Symantec Intelligence Report: July 2012

Attacks use the Olympics as bait for spam and phishing; the state of Web attack toolkits in 2012

Welcome to the July edition of the Symantec Intelligence report, which provides the latest analysis of cyber security threats, trends, and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this report includes data from January through June 2012.

Report highlights

• Spam – 67.6 percent (an increase of 0.8 percentage points since June): page 14
• Phishing – One in 475.3 emails identified as phishing (a decrease of 0.003 percentage points since June): page 17
• Malware – One in 340.9 emails contained malware (a decrease of 0.023 percentage points since June): page 19
• Malicious Web sites – 2,189 Web sites blocked per day (an increase of 4.0 percent since June): page 21
• Olympic-related scams and threats to keep an eye on: page 2
• Web attack toolkit activity in the first six months of 2012: page 7
• A roundup of the best blogs of the last month: page 11

Introduction

In this month’s report we take a look at the various attacks being perpetrated using an Olympic theme. Attackers are taking to social networking to spread threats, attempting to compromise mobile devices, and trying a number of different spam and phishing scams surrounding the Games. We’ll look at each of these areas in detail this month.

We’ll also look at Web attack toolkits and how attackers have been making use of them since we reported on their activity in Volume 17 of the Internet Security Threat Report [1]. As predicted in ISTR 17, their use has increased since the end of 2011, but the ways in which they are being deployed are also changing.

Finally, we take a broader look at some of the more significant and interesting threats that Symantec’s Security Response team has been tracking in recent weeks, from printing-related threats to the latest Android malware, including the impact of the attempted takedown of Grum, one of the largest spam-sending botnets in the threat landscape.

I hope you enjoy reading this month’s edition of the report, and please feel free to contact me directly with any comments or feedback.

Paul Wood, Cyber Security Intelligence Manager [email protected] @paulowoody

[1] http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf

Page 1 of 24

Report analysis

Let the Games begin

As this month’s report goes to press, the 2012 London Olympics are fully underway. As with other major sporting events, including the soccer World Cup in 2010, attackers are trying to take advantage of people’s interest in the event, launching a variety of attacks and scams with Olympic themes.

Similar sporting-themed attacks took place during the 2008 Olympics in Beijing and during the 2010 World Cup [2] in South Africa, so this is not a new phenomenon, but the social engineering employed in many of these attacks may be unfamiliar to a new audience. For the most part there are only a few differences in the attacks; for example, spammers began their Olympic campaigns quite early [3], sending out the first spam runs as far back as March 2011. Attackers have also tailored their attacks towards mobile devices and social networks.

Let’s have a look at some of the Olympic-related threats and scams out there.

Twitter bots

Attackers have been actively using Olympic-related trending topics on Twitter recently in order to entice people to click on malicious links. The Tweets appear to be generated by bots, with poorly constructed, ambiguous sentences.

Figure 1 – Example of a Twitter bot Tweet linking to malicious content

The shortened URLs lead to fake pages that appear to cover a variety of topics, including business strategy tips and health-related themes. However, the real purpose of these sites is to spread malware. An attack toolkit is set up on the back end of the pages and will attempt to install trojan back doors or fake security software on vulnerable computers that visit these Web sites. For instance, the attack might play out similarly to the one shown in this video [4].

The accounts themselves are generally created the day the Tweets are sent, rarely have any followers, and rapidly post a few Tweets each minute using a wide variety of hash tags linked to trending topics. Twitter has been quick to identify these accounts and suspend them, generally within a few hours of their creation.

[2] http://www.2010netthreat.com/
[3] http://www.symantec.com/connect/blogs/spammers-begin-their-games-early
[4] http://www.youtube.com/watch?v=Upciy-g_n28


Fake Olympic scandals

There have also been a few instances of spammers attempting to trick users into downloading malware. For example, one spam email we’ve recently encountered hints at a doping scandal, and includes a link to a website that mimics YouTube.

The video in question purports to be about the supposed scandal, but instead of playing the video, the page tells the user to install a new version of Flash Player. If the user clicks OK and runs the executable, the computer is infected with a trojan. This threat contacts a long list of malicious domains, attempting to download further malware, thus opening the computer to a variety of threats.

Figure 2 – Fake video website attempting to trick the user into downloading a trojan


Android.Opfake

The attackers behind Android.Opfake [5], which we discussed back in the May report [6], are not ones to let an opportunity such as the Olympics go by without trying to use the topic to spread their malware. Irfan Asrar, a Security Response Manager focused on mobile threats, has been keeping a close eye on this threat. “The authors behind Android.Opfake are now going after apps related to the London 2012 Olympics,” says Asrar. He recently noticed the attackers bundling their threat with a copy of a legitimate Olympics application. The legitimate app, a game promoting some of the more popular Olympic sports, was copied, repackaged with the trojan, and then distributed on a Russian Android app marketplace.

Figure 3 – Android.Opfake repackaged with Olympic-themed game

If installed, the trojan will send premium-rate SMS messages from the compromised device, leading to profits for the attackers and an increased mobile phone bill for the user. Fortunately Symantec customers are covered. “Users of Norton Mobile Security will be warned upon visiting the site distributing the malware,” says Asrar.

[5] http://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99
[6] http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_05_2012.en-us.pdf


Olympic-themed spam and scams

We discussed Olympic spam scams back in May [7], highlighting a lottery-style scam in that report. The spammers have continued sending out a wide variety of spam since then. We took a look at an assortment of Olympic-related subject lines that have been in use since May, and how often they appeared each day. While there was an especially busy period for a week in mid-June, the spam rate has for the most part increased steadily, effectively doubling from late May to late July, when the Games began.

[Chart: Olympic-related spam subject lines observed per day, late May to late July 2012; y-axis 0 to 120]

Figure 4 – Chart showing the increase in Olympic-related spam and scams

The scams behind these spam runs are generally focused on gathering personal information from the user. Mathew Maniyara, a Security Response lead in Pune, India, has been monitoring similar Olympic-related scams and has provided the following analysis of two such scams:

Cybercriminals lean on Olympics 2012 By Mathew Maniyara

Even before the Summer Olympic Games began on 27 July 2012, online scammers had already taken the opportunity to target users. Here at Symantec we have kept track of spam and phishing attacks that offered free gifts related to the sporting event, and would like to show you a few scenarios that the attackers are playing out.

In the first example, the phishers masqueraded as a MasterCard™ promotion and created an eye-catching phishing site. The phishing pages, hosted in Brazil, included several fake offers such as “Win Free Trips to the 2012 Summer Olympics in London!”, “Participate and win laptops, cameras and many great prizes.”, and “MasterCard and you in the Olympic Games!” The London Olympics logo was placed at the center of the page and below it were images of venues for the event: the London Olympic Stadium, Wembley Stadium, the North Greenwich Arena, and the London Underground, all promoting the London Olympics. Customers were prompted to participate in the offers by clicking a button labeled “Participate now.”

[7] http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_05_2012.en-us.pdf

Figure 5 – Example of an Olympic-themed phishing scam

Upon clicking the button, customers would be redirected to the next phishing page that asks for the user’s confidential information. The information includes full name, email address and password, date of birth, credit card number, name on card, and security code. After the required information is entered, the phishing site acknowledges the registration with the message:

your registration was successful! good luck! number of the protocol 1342410522

Spammers have also been targeting customers with fake gift cards from Visa™, reportedly worth USD 1,000. By clicking a link provided in the spam mail, the user is redirected to a fake survey page that asks questions related to the London Olympics. After the survey is complete, users are prompted to enter their email address to win the exciting gifts.


Figure 6 – Example of spam email offering $1,000 gift card

Internet users are advised to follow best practices to avoid spam and phishing attacks:

• Do not click on suspicious links in email messages
• Never enter personal information in a pop-up page or screen
• When entering personal or financial information, ensure the connection is encrypted (look for a padlock, ‘https’, or a green address bar) and that the domain shown in the address bar belongs to the organization you expect; a phishing site can also be served over SSL
• Frequently update your security software, which can protect you from online phishing

Web Attack Toolkits in 2012

In volume 17 of the Internet Security Threat Report (ISTR) [8], we reported that Web attack toolkits made up almost two-thirds of all threat activity on malicious websites in 2011. A variety of kits were available in 2011, some of which were private and not available in the underground economy. These attack kits were frequently seeking to exploit third-party browser plugins. Let’s revisit this highly prevalent Web threat and see what has been happening with these kits in the first half of 2012.

[8] http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf


As predicted in ISTR 17, the use of Web attack toolkits has been on the rise since the end of 2011. We took a look at the average number of toolkit attacks per day picked up by Symantec sensors during the last six months of 2011, then compared that against the daily rates during the first half of 2012.

[Chart: Web attack toolkit activity per day, 01 Jan 2012 to 29 Jun 2012, plotted as a multiple (x2 to x6) of the average attacks per day during the last six months of 2011]

Figure 7 – Increase in attack toolkit activity between 2011 and 2012

We found that, while the number of attacks varied widely from day to day, there was an unequivocal increase in the number of attempted attacks per day. Based on data gathered in July 2012, there are currently three times as many Web attacks occurring as there were, on average, during the last half of 2011.

The underground marketplace for attack toolkits is also shifting rapidly. In the past, attack toolkits were sold bundled with a fixed set of exploits; they have since migrated towards a plug-in style architecture. An attacker can purchase a toolkit framework on an underground forum for a nominal fee, and then purchase various exploit scripts separately. In many cases the same exploit scripts can be used by different toolkits.

Figure 8 – Example of a Web attack toolkit marketplace


However, even this arrangement may be changing. Peter Coogan, a Security Response Manager who keeps a close watch on these Web threats, says one of the more interesting changes this year is how access to the toolkits is controlled.

“In the past, exploit kits were sold in full to buyers to set up and run themselves as they wished,” says Coogan. “Once an exploit kit was sold, the code would eventually be leaked for free on underground forums,” which would greatly cut into the developer’s revenue stream; the Blackhole exploit kit is a good example of this. In early 2011 reports surfaced that a free version of the toolkit was making the rounds in certain underground hacker forums. There was some speculation that the developers were releasing a pared-down version in the hope of attracting new business. However, as further releases appeared for free on forums, it became clear that the source code was being leaked.

Much of this has changed in the last six months: the exploit kit is now offered as a rented software-as-a-service (SaaS) subscription, according to Coogan. “Now it is common for the exploit kit authors to offer a drive-by download infrastructure service using their exploit kit. This allows the exploit kit authors to keep their code base private,” he says.

There are a variety of attack toolkits currently active; Blackhole, Phoenix, Nuclear Pack, Bleeding Life, and Eleonore are some of the more popular ones. While there are slight differences between each toolkit, by and large they operate in much the same way. The toolkits primarily focus on exploiting third-party browser plugins, such as Adobe Reader, Adobe Flash Player, and Java. Frequently, patches for the vulnerabilities used in these exploit kits are available but haven’t been applied; in other words, the exploit kits typically target out-of-date software installations where possible, using newer exploits only when necessary.

The attraction of plugin vulnerabilities is that they are often platform-independent, and many toolkits will attempt to exploit both Windows and Mac computers. For instance, the Blackhole exploit kit has recently been observed exploiting CVE-2012-1723 [9], a Java vulnerability; Java was also the vector through which OSX.Flashback compromised around 600,000 Macs back in April [10].

The latest administration control panels for most attack toolkits even let attackers keep track of which exploits have been the most successful, as well as which browsers and operating systems are being successfully exploited. This gives them the option to tailor future attacks or invest in new areas to maintain or improve their numbers. An example of this can be seen in figure 9, below.

[9] http://www.symantec.com/connect/blogs/examination-java-vulnerability-cve-2012-1723
[10] http://www.symantec.com/connect/blogs/osxflashback-rises-java-vulnerability


Figure 9 – Example of the Blackhole toolkit administrative control panel

Attackers generally lure unsuspecting users to the Web attack toolkits using a variety of social engineering tricks, such as spam emails or social networking attacks. Often these contain a link to a legitimate Web site that has been compromised and onto which the attacker has installed a Web attack toolkit. For instance, the widely used Blackhole attack toolkit has been behind some rather clever spam campaigns of late. The attackers have sent spam emails purporting to be rejected wire transfers or New York City traffic tickets, or claiming that the recipient has been tagged in a photo on a popular social networking site. The goal in each case is to entice the user into clicking the malicious link, from which the attack is launched.

Let’s briefly go over a scenario of how a toolkit carries out an attack. If a user clicks one of these malicious links, the toolkit gathers any information it can about the visiting computer, such as the browser name and version, operating system, the plug-ins installed and their versions, and the country the visiting computer is located in. The kit then determines which vulnerabilities may exist and attempts to exploit them. If the attack is successful, the toolkit downloads its payload, likely a backdoor trojan or a misleading application such as a fake antivirus product.
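The fingerprint-then-select step above is short to express in code. The following is an added example written for this page; it is not Symantec’s code and is not taken from any real kit. It parses the User-Agent string and the plug-in descriptions a browser discloses and returns which exploit rules would fire against that visitor. The Java rules use the fix versions for CVE-2012-1723 (JRE 7 Update 5 and 6 Update 33); the Flash and Reader rules, the rule names and the visitor fingerprints are constructed placeholders. Run against a fleet’s plug-in inventory, the same comparison tells a defender which machines a kit would succeed against.

```python
"""Plug-in version fingerprinting of the kind a Web attack toolkit performs.

Added example, written for this report page; it is not Symantec's code and not
taken from any real kit. A kit's landing page collects what the browser
discloses (User-Agent, navigator.plugins) and fires only the exploits whose
vulnerable version range covers an installed plug-in, which is why the kits
live off unpatched installs. Run from the defender's side the same logic
answers "which of these exploits would fire against this machine?".

Assumptions: the Java rules use the fix versions for CVE-2012-1723 (JRE 7
Update 5 and 6 Update 33); the Flash and Reader rules are hypothetical
placeholders, not real advisories. Visitor fingerprints are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.7.0_04' -> (1, 7, 0, 4); '11.3.300.257' -> (11, 3, 300, 257)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


@dataclass(frozen=True)
class ExploitRule:
    name: str                      # label the kit would show in its panel
    plugin: str                    # fingerprinted plug-in the exploit targets
    fixed_in: Version              # first version on this branch that is patched
    branch: Optional[Version] = None         # e.g. (1, 7) = only Java 7
    platforms: Tuple[str, ...] = ("windows", "mac")

    def vulnerable(self, installed: Version) -> bool:
        if self.branch and installed[: len(self.branch)] != self.branch:
            return False
        return installed < self.fixed_in


RULES = [
    # Java is platform-independent, so both OS families are in scope (cf. Flashback).
    ExploitRule("java_cve_2012_1723_jre7", "java", (1, 7, 0, 5), branch=(1, 7)),
    ExploitRule("java_cve_2012_1723_jre6", "java", (1, 6, 0, 33), branch=(1, 6)),
    # Hypothetical placeholders for Flash and Reader exploits; Windows only.
    ExploitRule("flash_hypothetical", "flash", (11, 3, 300, 0), platforms=("windows",)),
    ExploitRule("reader_hypothetical", "reader", (9, 5, 0), platforms=("windows",)),
]


def fingerprint(user_agent: str, plugin_list: str) -> Dict[str, object]:
    """Reduce a User-Agent and a plug-in description list to OS + plug-in versions."""
    if "Macintosh" in user_agent:
        os_name = "mac"
    elif "Windows" in user_agent:
        os_name = "windows"
    else:
        os_name = "other"
    versions: Dict[str, Version] = {}
    m = re.search(r"Java\(TM\) Platform SE (\d+) U(\d+)", plugin_list)
    if m:                                   # "SE 7 U4" is JRE 1.7.0_04
        versions["java"] = (1, int(m.group(1)), 0, int(m.group(2)))
    m = re.search(r"Shockwave Flash ([\d.]+)", plugin_list)
    if m:
        versions["flash"] = parse_version(m.group(1))
    m = re.search(r"Adobe (?:Acrobat|Reader) ([\d.]+)", plugin_list)
    if m:
        versions["reader"] = parse_version(m.group(1))
    return {"os": os_name, "plugins": versions}


def select_exploits(fp: Dict[str, object], rules=RULES) -> List[str]:
    """Names of the rules that would fire against this fingerprint, in rule order."""
    hits = []
    for rule in rules:
        installed = fp["plugins"].get(rule.plugin)
        if installed is None or fp["os"] not in rule.platforms:
            continue
        if rule.vulnerable(installed):
            hits.append(rule.name)
    return hits


# Constructed visitor fingerprints (not captured traffic).
SAMPLE_VISITORS = {
    "unpatched_windows": (
        "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1",
        "Java(TM) Platform SE 7 U4; Shockwave Flash 11.2.202.235; Adobe Acrobat 9.4.6",
    ),
    "mac_java6": (
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 Safari/534.57.2",
        "Java(TM) Platform SE 6 U31; Shockwave Flash 11.3.300.257",
    ),
    "patched_windows": (
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 Chrome/20.0.1132.57",
        "Java(TM) Platform SE 7 U5; Shockwave Flash 11.3.300.265; Adobe Acrobat 10.1.3",
    ),
}

if __name__ == "__main__":
    for label, (ua, plugins) in SAMPLE_VISITORS.items():
        print(f"{label:18s} -> {select_exploits(fingerprint(ua, plugins)) or 'nothing fires'}")
```

The Mac visitor is reached only by the Java rule, which is the point of the platform-independence remark that follows: the kit does not need a Mac-specific exploit as long as an old JRE is present.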

There’s another side to Web attack toolkits as well: the Web servers they are hosted on are often not owned by the attackers, but are personal or small-business websites whose software hasn’t been kept up to date. In many cases an attacker has previously compromised the Web server and then installed the exploit kit deep inside the site. In most cases the malicious pages that make up the attack toolkit are not even directly reachable from the main website, so the owner of the website or Web server may not be aware that an attack toolkit has been installed on their system, and may require the services of a Web security provider to identify and remove the malicious code and remedy the source of the compromise.


The use of Web attack toolkits has grown significantly in the first half of 2012. The reason for their popularity likely has to do with the versatility they offer attackers for compromising computers. No manual hacking is involved, as the attack toolkit automates the exploit process. As toolkits move to an exploit plug-in framework, and even a SaaS model, it becomes easier for an attacker to leverage the latest exploits. We expect to see continued growth in this area of the threat landscape.

Blog Review: July 2012

A number of interesting things appeared in the threat landscape in July, which the analysts in Security Response have blogged about as they were discovered; here are some of the recent highlights.

More threats in the Middle East

News broke in mid-July about another threat that appeared to be targeting computers in the Middle East: Trojan.Madi [11]. So far there is no indication that this trojan is related to other threats found in the region, such as , , and Flamer. Madi doesn’t appear to be nearly as sophisticated as these other threats; it relies on social engineering to compromise a computer, where the others used zero-day exploits to spread.

Further reading: The Madi Attacks: Series of Social Engineering Campaigns [12]

Junk-printing threats

There have been not one but two threats recently that seemingly print garbage to networked printers. These threats don’t compromise the printers themselves; rather, they copy themselves as print spooler .spl files to the %System%\Spool\PRINTERS folder on a compromised computer. In some cases Windows interprets these files as print jobs and attempts to print the binaries, resulting in pages of what looks like garbage.
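A quick triage check for the spool folder follows, as an added example written for this page (not Symantec’s code and not taken from the threat write-ups it links to). A genuine spool file holds EMF or RAW print data and never begins with the ‘MZ’ signature of a Windows executable, so any .spl or .shd file that does is worth pulling, and a parsable PE header yields the build timestamp for triage. The sample spool directory is constructed in a temporary folder; the benign files contain placeholder bytes rather than a faithful EMF/SHD layout, and the path constant is the usual location of %System%\Spool\PRINTERS.

```python
"""Find print-spool files that are really Windows executables.

Added example for this page; not Symantec's code and not from the Milicenso or
Printlove write-ups. Both threats drop copies of themselves as .spl files in
%System%\\Spool\\PRINTERS. Spool files hold EMF or RAW print data and never
start with the 'MZ' DOS-stub signature of a PE image, so an .spl or .shd file
that does is a strong indicator, and a parsable PE header gives the build
timestamp for triage. The sample spool directory is constructed in a temporary
folder so the script runs offline; the placeholder bytes in the benign files
are not a faithful EMF/SHD layout.
"""
import os
import struct
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

SPOOL_EXTENSIONS = (".spl", ".shd")
DEFAULT_SPOOL_DIR = r"C:\Windows\System32\spool\PRINTERS"   # %System%\Spool\PRINTERS


def pe_timestamp(data: bytes) -> Optional[int]:
    """TimeDateStamp from IMAGE_FILE_HEADER if `data` begins a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # need PE\0\0 (4) + Machine (2) + NumberOfSections (2) + TimeDateStamp (4)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def scan_spool_dir(spool_dir: str = DEFAULT_SPOOL_DIR) -> List[Dict[str, object]]:
    """One finding per spool file whose content starts with an MZ header."""
    findings: List[Dict[str, object]] = []
    for name in sorted(os.listdir(spool_dir)):
        if not name.lower().endswith(SPOOL_EXTENSIONS):
            continue
        path = os.path.join(spool_dir, name)
        with open(path, "rb") as fh:
            head = fh.read(4096)          # DOS stub and PE header sit in the first KB or so
        if head[:2] != b"MZ":
            continue
        stamp = pe_timestamp(head)
        findings.append({
            "file": name,
            "size": os.path.getsize(path),
            "pe_header": stamp is not None,  # False = MZ present but PE header missing/garbled
            "compiled": (datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()
                         if stamp is not None else None),
        })
    return findings


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed DOS stub + PE signature + IMAGE_FILE_HEADER; not a runnable binary."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                # e_lfanew -> right after the stub
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + file_header


def make_sample_spool_dir() -> str:
    """Constructed spool folder: two benign job files and one dropped executable."""
    d = tempfile.mkdtemp(prefix="spool_")
    with open(os.path.join(d, "00017.SPL"), "wb") as fh:   # benign print job (placeholder bytes)
        fh.write(b"\x00\x00\x01\x00" + b"\x00" * 252)
    with open(os.path.join(d, "00017.SHD"), "wb") as fh:   # its shadow file (placeholder bytes)
        fh.write(b"\x00" * 64)
    with open(os.path.join(d, "00018.SPL"), "wb") as fh:   # trojan copied in as a "print job"
        fh.write(build_fake_pe(1340000000))                  # 2012-06-18 UTC build stamp
    return d


if __name__ == "__main__":
    for f in scan_spool_dir(make_sample_spool_dir()):
        print(f"{f['file']}: {f['size']} bytes, PE header={f['pe_header']}, compiled={f['compiled']}")
```

On a live host, run it against the real spool folder with the spooler stopped, and treat a hit as a lead for the dropper rather than the whole story: the .spl copy is what gets printed, not the component that keeps the infection alive.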

Both threats also propagate in rather unusual ways. Trojan.Milicenso [13] spreads by using .htaccess redirection on compromised Apache Web servers. Meanwhile, W32.Printlove [14] attempts to spread by exploiting a known vulnerability in the Windows XP print spooler, patched in 2010. However, it is only when the compromised system is patched that the garbage print jobs appear, as demonstrated in this video [15].
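The .htaccess redirection mentioned here, and the hidden kit pages on compromised servers described in the toolkit section, share one visible artifact: a redirect to an external host that fires only for selected visitors. Below is an added example, not Symantec’s code and not from the Milicenso write-ups, that audits an .htaccess file for RewriteRule, Redirect and RedirectMatch targets pointing off-site and marks those gated by a RewriteCond on the referrer, user agent, cookie or client address. The .htaccess text is constructed, and the attacker host uses the reserved .invalid TLD.

```python
"""Audit an .htaccess file for redirects that send visitors off-site.

Added example for this page; not Symantec's code and not from the Milicenso
write-ups. Injected redirect blocks on compromised Apache sites usually pair a
RewriteRule pointing at an attacker-controlled host with RewriteCond tests on
the referrer or user agent, so only visitors arriving from a search engine are
redirected and the site owner, browsing directly, never sees it. That is also
why the kit's pages are not reachable from the site's own navigation. The
.htaccess text below is constructed; the attacker host uses the reserved
.invalid TLD.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

CLOAKING_VARS = ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}", "%{HTTP_COOKIE}", "%{REMOTE_ADDR}")


@dataclass
class RedirectFinding:
    line_no: int
    directive: str
    target_host: str
    conditions: List[str] = field(default_factory=list)
    cloaked: bool = False        # redirect only fires for some visitors


def external_host(target: str, site_host: str) -> Optional[str]:
    """Hostname of an absolute redirect target when it is not the site itself."""
    if "://" not in target:
        return None                      # relative target, stays on the site
    host = (urlparse(target).hostname or "").lower()
    if not host or host == site_host.lower():
        return None
    return host


def audit_htaccess(text: str, site_host: str) -> List[RedirectFinding]:
    findings: List[RedirectFinding] = []
    pending: List[str] = []              # RewriteCond lines awaiting their RewriteRule
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append(" ".join(parts[1:]))
            continue
        target = None
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
        elif directive in ("redirect", "redirectmatch") and len(parts) >= 3:
            target = parts[-1]            # mod_alias: [status] pattern URL
        if target is not None:
            host = external_host(target, site_host)
            if host:
                cloaked = any(v in cond for cond in pending for v in CLOAKING_VARS)
                findings.append(RedirectFinding(no, parts[0], host, list(pending), cloaked))
            pending = []                  # conditions bind only to the next rule
    return findings


SAMPLE_HTACCESS = r"""# constructed sample: a site's own rules followed by an injected block
RewriteEngine On
RewriteRule ^old-page\.html$ /new-page.html [R=301,L]
RewriteRule ^blog/(.*)$ http://www.example.com/posts/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule .* http://redirector.invalid/in.cgi?3 [R,L]
"""

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, "www.example.com"):
        tag = "CLOAKED" if f.cloaked else "open"
        print(f"line {f.line_no}: {f.directive} -> {f.target_host} [{tag}] conds={len(f.conditions)}")
```

Run it over every .htaccess in the document root, not just the top-level one; injected blocks are often placed in a subdirectory precisely so that the main site keeps working normally.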

Further reading:

• Trojan.Milicenso: A Paper Salesman’s Dream Come True [16]
• Trojan.Milicenso: Infection through .htaccess Redirection [17]
• Printer Madness: W32.Printlove Video [18]

Remote Access Trojan Toolkits

Two prominent remote access trojan (RAT) toolkit projects have either been shut down or seen significant contributors leave. In the first case, the FBI carried out a sting operation that resulted in the arrests of 24 people associated with the Blackshades RAT (a.k.a. W32.Shadesrat). In related news, the author of the DarkComet RAT decided to call it quits, perhaps spooked by the Blackshades arrests. This raises the question of whether this spells the end for these toolkits. It is tough to say for sure at the moment; in many cases other attackers could very well step in and pick up the projects where their authors and contributors left them.

Further reading:

• W32.Shadesrat (Blackshades) Author Arrested? [19]
• DarkComet RAT - It is the END! [20]

[11] http://www.symantec.com/security_response/writeup.jsp?docid=2012-071723-0755-99
[12] http://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns
[13] http://www.symantec.com/security_response/writeup.jsp?docid=2010-071503-4247-99
[14] http://www.symantec.com/security_response/writeup.jsp?docid=2012-062514-0544-99
[15] http://www.symantec.com/tv/allvideos/details.jsp?vid=1717218554001
[16] http://www.symantec.com/connect/blogs/trojanmilicenso-paper-salesman-s-dream-come-true
[17] http://www.symantec.com/connect/blogs/trojanmilicenso-infection-through-htaccess-redirection
[18] http://www.symantec.com/connect/blogs/printer-madness-w32printlove-video
[19] http://www.symantec.com/connect/blogs/w32shadesrat-blackshades-author-arrested


Android developments

Attackers continue to target the Android operating system. In particular, they continue to look for new ways to get their malicious apps into the Google Play marketplace; for example, some threats are disguised as copies of legitimate, popular games, but only a small portion of the app is the actual game; the rest is a trojan called Android.Fakeapp [21]. It is worth noting that any app that is ostensibly harmless but contains hidden code that exposes the user to further risk or reveals personal information without their knowledge may be considered a trojan.

Figure 10 – Android.Fakeapp component makeup

Once installed, the app requests permission to perform a variety of other actions, including access to the device’s location, such as GPS information, and the ability to read and write the user’s browsing history and bookmarks. It also downloads additional configuration files used to display advertisements to the user, encouraging them to download further apps. Furthermore, it collects personal information, such as the device IMEI and phone number, and sends it to a Web site on the Internet.

It seems apparent that the developers of these apps have been trying to find what code they can slip past the Google Play automated screening process.

Further reading:

• Android Apps Get Hit with the Evil Twin Routine Part 2: Play It Again Spam [22]
• Android.Dropdialer Identified on Google Play [23]

Data breaches in abundance

There has been a raft of data breaches in the month of July. Some notable and large enterprises have suffered attacks that resulted in a variety of personal information being released on the Internet. In one case, however, the attackers took a different route. Shortly before Maplesoft announced a data breach, the company became aware [24] that its customers had received emails from what appeared to be a “Maplesoft Security Update Team,” suggesting they download a patch. The link in the email led to an exploit kit that ultimately attempted to install Trojan.Zbot (aka ) on the victim’s computer.

[20] http://www.symantec.com/connect/blogs/darkcomet-rat-it-end
[21] http://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99
[22] http://www.symantec.com/connect/blogs/android-apps-get-hit-evil-twin-routine-part-2-play-it-again-spam
[23] http://www.symantec.com/connect/blogs/androiddropdialer-identified-google-play
[24] http://www.maplesoft.com/security


According to Maplesoft, the database that was breached was not the company’s customer database; rather it was a partial email subscription list. The data taken included older subscription data, which meant a significant portion of the list was outdated and many of the email addresses were no longer valid.

Further reading: Maplesoft Customers Targeted By Attackers Following Data Breach [25]

Grum takedown

Security researchers successfully disrupted one of the largest spam-sending botnets in the threat landscape in July. The Grum botnet accounted for approximately one third of all spam being sent worldwide, and its disappearance in mid-July led to a significant drop in global spam volumes, by as much as 15 to 20 percent.

At the time of writing it may be too early to tell what long-term impact this has had on global spam levels, or whether the botnet controllers will be able to recover or rebuild their botnet and return to their spam-sending activities.

[Chart: daily spam emails attributed to the Grum botnet, y-axis 0 to 80,000, falling away after the mid-July takedown]

Figure 11 – Spam emails from Grum botnet

Further reading: Botnet Owners Feeling “Grum” After Takedown [26]

[25] http://www.symantec.com/connect/blogs/maplesoft-customers-targeted-attackers-following-data-breach
[26] http://www.symantec.com/connect/blogs/botnet-owners-feeling-grum-after-takedown


Global Trends & Content Analysis

Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 64.6 million attack sensors and records thousands of events per second. This network monitors attack activity in more than 200 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services and Norton™ consumer products, and other third-party data sources.

In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 47,662 recorded vulnerabilities (spanning more than two decades) from over 15,967 vendors representing over 40,006 products.

Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; Symantec.cloud and a number of other Symantec security technologies. Skeptic™, the Symantec.cloud proprietary heuristic technology is able to detect new and sophisticated targeted threats before reaching customers’ networks. Over 8 billion email messages and more than 1.4 billion Web requests are processed each day across 15 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers.

These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future.

Spam Analysis

In July, the global ratio of spam in email traffic rose by 0.8 percentage points since June, to 67.6 percent (1 in 1.48 emails). It is perhaps still too early to tell what impact the disruption of the Grum botnet has had on the global spam rate, which has been in decline since the end of 2011.

Spam rate, July 2012: 67.6% (last month: 66.8%; six-month average: 66.5%)

Top 5 geographies            Top 5 verticals              By horizontal (company size)
Saudi Arabia        79.0%    Education          70.3%    1-250         67.8%
Hungary             76.2%    Engineering        69.5%    251-500       67.9%
Oman                72.8%    Non-Profit         69.4%    501-1000      67.7%
China               72.5%    Automotive         69.0%    1001-1500     68.2%
Russian Federation  71.8%    Marketing/Media    68.9%    1501-2500     68.5%
                                                         2501+         68.1%

[Chart: global spam rate, 2006 to 2012, ending at 67.6% for July 2012]

Spam sources, July 2012 (top 10 countries by share of spam sent)
India               17.0%
Saudi Arabia        13.6%
Brazil               5.2%
Viet Nam             5.1%
Turkey               4.6%
Canada               4.4%
Pakistan             3.4%
United States        3.3%
Russian Federation   2.4%
Korea (South)        2.3%


Saudi Arabia overtook Hungary to become the most spammed geography in July, with a spam rate of 79.0 percent.

In the US, 67.7 percent of email was spam and 67.9 percent in Canada. The spam level in the UK was 68.5 percent. In the Netherlands, spam accounted for 70.7 percent of email traffic, 67.8 percent in Germany, 67.7 percent in Denmark and 66.8 percent in Australia. In Hong Kong, 67.0 percent of email was blocked as spam and 66.6 percent in Singapore compared with 64.1 percent in Japan. Spam accounted for 67.8 percent of email traffic in South Africa and 71.6 percent in Brazil.

The Education sector was the most spammed industry sector in July, with a spam rate of 70.3 percent; the spam rate for the Automotive sector was 69.0 percent. The spam rate for the Chemical & Pharmaceutical sector was 67.9 percent, compared with 67.7 percent for IT Services, 67.7 percent for Retail, 68.8 percent for Public Sector and 67.2 percent for Finance.

The spam rate for small to medium-sized businesses (1-250) was 67.8 percent, compared with 68.1 percent for large enterprises (2500+).

Global Spam Categories

The most common category of spam in July was Newsletters, at 62.20 percent. This is a significant shift from June, when the category made up only 0.08 percent of all spam, and is likely the result of a campaign by the Festi [27] botnet that leaned heavily on spoofed newsletters as its social engineering tactic in July.

Category          July 2012   June 2012
Newsletters       57.22%       0.08%
Sex/Dating        23.46%      64.28%
Pharma            12.87%      18.76%
Watches            2.40%       2.94%
Software           1.54%       1.67%
Jobs               1.52%       4.72%
Casino             0.50%       5.24%
Degrees            0.18%       0.47%
Weight Loss        0.14%      <0.01%
419/scam/lotto     0.08%       0.27%
Mobile             0.07%       0.09%

Spam URL Distribution based on Top Level Domain Name

The proportion of spam containing URLs registered in the .com top-level domain decreased in July, as shown in the table below, with a corresponding slight increase across the other top-level domains.

TLD     July 2012   June 2012
.com    63.9%       74.7%
.ru      8.3%        4.1%
.net     6.9%        4.6%
.br      3.7%        2.9%

[27] http://www.symantec.com/security_response/writeup.jsp?docid=2012-051407-0645-99


Average Spam Message Size

In July, the proportion of spam emails that were 5Kb in size or less increased by 4.6 percentage points, and the proportion of spam messages greater than 10Kb in size increased by 3.0 percentage points, as shown in the following table.

Message size   July 2012   June 2012
0Kb – 5Kb      47.7%       43.1%
5Kb – 10Kb     25.8%       33.3%
>10Kb          26.6%       23.6%

Spam Attack Vectors

July highlights a decrease in spam emails resulting in NDRs (spam-related non-delivery reports): cases where the recipient address is invalid and the message is bounced by the service provider. The proportion of spam that contained a malicious attachment or link increased, with periodic spikes of activity during the period, as shown in the chart below.

[Chart: proportion of spam resulting in NDRs and proportion carrying malware, July 2012; y-axis 0.0% to 14.0%; series: NDR, Malware]

NDR spam, as shown in the chart above, is often the result of widespread dictionary attacks during spam campaigns, where spammers make use of databases of first and last names and combine them to generate candidate email addresses. A higher level of NDR activity indicates spammers building their distribution lists by discarding the invalid recipients revealed by the bounce-backs. The resulting list can then be used for more targeted spam attacks containing malicious attachments or links, which suggests a pattern of harvesting addresses in some months and using them for targeted attacks in others.
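From the receiving mail server’s side, the harvesting described above is visible in the reject log. The following added example (not Symantec’s code) groups ‘User unknown’ rejections by client IP, counts distinct guessed recipients and how many of them look like first.last name pairs, and flags clients over a threshold. The log lines are constructed in Postfix smtpd reject format; the only fields relied on are the client IP in brackets, the reject reason text and the to=<...> field.

```python
"""Spot recipient dictionary attacks in MTA reject logs.

Added example for this page; not Symantec's code. The harvesting described
above looks, from the receiving mail server's side, like one client trying
many distinct local parts at the domain, most of which do not exist, within a
short time. Counting distinct 'User unknown' rejections per client, and how
many of the guessed local parts look like first.last name pairs, separates
that from a legitimate sender who mistyped one address. The log lines are
constructed in Postfix smtpd reject format; only the client IP in brackets,
the 'User unknown' reason and the to=<...> field are relied on.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

CLIENT_RE = re.compile(r"RCPT from [\w.-]+\[(?P<ip>[\d.]+)\]")
RCPT_RE = re.compile(r"to=<(?P<rcpt>[^>]+)>")
NAME_PAIR_RE = re.compile(r"^[a-z]+[._-][a-z]+\d{0,2}$")   # john.smith, mary_taylor2


@dataclass
class DictionaryAttackFinding:
    client: str
    unknown_recipients: int
    span_seconds: float
    name_pattern_ratio: float       # share of guessed local parts that look like name pairs
    samples: List[str]


def detect_dictionary_attacks(lines: Iterable[str], min_unknown: int = 5,
                              year: int = 2012) -> List[DictionaryAttackFinding]:
    """Group 'User unknown' rejects by client IP and flag clients over the threshold."""
    guesses: Dict[str, set] = defaultdict(set)
    times: Dict[str, list] = defaultdict(list)
    for line in lines:
        if "User unknown" not in line:
            continue                                  # relay denials etc. are not guesses
        m_ip, m_rcpt = CLIENT_RE.search(line), RCPT_RE.search(line)
        if not (m_ip and m_rcpt):
            continue
        ip = m_ip.group("ip")
        guesses[ip].add(m_rcpt.group("rcpt").lower())
        # syslog prefix "Jul 15 03:12:07" carries no year; supply one for span arithmetic
        times[ip].append(datetime.strptime(f"{line[:15]} {year}", "%b %d %H:%M:%S %Y"))
    findings = []
    for ip, rcpts in guesses.items():
        if len(rcpts) < min_unknown:
            continue
        local_parts = [r.split("@", 1)[0] for r in rcpts]
        ratio = sum(1 for lp in local_parts if NAME_PAIR_RE.match(lp)) / len(local_parts)
        span = (max(times[ip]) - min(times[ip])).total_seconds()
        findings.append(DictionaryAttackFinding(ip, len(rcpts), span, ratio, sorted(rcpts)[:3]))
    return findings


def _reject(ts: str, ip: str, rcpt: str,
            reason: str = "User unknown in local recipient table") -> str:
    """Build one constructed Postfix-style reject line."""
    return (f"{ts} mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: {reason}; "
            f"from=<promo@spam.invalid> to=<{rcpt}> proto=ESMTP helo=<mail.spam.invalid>")


# Constructed sample: one harvesting client, one legitimate sender with a typo.
SAMPLE_LOG_LINES = [
    _reject("Jul 15 03:12:07", "198.51.100.23", "john.smith@example.com"),
    _reject("Jul 15 03:12:08", "198.51.100.23", "john.taylor@example.com"),
    _reject("Jul 15 03:12:10", "198.51.100.23", "mary.smith@example.com"),
    _reject("Jul 15 03:12:11", "198.51.100.23", "mary.taylor@example.com"),
    _reject("Jul 15 03:12:13", "198.51.100.23", "david.smith@example.com"),
    _reject("Jul 15 03:12:14", "198.51.100.23", "someone@other.invalid",
            reason="Relay access denied"),        # not a local-part guess
    _reject("Jul 15 03:12:16", "198.51.100.23", "david.taylor@example.com"),
    _reject("Jul 15 03:40:02", "203.0.113.8", "alice.wnog@example.com"),
]

if __name__ == "__main__":
    for f in detect_dictionary_attacks(SAMPLE_LOG_LINES):
        print(f"{f.client}: {f.unknown_recipients} unknown recipients in {f.span_seconds:.0f}s, "
              f"{f.name_pattern_ratio:.0%} name-like, e.g. {', '.join(f.samples)}")
```

The threshold and the time window are the knobs to tune per site; the name-pair ratio is what distinguishes a generated list from a stale mailing list that merely contains many departed employees.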


Phishing Analysis

In July, the global phishing rate decreased by 0.003 percentage points, taking the global average rate to one in 475.3 emails (0.21 percent) that comprised some form of phishing attack.

Phishing Rate: 1 in 475.3 (Last Month: 1 in 467.6; Six Month Avg.: 1 in 474.1)

Top 5 Geographies
Netherlands       1 in 94.4
South Africa      1 in 171.2
Canada            1 in 244.9
United Kingdom    1 in 272.5
Belgium           1 in 679.5

Top 5 Verticals
Public Sector     1 in 113.3
Finance           1 in 285.9
Education         1 in 335.8
Accom/Catering    1 in 372.7
Marketing/Media   1 in 471.0

By Horizontal (organization size)
1-250             1 in 363.8
251-500           1 in 719.5
501-1000          1 in 926.0
1001-1500         1 in 782.9
1501-2500         1 in 988.4
2501+             1 in 418.3

[Chart: phishing rate trend, 2006–2012]

Sources, July 2012
United States     47.6%
United Kingdom    27.0%
Australia         10.4%
Canada            9.9%
South Africa      1.1%
Sweden            0.8%
Germany           0.7%
Netherlands       0.7%
Philippines       0.4%
Denmark           0.3%

The Netherlands remained the country most targeted in July, with one in 94.4 emails identified as phishing attacks. South Africa was the second-most targeted country, with one in 171.2 emails identified as phishing attacks.

Phishing levels for the US reached one in 995.5 and one in 244.9 for Canada. In Germany phishing levels were one in 1,091.0, one in 719.6 in Denmark. In Australia, phishing activity accounted for one in 752.1 emails and one in 2,241.4 in Hong Kong; for Japan it was one in 7,448.8 and one in 3,450.6 for Singapore. In Brazil one in 786.2 emails was blocked as phishing.

The Public Sector remained the most targeted by phishing activity in June, with one in 113.3 emails comprising a phishing attack. Phishing levels for the Chemical & Pharmaceutical sector reached one in 1,119.1 and one in 750.9 for the IT Services sector, one in 1,023.0 for Retail, one in 335.8 for Education, one in 285.9 for Finance, and one in 2,068.1 for the Automotive industry.

Phishing attacks targeting small to medium-sized businesses (1-250) accounted for one in 363.8 emails, compared with one in 418.3 for large enterprises (2500+).

Analysis of Phishing Web sites
Overall, the number of phishing Web sites decreased by 1.8 percent in July, compared with the previous month. The number of phishing websites created by automated toolkits increased by 12.9 percent, accounting for approximately 63.8 percent of phishing attacks. Phishing attacks related to well-known social networking Web sites and social networking apps accounted for 15.9 percent of phishing attacks.


The number of unique phishing domains decreased by 20.1 percent, and the number of phishing Web sites with IP addresses in place of fully-qualified domain names in the URL increased by 49.7 percent.

The use of legitimate Web services for hosting phishing sites accounted for approximately 3.6 percent of phishing Web sites, a decrease of 0.3 percentage points since June. The number of non-English language phishing Web sites increased by 174 percent. The most common languages for non-English phishing sites included French, Italian, Portuguese and Spanish.

Geographic Location of Phishing Web Sites

Phishing Web Sites Locations
Country           June*    May
United States     50.0%    48.8%
Germany           6.4%     6.3%
United Kingdom    4.4%     3.9%
Brazil            3.7%     4.7%
France            2.9%     3.0%
Canada            2.9%     2.9%
Russia            2.9%     2.4%
China             2.5%     2.6%
Netherlands       2.3%     2.2%
Poland            1.4%     1.4%

*Note: Data lags one month
July 2011


Tactics of Phishing Distribution

Automated Toolkits 63.8%

Other Unique Domains 27.4%

IP Address Domains 4.3%

Free Web Hosting Sites 3.6%

Typosquatting 0.9%
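The tactics above (and the IP-address and free-hosting counts in the preceding paragraphs) are categories a defender can assign to an observed phishing URL from the URL alone, with the exception of "Automated Toolkits", which requires looking at the page content or kit signatures. The following is an added example, not code from the report or from Symantec, that classifies constructed URLs into these categories and tallies them the way the table does. The brand domains, free-hosting suffixes and the edit-distance threshold are assumptions; the "registrable label is the second-last one" shortcut stands in for a Public Suffix List lookup.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed reference data (assumptions, not from the report): legitimate
# domains of brands a phisher might imitate, and host suffixes of free hosting
# providers (RFC 2606 reserved names used in place of real providers).
BRAND_DOMAINS = {"examplebank.com", "examplepay.com"}
FREE_HOSTING_SUFFIXES = (".freehost.example", ".pages.example")


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, brand_domains=BRAND_DOMAINS, free_suffixes=FREE_HOSTING_SUFFIXES, max_edits=2):
    """Assign a phishing URL to one of the report's distribution tactics."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "Unparseable"

    # Literal IPv4/IPv6 host instead of a fully-qualified domain name.
    try:
        ipaddress.ip_address(host)
        return "IP Address Domains"
    except ValueError:
        pass

    # The brand's own host is not a phishing host; callers may want to exclude it.
    if host in brand_domains:
        return "Brand Domain"

    # Page hosted under a free hosting provider's domain.
    if host.endswith(free_suffixes):
        return "Free Web Hosting Sites"

    # Simplification (assumption): treat the second-last label as the registrable
    # name; production code should use the Public Suffix List instead.
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]

    # A registrable name within a couple of edits of a brand name (including an
    # identical name under a different TLD) is counted as typosquatting.
    for brand in brand_domains:
        if levenshtein(registrable, brand.split(".")[0]) <= max_edits:
            return "Typosquatting"

    return "Other Unique Domains"


def tally(urls):
    """Percentage of URLs per category, rounded to one decimal, like the report's table."""
    counts = Counter(classify_url(u) for u in urls)
    total = sum(counts.values())
    return {cat: round(100.0 * n / total, 1) for cat, n in counts.items()}


# Constructed sample of phishing URLs (not taken from the report).
SAMPLE_URLS = [
    "http://203.0.113.45/login/index.php",
    "http://[2001:db8::10]/secure",
    "http://examplebank-secure.freehost.example/login",
    "http://examp1ebank.com/signin",
    "http://examplebnak.com/",
    "http://examplepay.co/verify",
    "http://randomsite.example/account/",
    "http://cdn-update.example.net/acct",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify_url(url):24} {url}")
    print(tally(SAMPLE_URLS))
```

The edit-distance check deliberately catches a digit-for-letter swap, a transposition and a changed TLD, which are the forms typosquatting usually takes; lookalike hosts that merely embed the brand in a longer name (such as the free-hosting sample) are reported under the hosting category, matching how the report separates the two.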

Organizations Spoofed in Phishing Attacks, by Industry

Information Services   36.3%
Banking                33.0%
E-Commerce             28.0%
Telecommunications     1.4%
Communications         0.46%
Retail                 0.44%
Government             0.37%
Insurance              0.021%
Retail Trade           0.014%
Security               0.011%
ISP                    0.002%

Malware Analysis

Email-borne Threats The global ratio of email-borne viruses in email traffic was one in 340.9 emails (0.293 percent) in July, a decrease of 0.023 percentage points since June.

In July, 26.5 percent of email-borne malware contained links to malicious Web sites, 1.5 percentage points higher than June.


Virus Rate: 1 in 340.9 (Last Month: 1 in 316.5; Six Month Avg.: 1 in 331.4)

Top 5 Geographies
Netherlands       1 in 82.2
United Kingdom    1 in 216.6
Luxembourg        1 in 260.9
Canada            1 in 275.0
South Africa      1 in 436.6

Top 5 Verticals
Public Sector     1 in 85.3
Education         1 in 210.6
Marketing/Media   1 in 252.5
Finance           1 in 301.8
Accom/Catering    1 in 306.6

By Horizontal (organization size)
1-250             1 in 404.4
251-500           1 in 472.0
501-1000          1 in 367.0
1001-1500         1 in 365.0
1501-2500         1 in 470.3
2501+             1 in 214.4

[Chart: email-borne virus rate trend, 2006–2012]

Sources, July 2012
United Kingdom    40.0%
United States     30.8%
Canada            6.5%
Brazil            3.2%
Sweden            3.0%
Australia         2.7%
Germany           2.3%
Hong Kong         2.0%
Netherlands       1.6%
South Africa      1.3%

The Netherlands remained the geography with the highest ratio of malicious email activity in July, with one in 82.2 emails identified as malicious.

In the UK, one in 216.6 emails was identified as malicious, compared with South Africa, where one in 436.6 emails was blocked as malicious. The virus rate for email-borne malware in the US was one in 553.3 and one in 275.0 in Canada. In Germany virus activity reached one in 433.3 and one in 486.4 in Denmark. In Australia, one in 634.5 emails was malicious. For Japan the rate was one in 2,083.7, compared with one in 902.3 in Singapore. In Brazil, one in 445.1 emails contained malicious content.

With one in 85.3 emails being blocked as malicious, the Public Sector remained the most targeted industry in July. The virus rate for the Chemical & Pharmaceutical sector reached one in 322.7 and one in 503.3 for the IT Services sector; one in 596.1 for Retail, one in 210.6 for Education and one in 301.8 for Finance.

Malicious email-borne attacks destined for small to medium-sized businesses (1-250) accounted for one in 404.4 emails, compared with one in 214.4 for large enterprises (2500+).


Frequently Blocked Email-borne Malware The table below shows the most frequently blocked email-borne malware for July, many of which relate to generic variants of malicious attachments and malicious hyperlinks distributed in emails. Approximately 42.7 percent of all email-borne malware was identified and blocked using generic detection.

Malware identified generically as aggressive strains of polymorphic malware accounted for 21.7 percent of all email-borne malware blocked in July.

Malware Name                           % Malware
W32/Bredolab.gen!eml.k                 15.91%
W32/Bredolab.gen!eml.j                 9.19%
Exploit/Link-generic-ee68              6.81%
Suspicious.JIT.a.dam                   2.33%
Link-Gen:Variant.Barys.1516.dam        1.92%
Link-Trojan.Script.BM-2afb             1.56%
Exploit/LinkAliasPostcard-b84d         1.51%
Packed.Generic-6f41-88f2               1.47%
Packed.Modified.UPX-ff98-3ec6          1.39%
W32/Netsky.c-mm                        1.24%

The top-ten list of most frequently blocked malware accounted for approximately 43.3% of all email-borne malware blocked in June.

Web-based Malware Threats In July, Symantec Intelligence identified an average of 2,189 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 4.0 percent since June. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity.

As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 53.5 percent of all malicious domains blocked were new in July; a decrease of 9.4 percentage points compared with June. Additionally, 12.1 percent of all Web-based malware blocked was new in July; a decrease of 0.9 percentage points since June.

Web Security Services Activity: New Malware Sites per Day
New sites with spyware        15/day
New sites with web viruses    2,174/day
Total                         2,189/day

[Chart: new malware sites blocked per day, 2008–2012]

The chart above shows the increase in the number of new spyware and adware Web sites blocked each day on average during July compared with the equivalent number of Web-based malware Web sites blocked each day.

Web Policy Risks from Inappropriate Use The most common trigger for policy-based filtering applied by Symantec Web Security.cloud for its business clients was the “Advertisements & Popups” category, which accounted for 34.5 percent of blocked Web activity in July. Web-based advertisements pose a potential risk through the use of “malvertisements,” or malicious advertisements. These may occur as the result of a legitimate online ad-provider being compromised and a banner ad being used to serve malware on an otherwise harmless Web site.


The second most frequently blocked traffic was categorized as Social Networking, accounting for 20.2 percent of URL-based filtering activity blocked, equivalent to approximately one in every 5 Web sites blocked. Many organizations allow access to social networking Web sites, but enable access logging so that usage patterns can be tracked, and in some cases implement policies that only permit access at certain times of the day and block access at all other times. This information is often used to address performance management issues, perhaps in the event of lost productivity due to social networking abuse.

Activity related to streaming media policies resulted in 9.2 percent of URL-based filtering blocks in June. Streaming media is increasingly popular when there are major sporting events or high profile international news stories. This activity often results in an increased number of blocks, as businesses seek to preserve valuable bandwidth for other purposes. This rate is equivalent to one in every 11 Web sites blocked.

Web Security Services Activity, July 2012

Policy-Based Filtering
Advertisement and Popups   34.5%
Social Networking          20.2%
Streaming Media            9.2%
Chat                       4.8%
Computing and Internet     4.1%
Hosting Sites              3.6%
Peer-To-Peer               3.6%
Search                     1.8%
Blogs                      1.7%
News                       1.7%

Web Viruses and Trojans
JS:Trojan.JS.Iframe.BO     17.0%
Trojan.JS.Agent.GLM        8.9%
Trojan.HTML.Redirector.AI  8.3%
Trojan.JS.Agent.GMZ        7.4%
Trojan.JS.Agent.GHP        6.8%
JS.Runfore                 6.7%
JS:Trojan.Crypt.EM         6.4%
Trojan.JS.Agent.GHF        2.7%
Trojan.Script.12023        2.1%
Trojan.Maljava             1.9%

Potentially Unwanted Programs
PUP:ActualSpy                        0.2%
PUP:Keylogger                        1.1%
PUP:Lop                              0.2%
PUP:9231                             2.9%
PUP:PigSearch                        0.4%
PUP:W32/SuperScan.A                  2.5%
PUP:Application.Heur.cmKfbiBPZXoO    1.6%
PUP:9746                             0.2%
PUP:Clkpotato!gen3                   5.6%
PUP:Ardakey                          1.4%

Endpoint Security Threats The endpoint is often the last line of defense and analysis; it can also be the first line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may be deployed, such as gateway filtering.

The table below shows the malware most frequently blocked targeting endpoint devices for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec Web Security.cloud or Symantec Email AntiVirus.cloud.

Malware Name [28]           % Malware
W32..AE                     6.12%
W32.Ramnit!html             4.68%
W32.Downadup.B              4.24%
W32.Ramnit.B                4.15%
W32.Ramnit.B!inf            3.06%
W32..CF                     1.89%
W32.Almanahe.B!inf          1.75%
W32.SillyFDC.BDP!lnk        1.71%
Trojan.Maljava              1.33%
W32.SillyFDC                1.22%

For much of 2012, variants of W32.Sality.AE [29] and W32.Ramnit [30] had been the most prevalent malicious threats blocked at the endpoint. Variants of W32.Ramnit accounted for approximately 12.1% of all malware blocked at the endpoint in June, compared with 6.8% for all variants of W32.Sality.

28 For further information on these threats, please visit: http://www.symantec.com/business/security_response/landing/threats.jsp


Approximately 33.6 percent of the most frequently blocked malware last month was identified and blocked using generic detection. Many new viruses and Trojans are based on earlier versions, where code has been copied or altered to create a new strain, or variant. Often these variants are created using toolkits and hundreds of thousands of variants can be created from the same piece of malware. This has become a popular tactic to evade signature-based detection, as each variant would traditionally need its own signature to be correctly identified and blocked.

By deploying techniques, such as heuristic analysis and generic detection, it’s possible to correctly identify and block several variants of the same malware families, as well as identify new forms of malicious code that seek to exploit certain vulnerabilities that can be identified generically.

29 http://www.symantec.com/security_response/writeup.jsp?docid=2006-011714-3948-99
30 http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99


About Symantec Intelligence Symantec Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. Symantec.cloud Intelligence publishes a range of information on global security threats based on data captured through a variety of sources, including the Symantec Global Intelligence Network, the Symantec Probe Network (a system of more than 5 million decoy accounts), Symantec.cloud and a number of other Symantec security technologies. Skeptic™, the Symantec.cloud proprietary technology, uses predictive analysis to detect new and sophisticated targeted threats, protecting more than 11 million end users at more than 55,000 organizations ranging from small businesses to the Fortune 500.

About Symantec Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

Copyright © 2012 Symantec Corporation. All Rights Reserved.

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the US and other countries. Other names may be trademarks of their respective owners.

NO WARRANTY. The information contained in this report is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. This report may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043.
