agreed to cooperate at the global level on cybersecurity.

“This new alliance with UNODC is a major milestone in implementing a coordinated global approach to an increasingly serious global problem. Together, our two agencies will generate powerful synergies that will help all interested countries fight the scourge of cyberthreats and cybercrime and create a safer online environment for all,” said ITU Secretary-General Dr Hamadoun Touré.

In line with its long tradition of public-private partnership, ITU has also signed an MoU with Symantec, provider of security, storage and systems management solutions. ITU will use Symantec’s security intelligence, in the form of its quarterly Internet Security Threat Reports, to increase understanding of and readiness for cybersecurity risks.

By distributing this report – which captures data from across Symantec’s Global Intelligence Network – to interested Member States, ITU aims to help better prepare governments in developing and developed nations alike to respond to the ever-growing risk from malware, cyber attackers and information thieves. This will facilitate awareness raising and knowledge transfer, complementing the work of ITU and strengthening its effectiveness as a global forum for governments and private sector to build confidence and security in the use of ICTs.

Commenting on the partnership, Enrique Salem, President and Chief Executive Officer of Symantec, said: “Over the past year and a half, the researchers that make up Symantec’s Global Intelligence Network have noted a dramatic increase in the number of cyberattacks, as well as the growing sophistication and impact of threats. The partnership between ITU and Symantec will facilitate an increased understanding of cybersecurity risks and how they can be reduced, increasing confidence in new and emerging technologies and facilitating the evolution of the digital world.”

Further reinforcing ITU’s efforts in this area, ITU’s work and relations with IMPACT continue to gain momentum, with over 130 ITU Member States now part of the ITU-IMPACT coalition.

ITU-IMPACT is the first cooperative global venture to make available cybersecurity expertise and resources to enable interested Member States to detect, analyze and respond effectively to cyberthreats. Of particular benefit to developing countries and smaller states without the capacity and resources to develop their own sophisticated cyber response centres, the coalition also benefits technically advanced nations by providing them with a global snapshot of potential and real online threats.

ITU-IMPACT members enjoy:

· Access to the IMPACT Global Response Centre (GRC), the foremost cyberthreat resource centre in the world for global threat information, at no cost.

· Access to the Electronically Secure Collaboration Application Platform for Experts (ESCAPE), allowing experts across different countries to share their knowledge and best practices with regard to cybersecurity, as well as facilitate the mitigation of cyberattacks, at no cost.

· On-site assessments and elaboration of implementation strategies for the establishment of the Computer Incidents Response Teams (CIRTs). To date 24 countries have been assessed, and work is in progress to move to the implementation phase.

· Specialized cybersecurity capacity building programmes to arm Member States and international agencies with relevant knowledge to face and prevent cyberthreats. To date, more than 200 cybersecurity professionals and 50 law enforcement officers have received specialist training. In addition, 155 training scholarships to 29 partner countries globally have been provided.

ITU-IMPACT also offers Managed Security Services to the UN family of agencies.

Symantec to Acquire Clearwell Systems

Melisa LaBancz-Bleasdale — Tue, 24 May 2011 06:05:18 +0000

Symantec Corp. announced it has signed a definitive agreement to acquire privately-held Clearwell Systems, Inc., a recognized leader in the eDiscovery market. The acquisition of Clearwell enhances Symantec’s position as a leader in security. The move, Symantec says, will provide customers one of the most comprehensive information management solutions available. Under the terms of the agreement, Symantec will acquire Clearwell for a purchase price of approximately $390 million, net of Clearwell’s existing cash balance of approximately $20 million.

“As information continues to grow at unprecedented rates, the biggest challenge for customers is to protect, manage and backup this information as well as have the ability to categorize and discover it efficiently,” said Deepak Mohan, senior vice president, Information Management Group, Symantec. “The acquisition of Clearwell’s market leading electronic discovery solution will further increase Symantec’s ability to get the right information, to the right people, at the right time, while reducing overall legal review costs and limiting risk.”

Clearwell’s eDiscovery solution will complement and enhance Symantec’s Enterprise Vault eDiscovery capabilities and the companies hope the move creates a more complete end-to-end eDiscovery solution. The existing integration of Enterprise Vault with the Clearwell eDiscovery Platform is thought to enable Symantec to quickly help IT and legal users streamline and reduce the cost, time and risk of eDiscovery across the most relevant information sources including email, desktops, file servers, backups and the cloud.

This acquisition will expand Symantec’s addressable market opportunity and the company believes it will position them as a leader in the fast-growing eDiscovery software market, which, according to Gartner, is growing at a compounded annual growth rate of 14 percent and is estimated to reach $1.7 billion by 2014. In addition, this acquisition is expected to provide future cross-sell and product integration synergies across Symantec backup and security, by leveraging Symantec NetBackup, Data Loss Prevention and Data Insight.

“Archiving and eDiscovery are two critical elements of information governance,” said Aaref Hilaly, president and chief executive officer, Clearwell Systems. “By joining forces and combining the industry’s leading archiving solution with the industry’s leading eDiscovery solution, we will be uniquely positioned to deliver a seamless, integrated information governance workflow, benefitting both Symantec and Clearwell customers.”

Organizations are being required to adopt more formal information governance processes to help reduce the costs and risks associated with legal discovery. According to Gartner, through 2012, companies without an information governance strategy and technology for content archiving solutions, will spend a third more on eDiscovery than those with content archiving solutions. Together Symantec and Clearwell are positioned to offer customers the ability to both proactively and reactively manage and discover their information with increased speed, efficiency and scale, both on-premise and in the cloud, while at the same time helping customers reduce costs and risks.

Symantec MessageLabs Intelligence Report Finds Polymorphic and PDF-based Attacks on the Rise

Melisa LaBancz-Bleasdale — Thu, 03 Mar 2011 00:57:51 +0000

In the recently released Symantec February 2011 MessageLabs Intelligence Report, analysis revealed that in February of this year, 1 in 290 emails were malicious, making the month among the most prolific time periods both in terms of simultaneous attacks and malware family integration. Variants of singular attacks are constantly being created and combined with other instances of malware to enhance their ability to slip past existing malware detection engines and security features.

The report found that there were at least 40 variants of malware associated with the Bredolab Trojan in February, accounting for over 10 percent of email-borne malware blocked by MessageLabs Intelligence in February. Although it was thought that Bredolab was extinct, its clear that it’s not, and techniques previously associated with the malware are becoming more common among other major malware families, underscoring the trend in malware variant creation.

“It seems these ongoing attacks alternate between what historically have been different malware families,” said MessageLabs Intelligence Senior Analyst, Paul Wood. “For example, one day would be dedicated to propagating mainly Zeus (aka. Zbot) variants, while another day was dedicated to distributing SpyEye variants. By February 10, these attacks had multiplied further and were being propagated simultaneously with each malware family using its own polymorphic packer to further evade traditional antivirus detection.”

Since the end of January 2011, MessageLabs Intelligence had tracked significant volumes of collaborative attacks that make use of timely and targeted techniques. At the onset of February, the attacks increased malware families were used aggressively to conduct simultaneous attacks via propagation techniques, signaling a criminal interpretation of “reuse and recycle” by exposing a common origin for these infected emails.

Although the vast majority of attacks were related to Zeus and SpyEye, many of the attacks share commonalities with the well-known Bredolab Trojan, indicating some of its features were also being used by Zeus and SpyEye. All of the attacks used a ZIP file attachment containing executable malware code.

“During the first two weeks of February, MessageLabs Intelligence identified at least four different polymorphic engines in use by these server-side packers being used to change the code structure of the Zeus, Bredolab and SpyEye malware and to increase the number of variants of each,” Wood said. “Considering the technical difficulty of maintaining this number of polymorphic engines and that each evolves quickly to generate such a large number of variants across these three families, this is one of the first times that MessageLabs Intelligence has identified malware collaborating on a technical level to this degree and volume.”

Over the past year, malicious executable files have increased in frequency along with PDF files, the most popular file format for malware distribution. PDFs now account for the largest proportion of file types used for attacks. In 2010, 65 percent of targeted attacks used PDF exploits compared to approximately 52.6 percent in 2009. Though there has been a slight downturn recently, the researchers feel that if the trend continues on the same path, by mid-2011, 76 percent of targeted malware could come from PDF-based attacks.

“PDF-based targeted attacks are here to stay, and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware,” Wood said.

A few other report highlights:

Spam: In February 2011, the global ratio of spam in email traffic from new and previously unknown malicious sources was approximately 83 percent (1 in 1.23 emails), an increase of 2.7 percent since January.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown malicious sources was 1 in 290 emails in February, an increase of .07 percentsince January. In February, 63.5 percent of email-borne malware contained links to malicious websites, a decrease of 1.6 percent since January.

Endpoint Threats: Threats against endpoint devices such as laptops, PCs and servers may penetrate an organization in a number of ways, including drive-by attacks from compromised websites, Trojan horses and worms that spread by copying themselves to removable drives. Analysis of the most frequently blocked malware for the last month revealed that the Sality.AE virus was the most prevalent. Sality.AE spreads by infecting executable files and attempts to download potentially malicious files from the Internet.

Phishing: In February, phishing activity affected 1 in 216.7 emails, an increase of 0.22 percent since January.

Web security: Analysis of web security activity shows that in February, nearly 40 percent of malicious domains blocked were new, a decrease of 2.2 percent since January. Also in February, 20 percent of all web-based malware blocked was new, a decrease of 2.2 percent since last month. MessageLabs Intelligence also identified an average of 4,098 new web sites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 13.7 percent since January.

Geographical Trends:

China became the most spammed country in February with a spam rate of 86.2 percent.
In the US and Canada, 81.4 percent of email was spam. Spam levels in the UK were 81.1 percent.
In The Netherlands, spam accounted for 82.2 percent of email traffic, while spam levels reached 81.2 percent in Germany, 81.7 percent in Denmark and 81.0 percent in Australia.
Spam levels in Hong Kong reached 82.8 percent and 80.4 percent in Singapore. Spam levels in Japan were 78.5 percent. In South Africa, spam accounted for 81.6 percent of email traffic.
South Africa remained the most targeted by email-borne malware with 1 in 81.8 emails blocked as malicious in February.
In the UK, 1 in 139.0 emails contained malware. In the US virus levels were 1 in 713.6 and 1 in 328.8 for Canada. In Germany, virus levels reached 1 in 393.1, 1 in 451.1 in Denmark and 1 in 910.4 for The Netherlands.
In Australia, 1 in 365.8 emails were malicious and, 1 in 455.3 for Hong Kong, for Japan it was 1 in 1,331.0 compared with 1 in 828.9 for Singapore and 1 in 457.0 for China.

Vertical Trends:

In February, Automotive was the most spammed industry sector with a spam rate of 84.3 percent.
Spam levels for the Education sector were 82.6 percent, 81.7 percent for the Chemical & Pharmaceutical sector, 81.4 percent for IT Services, 80.8 percent for Retail, 80.1 percent for Public Sector and 80.2 percent for Finance.
In February, Government/Public Sector remained the most targeted industry for malware with 1 in 41.1 emails being blocked as malicious.
Virus levels for the Chemical & Pharmaceutical sector were 1 in 458.3, 1 in 394.4 for the IT Services sector, 1 in 514.3 for Retail, 1 in 137.2 for Education and 1 in 436.9 for Finance.

The February 2011 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends.

What's Your Online Risk Today? Norton Will Tell You

Melisa LaBancz-Bleasdale — Mon, 28 Feb 2011 07:44:49 +0000

In an effort to protect and inform the billions of people online, Norton recently introduced the Norton Cybercrime Index, which tracks and warns computer users about daily cybercrime risks around the world. With recent threats like the Here You Have (H-Y-H) virus, which tried to shut down electronic communications worldwide, and the high-profile attacks by Zeus botnets, Norton felt that computer users needed a tool that makes understanding today’s online threats simple and easy. The Norton Cybercrime Index was designed to alert consumers to current online trouble-spots and potential hazards, including the day’s most dangerous websites, the most hijacked search terms by cybercriminals, as well as top scams, identity theft and spam. The free tool includes expert news about the day’s most dangerous threat and advice on how to avoid it to stay safe online.

The company says that at its most basic, the Index answers the question, “What’s your online risk today?,” showing the day’s risk rating and putting it in the context of highs and lows, much like a stock index does. However, with the Norton Cybercrime Index, when the number goes up, consumers are said to be more at risk. The tool is intended to give people a single easy-to-understand visual for their immediate level of online risk. The Index can be viewed online, on a mobile-optimized site, or downloaded onto a PC.

Some Observations and Thoughts from ARMA

Michael Osterman — Tue, 09 Nov 2010 18:11:09 +0000

I attended the American Records Management Association (ARMA) Conference and Expo in San Francisco this week—as always, an interesting show with lots of interesting content. Here are some of my thoughts and observations relative to email archiving and electronic content management, two key focus areas for Osterman Research:

There were several traditional email and content archiving vendors exhibiting on the show floor including EMC, IBM, CommVault, Iron Mountain, Symantec, Autonomy and Daegis (formerly Unify and AXS-One), among others. While it’s not surprising to see email and content archiving vendors at a show focused on records management, my discussions with some of them indicated that they were expanding their traditional focus beyond IT and legal and more towards records management as a whole.
Iron Mountain sponsored an interesting lunch session on the future of records information management. The guest speaker, well-known author Geoffrey Moore, presented an interesting view of the future of records management. The gist of his point is that records management is evolving more into collaboration management, and that defining content that should and should not be preserved will become more difficult over time.
Lots of focus on SharePoint for records management and a lot of exhibitors supporting the iPad.
Not surprisingly, the mood at this year’s ARMA seemed quite optimistic as we seem to be pulling slowly out of recession: lots of show floor traffic, happy exhibitors, growing interest in e-discovery and a general increase in the sophistication of the records management practice.
I was also struck (probably too strong a word) by the seeming convergence of records management and IT. At the excellent MER conference in Chicago a couple of years ago, there was a gulf that seemed to separate records management and IT in how they want to manage information, particularly in the context of archiving—I got much less of that vibe at the ARMA conference, indicating that the disciplines are converging and that companies are focusing more holistically on the practice of retaining and producing electronic content.

All in all, the ARMA conference should be on the short list for those interested in the archiving, information management, content management and related markets.

Word to the Wise: Users Can Identify the Intent of Unsolicited Email by Wording

Stephanie Jordan — Thu, 05 Aug 2010 10:31:20 +0000

Recently Symantec completed an interesting exercise: scrutinize the words most commonly used in the top four spamming techniques and look for distinguishing characteristics. The result? It seems that each technique—general spam, phishing, malware and targeted attacks—has its own distinct pattern of word usage. Here is what Symantec Hosted Service’s MessageLabs Intelligence unit found:

Spam—The goal of general spam is to get recipients to buy something as quickly as possible. As a result, this type of spam messaging relies on words having to do with selling something (“discount”, “price”, “sale!”) and urgency (“today”, “special”, “featured”).
Malware—Malware isn’t about making money, so in order to get a piece of code installed on the victim’s machine for ultimate control, the words used are informational (“update”, “mail”, “attached”) and sound official (“account”, “verify”, “contact”), all in an attempt to lure victims to click a link to a website hosting malicious code.
Phishing—Cybercriminals are trying to access a victim’s bank account, email account, or social network account. Word usage in phishing emails show a pattern geared towards collecting personal information from the victim (“address”, “paypal”, “personal”) and often claims that something has gone wrong (“error”, “apologize”, “suspend”).
Targeted Attacks—This group of emails are crafted to trick specific individuals and groups to open a malicious email. As a result, most words relate to political or current events, organizations or financial matters (“human”, “president”, “nuclear”).

It is interesting to note that the word “please” appears in all four categories. (If nothing else, these are very polite people.)

This exercise brings home the point that users should always try to verify if a source is genuine, and never click a link or open an attachment from an unsolicited email, even if it appears genuine. If you are interested in learning more, read the entire findings

Eye on Messaging is written by Stephanie Jordan, editor in chief of Messaging News. If you have story ideas or news to share, email her: sjordan [at] messagingnews [dot] com

Nine Out of Ten Spam Emails Now Contain a URL Link

Stephanie Jordan — Thu, 03 Jun 2010 07:29:19 +0000

Last week the May edition of Symantec’s Messagelabs Intelligence monthly report published. The report states that the proportion of spam emails that include some form of URL or hyperlink has grown by one percentage point since 2009, from 91 percent in 2009 to 92 percent for 2010, to date. While that may not sound like much of an increase, the report reveals that it translates to nine out of 10 spam emails.

An interesting data point is about the domains used to form the hyperlinks: many are actually legitimate. The report distinguishes between disposable domains, those that are used within a few days for specific spam tactics and then abandoned, and the legitimate ones.

“Domains belonging to well-known Web sites tend to be recycled and used continuously compared with ‘disposable’ domains which are used for a short period of time and never seen again,” says MessageLabs Intelligence Senior Analyst Paul Wood. “Perhaps this is because there is some work involved in acquiring them: the legitimate domains require CAPTCHAs to be solved to create the large numbers of accounts that are then used by spammers.”

The report states: “Of the most frequently occurring domains found in spam URLs, the top four are legitimate and belong to major well-known Web sites used for social networking, blogging, file-sharing and other forms of user-generated content.” These account for 5 percent of all domains found in spam URLs. The bulk of the spam URLs (95 percent) were of the disposable variety.

Known botnets are serving up the spam, using a combination of the legitimate and disposable with a heavier emphasis on the disposable domains, with the exception of Storm. The Storm botnet, which had been silenced for a time, has returned and is, according to the report, the only botnet that uses legitimate domains in greater number (65 percent) than it uses disposable domains.

MessageLabs’ analysts did some Autonomous System Numbers (ASN) sleuthing. (AS numbers are important because the ASN uniquely identifies each network on the Internet.) According to the report: “Where an AS number could be determined for a particular IP address, MessageLabs Intelligence identified that as few as five ASNs were responsible for hosting content for 42 percent of the disposable spam domains scrutinized during May. These were located in the following countries: United States (17 percent of all domains), China (13 percent), Ukraine (8 percent) and France (4 percent).

The whole report, which offers more information, as well as a variety of other findings, is available for download.

Eye on Messaging is written by Stephanie Jordan, editor in chief of Messaging News. If you have story ideas or news to share, email her: sjordan [at] messagingnews [dot] com

A Cybercriminal’s Resolutions

Stephanie Jordan — Tue, 22 Dec 2009 04:24:55 +0000

With New Year’s coming up, our friends at Symantec Hosted Services offered a glimpse into what a cybercriminal’s New Year’s resolution list might look like. Here are possible goals, many of which build upon the successes of 2009.

Control the Strongest Botnet—Botnets ruled the cyber security landscape in 2009, with the 10 major heavyweight spam-sending botnets (including Cutwail, Rustock and Mega-D) now controlling at least 5 million compromised computers. With these compromised computers issuing over 83 percent of the 107 billion spam messages distributed globally, Symantec expects botnets to get bigger, stronger and more intelligent in the year ahead.
Crack the CAPTCHA—CAPTCHA (Completely Automated Public Turing test to tell Computer and Humans Apart) breaking tools have allowed cybercriminals access to an unprecedented number of Webmail, IM and social networking Web sites. With a new crop of more sophisticated CAPTCHAs on the horizon—some involving images and animation—it will be increasingly difficult for the bad guys to solve these puzzles with an automatic computer program.
Brush Up on My Pop Culture—World events, news, and holidays always spark a bad guy’s imagination. In 2009, spammers and malware writers jumped on the news of the H1N1 virus and the death of Michael Jackson. Expect to see more celebrity names in the junk folder next year.
Discover the Next Big Social Network—The popularity of social networking and micro-blogging sites have led spammers to use short URLs in their spam emails. In 2009, over 90 percent of spam contained a URL and there was an upsurge of short URLs in the second half of the year. Short URLs hide the true Web site behind the link, yet are trusted by millions of people who use them to share photos and news online. Symantec believes new social technologies will lead to even more creativity on behalf of the bad guys.
Learn a Foreign Language—Automated translation services allow cybercriminals to target their attacks in local languages. While over 95 percent of spam is in English, the last year has seen significant increases in spam in countries where English was not the primary language. After English, the most common languages for spam (in order) are French, Portuguese, Russian and German. Symantec reports that spam levels in Germany and The Netherlands increased by 13 percent since the beginning of the year, with spam now accounting for an excess of 95 percent of all emails.

While hope springs eternal in a New Year, it seems that we can, in the estimation of Symantec along with many other industry insiders, expect more of the same when it comes to online threats in 2010.