MESSAGELABS INTELLIGENCE

MESSAGELABS INTELLIGENCE MAY 2010

‘Behind the Scenes’ of Spam URLs; New Internet in Africa Attracts Spam; Soccer World Cup Themed

Welcome to the May edition of the MessageLabs Intelligence monthly report. This report provides the latest threat trends for May 2010 to keep you informed regarding the ongoing fight against viruses, spam, spyware and other unwelcome content.

REPORT HIGHLIGHTS

• Spam – 90.1% in May (an increase of 0.2 percentage points since April)
• Viruses – One in 211.6 emails in May contained malware (an increase of 0.18 percentage points since April)
• Phishing – One in 237.1 emails comprised a phishing attack (an increase of 0.2 percentage points since April)
• Malicious websites – 1,770 websites blocked per day (an increase of 5.6% since April)
• 32.1% of all malicious domains blocked were new in May (a decrease of 1.5 percentage points since April)
• 12.4% of all web-based malware blocked was new in May (an increase of 1.5 percentage points since April)

In this report:

• ‘Behind the Scenes’ of Spam URLs
• As Africa Welcomes Faster Internet Access, Botnets Move in to Capitalize
• Soccer World Cup Themed Malware
• Moving Endpoint Protection into the Cloud

www.messagelabs.com | info@messagelabs.com

REPORT ANALYSIS

‘Behind the Scenes’ of Spam URLs

The proportion of spam emails that include some form of URL or hyperlink has grown by one percentage point since 2009, from 91% in 2009 to 92% for 2010, to date.

Figure 1 - Proportion of spam containing a URL (chart: monthly values from April 2009 to May 2010, ranging between 85% and 95%)

This may not sound like much of a change, but nine out of 10 spam emails have some form of a hyperlink or URL contained in the message. Those that are left typically have attachments or may be classified as scams, such as advance-fee fraud 419 scams.

Analysis of the domains used to form these hyperlinks shows that some domains are used more frequently than others; many of these are actually legitimate and appear repeatedly. Others are registered and used within a few days for particular short-lived spam runs; these may be considered disposable domains.

Of the most frequently occurring domains found in spam URLs, the top four are legitimate and belong to major well-known websites used for social networking, blogging, file-sharing and other forms of user-generated content.

These legitimate services require CAPTCHAs to be solved or broken in order to create large numbers of accounts that are then used by the spammers. These accounts may be created in large volumes using CAPTCHA breaking tools traded on the underground economy.


Figure 2 - Proportion of spam URLs containing a legitimate domain (chart: monthly values from April 2009 to May 2010, ranging between 5% and 34%)

In May, between 10% and 30% of spam containing a URL link included at least one legitimate domain.

Further analysis of the domains used in the spam URL links enabled us to identify the IP address hosting the web content to which the URL pointed. Deeper analysis of these IP addresses revealed certain patterns within the Autonomous System Numbers (ASN), which uniquely identify each network on the internet. ASNs are globally unique and identify the routing policies for blocks of IP addresses and the ISPs to which they are allocated.

Where an AS number could be determined for a particular IP address, MessageLabs Intelligence identified that as few as five ASNs were responsible for hosting content for 42% of the disposable spam domains scrutinized during May. These were located in the following countries: United States (17% of all domains), China (13%), Ukraine (8%) and France (4%).

In May, 5% of all domains found in spam URLs belonged to genuine, or legitimate, web sites, whilst 95% were disposable. The legitimate domains tend to be recycled and used again and again, compared with the disposable domains that tend to be used for a very short period of time and then are never seen again.

For all disposable domains analyzed in May, the IP addresses were located in the following countries: United States (27% of disposable domains), Vietnam (16%), China (12%), Rep of Korea (5%) and Ukraine (5%).

This means that 56% of disposable spam domains are mapped to an IP address in one of the top three countries listed.


Which botnets have the largest number of domains?

Botnet         | % All Spam | % All Disposable Domains | % All Legitimate Domains | % Spam from Botnet Using Legitimate Domains | % Spam from Botnet Using Disposable Domains
Rustock        | 69.2%      | 69.8%                    | 63.4%                    | 8.0%                                        | 92.0%
Cutwail        | 12.2%      | 12.7%                    | 6.5%                     | 4.7%                                        | 95.3%
Grum           | 8.9%       | 8.4%                     | 13.9%                    | 13.7%                                       | 86.3%
Lethic         | 2.6%       | 2.6%                     | 2.7%                     | 9.0%                                        | 91.0%
Maazben        | 2.0%       | 2.2%                     | 0.0%                     | 0.0%                                        | 100.0%
Festi          | 1.6%       | 1.7%                     | 0.0%                     | 0.0%                                        | 100.0%
Storm          | 1.5%       | 0.6%                     | 11.0%                    | 65.1%                                       | 34.9%
[name missing] | 0.9%       | 1.0%                     | 0.2%                     | 1.9%                                        | 98.1%
Bobax          | 0.5%       | 0.4%                     | 1.4%                     | 26.9%                                       | 73.1%
Mega-D         | 0.2%       | 0.3%                     | 0.2%                     | 7.1%                                        | 92.9%
DarkMailer     | 0.2%       | 0.2%                     | 0.4%                     | 15.4%                                       | 84.6%
Gheg           | 0.1%       | 0.1%                     | 0.2%                     | 20.0%                                       | 80.0%
DonBot         | 0.1%       | 0.1%                     | 0.0%                     | 0.0%                                        | 100.0%
Xarvester      | 0.0%       | 0.0%                     | 0.0%                     | 0.0%                                        | 100.0%

Figure 3 – Top spam-sending botnets classified by domains used in spam

As can be seen in figure 3, most of the botnets listed use a combination of both legitimate and disposable domains. Rustock uses the greatest number of disposable domains, followed by Cutwail and Grum.

Storm, which has recently returned to the spamming scene, is the only botnet that uses legitimate domains in greater number than disposable domains, with 65% of spam from the botnet using a legitimate domain.

Rank | Domain
1    | speakclosed.com
2    | askdrlemay.com
3    | thewapdr.com
4    | easyas123meds.com
5    | eggpride.ru
6    | proveoxygen.ru
7    | promedinfo.com
8    | plumpduck.ru
9    | fishenough.ru
10   | loftymother.ru

Figure 4 – Top 10 disposable spam domains in May (ranked by frequency)

The table in figure 4 above shows the most frequently identified disposable domains found in spam URLs. Among legitimate domains, the most common are free image-hosting sites and URL-shortening services.

Based on the results in figure 4 above, MessageLabs Intelligence conducted further analysis on the most frequently identified disposable domain “speakclosed.com.”


This particular domain was registered on 27 April 2010, and spam which contained URLs featuring that domain was already being sent on the same day, accounting for 2.6% of all spam for that day. This highlighted the speed at which the spammers operated and suggested that the spam campaign had already been created before the domain was registered.

Figure 5 – Frequency of a typical spam URL found in all spam (chart: percentage of all spam, 0% to 12%, by day from 10 April to 10 May 2010; a vertical line marks the date the domain was registered)

The short vertical line in figure 5 marks the registration date of the disposable spam domain. It can be seen that the percentage of spam featuring that domain name in URLs increased in the days following its registration.

On the second day, the volume of spam containing URLs associated with this domain rose further, accounting for as much as 10% of all spam; a very large spam run. After the third day, the spam run subsided and disappeared altogether.

In total, spam containing the “speakclosed.com” domain lasted for three days, and unsurprisingly it was a pharmaceutical spam run, as can be seen in figures 6 and 7, below.

Figure 6 – Example of spam run featuring the “speakclosed.com” spam domain


Figure 7 – Speakclosed.com leads to a website selling a male enhancement product

MessageLabs Intelligence also analyzed the IP address to which the “speakclosed.com” domain resolved, and found it to be located in the Republic of Korea. With this IP address, we were also able to identify other disposable spam domains that resolved to the same IP and found many more domains, as many as 57, for this period alone.

MessageLabs Intelligence discovered that these domains were registered in batches, several each day, and that spam featuring all of these domains was sent from the . An example of some of these domains can be seen in figure 8.

Botnet  | Domain        | Date of Registration
Cutwail | bintiger.ru   | 12/04/2010
Cutwail | callcoil.ru   | 12/04/2010
Cutwail | checkstep.ru  | 12/04/2010
Cutwail | chevyrib.ru   | 12/04/2010
Cutwail | chokebake.ru  | 12/04/2010

Figure 8 – Five examples of spam domains that resolved to the same IP address

For all of the disposable domains analyzed in May, it was also possible to show their lifecycle based on the registration date of each domain. In figure 9 below, the chart shows the average time between registering a disposable domain and that domain being used in spam URLs.


Figure 9 – Average time between domain registration and use in spam URLs (chart: cumulative % of domains, 0% to 70%, against days since registration, 0 to 30)

Analysis of the age of these disposable spam domains and their use in spam over time revealed the following:

• 4.6% of disposable domains were registered and first used on the same day
• 14.4% used within 1 day
• 50% used within 9 days

Furthermore, the majority of spam featuring a given domain is sent two days after it was first registered; 11.6% of disposable domains were used the second day following registration.

Generally, any given disposable domain was being used with only one botnet, but occasionally spammers did appear to be using a single domain across multiple botnets. For example, 0.18% of disposable domains were used in spam runs from two or more botnets. Therefore it was unusual for spammers to use one domain in great volumes on multiple botnets.

When spam runs are clearly linked to the same spam gang using multiple botnets, it is more common for different domains to be registered for use by each botnet. In other words, a spam campaign may be sent from more than one botnet, but each botnet is allocated a particular URL for the spam it sends. Perhaps this is used in measurements by the spammers, in order to track the effectiveness of the campaign across each botnet.
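The measurements described above (days from registration to first use in spam URLs as in figure 9, domains shared across botnets, domains that resolve to the same IP as in figure 8, and ASN concentration) can be reproduced from a feed of observed spam domains. The following is an added example, not MessageLabs or Symantec code; the records, domain names, addresses and AS numbers are constructed for illustration.

```python
"""Disposable spam-domain lifecycle analysis.

Added example (not MessageLabs/Symantec code) reproducing the measurements the
report describes: days from registration to first use in spam URLs (Figure 9),
domains used by more than one botnet, domains that resolve to the same IP
(Figure 8) and how concentrated hosting is across a few ASNs. All records
below are constructed; names, addresses and AS numbers are invented.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class SpamDomain:
    name: str
    registered: date       # WHOIS creation date
    first_seen: date       # first day the domain appeared in a spam URL
    last_seen: date        # last day it appeared
    ip: str                # address the domain resolved to
    asn: int               # AS number announcing that address
    botnets: frozenset     # botnets observed sending URLs with this domain


# Constructed sample: .invalid names, RFC 5737 test addresses, private ASNs.
SAMPLE = [
    SpamDomain("dom-a.invalid", date(2010, 4, 27), date(2010, 4, 27), date(2010, 4, 29), "192.0.2.10", 64500, frozenset({"Rustock"})),
    SpamDomain("dom-b.invalid", date(2010, 4, 12), date(2010, 4, 14), date(2010, 4, 16), "192.0.2.10", 64500, frozenset({"Cutwail"})),
    SpamDomain("dom-c.invalid", date(2010, 4, 12), date(2010, 4, 14), date(2010, 4, 15), "192.0.2.10", 64500, frozenset({"Cutwail"})),
    SpamDomain("dom-d.invalid", date(2010, 4, 12), date(2010, 4, 21), date(2010, 4, 22), "192.0.2.10", 64500, frozenset({"Cutwail"})),
    SpamDomain("dom-e.invalid", date(2010, 4, 1), date(2010, 4, 2), date(2010, 4, 5), "198.51.100.7", 64501, frozenset({"Grum"})),
    SpamDomain("dom-f.invalid", date(2010, 4, 3), date(2010, 4, 15), date(2010, 4, 17), "198.51.100.7", 64501, frozenset({"Grum", "Rustock"})),
    SpamDomain("dom-g.invalid", date(2010, 4, 5), date(2010, 4, 7), date(2010, 4, 8), "203.0.113.3", 64502, frozenset({"Lethic"})),
    SpamDomain("dom-h.invalid", date(2010, 4, 1), date(2010, 4, 25), date(2010, 4, 26), "203.0.113.4", 64503, frozenset({"Bobax"})),
    SpamDomain("dom-i.invalid", date(2010, 4, 10), date(2010, 4, 19), date(2010, 4, 20), "203.0.113.5", 64504, frozenset({"Mega-D"})),
    SpamDomain("dom-j.invalid", date(2010, 4, 20), date(2010, 4, 20), date(2010, 4, 21), "203.0.113.6", 64505, frozenset({"Storm"})),
]


def days_to_first_use(d: SpamDomain) -> int:
    """Days between registration and the domain's first appearance in spam."""
    return (d.first_seen - d.registered).days


def fraction_used_within(domains, days: int) -> float:
    """Cumulative share of domains first used within `days` of registration."""
    hits = sum(1 for d in domains if 0 <= days_to_first_use(d) <= days)
    return hits / len(domains)


def fraction_used_on_day(domains, day: int) -> float:
    """Share of domains first used exactly `day` days after registration."""
    return sum(1 for d in domains if days_to_first_use(d) == day) / len(domains)


def lifecycle_curve(domains, max_days: int = 30) -> dict:
    """Cumulative distribution for day 0..max_days, the curve plotted in Figure 9."""
    return {k: fraction_used_within(domains, k) for k in range(max_days + 1)}


def median_days_to_use(domains) -> float:
    """Day by which half of the domains have been used (the report's '50% within 9 days')."""
    return median(days_to_first_use(d) for d in domains)


def multi_botnet_fraction(domains) -> float:
    """Share of domains seen in spam from two or more botnets."""
    return sum(1 for d in domains if len(d.botnets) >= 2) / len(domains)


def domains_sharing_ip(domains, ip: str) -> list:
    """Other disposable domains hosted on the same address (the Figure 8 pivot)."""
    return sorted(d.name for d in domains if d.ip == ip)


def top_asn_share(domains, n: int = 5) -> tuple:
    """The n ASNs hosting the most domains and the share of all domains they host."""
    counts = Counter(d.asn for d in domains)
    top = counts.most_common(n)
    return [asn for asn, _ in top], sum(c for _, c in top) / len(domains)


if __name__ == "__main__":
    curve = lifecycle_curve(SAMPLE)
    for day in (0, 1, 2, 9):
        print(f"used within {day:>2} day(s): {curve[day]:.1%}")
    print("median days to first use:", median_days_to_use(SAMPLE))
    print("domains on 192.0.2.10:", domains_sharing_ip(SAMPLE, "192.0.2.10"))
    asns, share = top_asn_share(SAMPLE, 2)
    print(f"top ASNs {asns} host {share:.0%} of sampled domains")
```

Feeding real registration and first-seen dates into the same functions gives the cumulative curve of figure 9 directly, and grouping by resolved IP is the pivot that turned one domain into the batch of 57 described above.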

As Africa Welcomes Faster Internet Access, Botnets Move in to Capitalize

MessageLabs Intelligence has been tracking spam activity from Africa very closely during the last 12 months, particularly in East Africa.

Background – Africa gets connected

During the first half of 2009, an 8,400 km length of submarine fibre-optic cable was laid along the seabed, stretching from Ras Sidr in Egypt, around the Horn of Africa, and down to Mtunzini, a small coastal town in South Africa. Along the way, branches split off into Djibouti, Kenya, Tanzania, Madagascar and Mozambique. It will deliver up to 1.28 terabits per second of bandwidth into these countries at just a tenth of the cost of current capacity.


This new cable plugged the eastern region of Africa into high speed Internet access on 23rd July 2009, providing an alternative to expensive satellite connections.

The new connection will allow this portion of Africa much better connectivity to other countries on the internet. Whilst this will bring many exciting opportunities for users in these countries, it also presents many dangers. With floods of users gaining much faster access to the internet, or accessing the internet for the first time, often with little awareness or protection, there is great potential for malware, including botnets, to take advantage.

From an article by hostexploit.com (link below), Franz-Stefan Gady, an organizer of a major cyber security summit, says “About 80% of the African population lacks even rudimentary knowledge of information technologies, according to a recent World Bank survey. Though Internet cafes are widespread, providers often cannot afford proper antivirus software, making computers very easy targets for skilled botnet operators and hackers.”

History of spam from Africa

Since July 2009, we expected to see spam and the growth of bots in countries in the eastern region of Africa and adjacent to the Indian Ocean, as attackers sought to infect new broadband users, and make use of that connection to send spam to unfortunate recipients all over the world. Well, what have we seen?

To answer this question, we divided all African countries into two groups: countries that are in the eastern region of Africa or adjacent to the Indian Ocean and likely customers of the new cable (sample Group A) and countries that are not (sample Group B).

Group A- African countries served by the cable: Botswana, Burundi, Djibouti, Eritrea, Ethiopia, Kenya, Lesotho, Madagascar, Malawi, Mauritius, Mozambique, Rwanda, Seychelles, Somalia, South Africa, Sudan, Swaziland, United Republic of Tanzania, Uganda, Zambia and Zimbabwe.

The map of Africa in figure 10 highlights the countries in orange.

Group B - African countries not directly served by the cable: Algeria, Angola, Benin, Burkina Faso, Cameroon, Cape Verde, Central African Republic, Chad, Congo, Cote d’Ivoire, Egypt, Equatorial Guinea, Gabon, Gambia, Ghana, Guinea, Guinea-Bissau, Liberia, Libyan Arab Jamahiriya, Mali, Mauritania, Morocco, Namibia, Niger, Nigeria, Sao Tome and Principe, Senegal, Sierra Leone, Togo and Tunisia.


Figure 10 – Map showing eastern region countries likely to be customers of the new cable

We have looked at what the contribution of spam sent from Africa has been to global spam over the last 12 months, and of that spam, what proportion can be attributed to each group. At this stage, we are not classifying botnet spam in particular, simply any spam sent from Africa.

Figure 11 – Spam originating from all African countries as a percentage of all spam (chart: monthly values, 0% to 3.5%, April 2009 to April 2010)

First, the proportion of global spam that comes from Africa has been increasing; in April 2009, it was just under 2% of global spam and by May 2010, Africa contributed to approximately 3% of global spam.

Although this may not sound like a large increase, Symantec estimates [1] that approximately 120 billion spam emails are sent each day globally; this volume has fluctuated only marginally over the past 12 months and an increase of 1% would reflect an extra 1.2 billion spam emails being sent from Africa every day, compared with 12 months ago. This represents a significant hike in spam output for Africa, considering the total volume circulating globally hasn’t really changed significantly.

How does the spam output of Group A compare with Group B? By far, Group B produces the majority of spam in Africa (86% in April 2009, mostly from Morocco, Egypt, Algeria – countries that likely benefit from better fiber connections with Europe across the Mediterranean), but over the last 12 months, this output has started to shift eastward, as can be seen in figure 12.

Figure 12 – Proportion of spam originating from Group A and Group B (chart: monthly proportions of spam from Africa, April 2009 to April 2010; Group A roughly 10% to 20%, Group B the remainder)

Over the last 12 months, the proportion of spam from Group A has been increasing from approximately 13% of all spam from Africa, to 19% of spam from Africa.

This shift means that the percentage of spam coming from Group B has been decreasing from 86% to about 80%. In terms of actual spam volumes, on average the volume of spam emerging out of Group A is 2.4 times higher than it was 12 months ago. So the volume of spam from this part of the world has at least doubled.

[1] http://www.symantec.com/business/security_response/landing/spam/index.jsp

Which countries are being used to generate this increase in spam? The continent’s spam output has shown a significant shift to the east, so it was important to identify from where the extra spam was being sent. In addressing this question, MessageLabs Intelligence identified more spam originating from Group A countries, but some countries stood out as having increased their output by more than the overall average for the group, which was 2.4 times. This can be clearly seen in figure 13, below.

Country      | % of Group A Spam, April 2009 | % of Group A Spam, April 2010 | Annual Spam Volume Change (April 2010 / April 2009)
South Africa | 47.5% | 38.3% | 2.0
Sudan        | 10.2% | 13.7% | 2.4
Mauritius    | 7.3%  | 4.5%  | 1.1
Kenya        | 12.9% | 21.5% | 7.2
Mozambique   | 3.2%  | 2.0%  | 0.7
Ethiopia     | 3.0%  | 1.6%  | 0.9
Tanzania     | 3.8%  | 5.0%  | 3.8
Uganda       | 2.8%  | 3.9%  | 5.7
Zimbabwe     | 0.8%  | 0.6%  | 1.0
Djibouti     | 0.7%  | 0.4%  | 0.6
Rwanda       | 1.9%  | 3.4%  | 6.3
Botswana     | 1.9%  | 0.9%  | 3.0
Zambia       | 1.4%  | 1.4%  | 4.5
Madagascar   | 0.9%  | 1.5%  | 4.8
Malawi       | 0.5%  | 0.8%  | 3.7
Burundi      | 0.1%  | 0.0%  | -
Swaziland    | 0.4%  | 0.1%  | -
Lesotho      | 0.3%  | 0.3%  | -
Eritrea      | 0.1%  | 0.1%  | -
Seychelles   | 0.1%  | 0.2%  | -
Somalia      | 0.1%  | 0.0%  | -

Figure 13 – Comparative growth rates in spam originating from Group A

South Africa is clearly the sender of the most spam in Group A. It has a large population (approximately 50 million), plenty of internet users (about 4 to 5 million in 2008) and is served by a fiber cable which runs on the west coast of Africa and a deep ocean cable connection directly to Europe. During the last 12 months its spam output has doubled, but many other countries have increased their output much more.

Despite doubling its spam output, South Africa has gone from sending 46% of Group A’s spam, to 38%. It still sends a significant proportion of spam from Group A, in fact it is the biggest sender in the group, but clearly other countries must have changed in a big way to steal so much of South Africa’s share.

The real meteoric rise has come from Kenya. Kenya has a population of about 40 million, and had about 3 million internet users in 2008. Twelve months ago, Kenya was the fourth biggest sender of spam in Group A, sending just one-sixth of the volume sent from South Africa, 7% of Group A’s spam. In the last 12 months, Kenya has increased its spam output by an incredible 7.2 times. Although it sends only half the volume that South Africa sends, it now represents a much bigger proportion of spam; responsible for 21% of Group A’s spam.

The table in figure 13 above shows that a number of other Group A countries besides Kenya, most notably Rwanda and Uganda, have increased their spam output significantly, to 6.3 times and 5.7 times respectively the amount that was being sent 12 months ago.

So what is producing this widespread increase in spam? Historically, broadband adoption in a particular area triggers an increase in botnets in a particular area.

Accordingly, the new undersea fiber optic cable along the east coast has enabled rapid growth in the number of users obtaining high-speed connections to the internet, with little or no protection or awareness. This is a great opportunity for attackers to infect new machines, create new bots, and increase the overall number of bots in the region. And more bots result in more spam being sent.

Is it possible to identify the spam-sending botnets involved? First, MessageLabs Intelligence analyzed which botnets have a presence in Africa’s eastern region and how that has changed over the last 12 months.

In April 2009, the dominant botnets in that region were Cutwail, Mega-D, Xarvester, Donbot and Bagle. Between them, they sent more than three quarters of spam from East Africa. Spam from a non-botnet source accounted for 15% of spam. So a total of 85% of spam came from a botnet.

By May 2010, the dominant botnets were Grum, Rustock, Bagle, Cutwail, and Bobax - these accounted for three quarters of spam; quite a different picture. Spam from a non-botnet source has also fallen to 10%. So 90% of spam from the eastern region now comes from a botnet.


In April 2010, there were 19 different heavyweight spam-sending botnets operating out of the eastern region of Africa, versus 13 from April 2009.

Botnet     | Annual Spam Volume Change (April 2010 / April 2009)
Grum       | 94.50
Bobax      | 65.00
Rustock    | 18.25
Bagle      | 8.63
Non-Botnet | 1.43
Gheg       | 1.00
Lethic     | new
Maazben    | new
Festi      | new
Reposin    | new
Mega-D     | 0.47
Cutwail    | 0.38
Xarvester  | 0.17
DonBot     | 0.05

Figure 14 – Comparative growth rates for botnet spam originating from Group A

Not only are there more botnets, but some botnets have shown a remarkable increase in their presence in the eastern region of Africa. For example, Grum was sending 95 times as much spam from the region in May 2010, as it was in April 2009. Bobax was sending 65 times as much; Rustock 18 times as much and Bagle eight times as much. However, Cutwail, Mega-D, Xarvester and Donbot were all sending less spam than they were one year ago. During the past 12 months, a number of new botnets have also appeared, including: Lethic, Maazben, Festi and Resposin.

It is clear that things have changed: Some botnets have arrived, some have faded, but overall the eastern region countries are sending more spam, and countries such as Kenya, Rwanda and Uganda are sending much, much more. In South Africa, Kenya, Rwanda and Uganda, the number of heavyweight botnets from which we see spam being sent has doubled in each country.

Grum, Bobax, Rustock and Bagle are firmly in charge; it is almost certain they have increased the amount of spam sent from the region, by infecting new broadband users, and creating more bots, rather than just sending more spam with the bots they already had there last year.

Other references of interest on this topic

Below are some informative articles on Africa’s new internet connection, and the potential increase in malicious activity that could result from it:

• How to network a continent (wired.co.uk): http://bit.ly/1PDMPY
• Cable makes big promises for African Internet (cnn.com): http://bit.ly/dsCONb
• Africa's Cyber WMD (foreignpolicy.com): http://bit.ly/bJACkW
• Are Computers In Africa Really Weapons Of Mass Destruction? (hostexploit.com): http://bit.ly/bDKzeZ

Soccer World Cup Themed Malware

The soccer World Cup competition is due to begin in South Africa in June 2010, and MessageLabs Intelligence has been tracking activity around this topic since the end of 2009. Much of this activity has been related to scams and spam emails, but in May, a malware attack featuring the theme of the competition was discovered.

As can be seen in figure 15, the email was composed in Portuguese and contained the branding of one of the major sponsors of the forthcoming competition.

Figure 15 – Email using the theme of the World Cup

Further analysis identified that although the email attempted to spoof a well-known US soft drink brand, it had actually been sent from an IP address in Macau, a special administrative region of China.

The malware, if downloaded and activated, dropped two files and generated a few pop-up messages. In the background it collected information about the other machines on the same network; the dropped files were used to steal data and to give a remote attacker further access to the compromised computer.

Figure 16 – Additional files dropped by the malware


Moving Endpoint Protection into the Cloud

With the launch of the Symantec Hosted Endpoint Protection Service in May, MessageLabs Intelligence will begin to build a comprehensive source of information relating to a wider range of endpoint security threats including unsecured USB devices, network threats and other attacks against the endpoint that originate from sources other than email, the web and instant messaging. This will enable MessageLabs Intelligence to build an even more detailed picture of the threat landscape.

Web-based attacks are now the most common means of infection. Of the most frequently targeted application vulnerabilities in 2009, four out of the top five that were being exploited were client-side vulnerabilities and these were frequently targeted by web-based attacks.

However, attacks against software applications are not necessarily driven by the number of vulnerabilities in a given application, but by its market share and the availability of exploit code that targets those vulnerabilities. In 2009, Symantec [2] documented 321 vulnerabilities affecting plug-ins for web browsers. Browser plug-ins run inside a web browser and extend its features, typically to allow additional multimedia content from the web to be displayed in the browser. They can also provide execution environments that allow other applications to be run inside the browser. Browser plug-in vulnerabilities are therefore used in a range of client-side attacks.

The most frequently abused web-based attacks in 2009 were associated with malicious PDF activity, and these accounted for 49% of the total number of attacks.

Vulnerabilities are certainly a major concern for many organizations, and perhaps more dangerous is the threat from a “zero-day” vulnerability. A zero-day vulnerability is one that appears to have been exploited in the wild prior to being publicly known or patched. It may not even have been known to the affected vendor before being exploited, hence there may be a delay before any patch is made available. In the absence of available patches, zero-day vulnerabilities represent a serious threat, and in many cases they are more likely to evade signature-based detection. In 2009, Symantec documented 12 zero-day vulnerabilities, compared with nine zero-day vulnerabilities in 2008. MessageLabs Intelligence reported [3] an example of such a threat in its January 2010 Report.

Moreover, the prevalence of USB drives and other portable storage devices means that organizations are still not safe from accidental or intentional internal infection. Malware spreading via USB storage devices is able to infect an entire organization, steal personal data, login details and passwords and other account information before sending it to an attacker. Compounding these issues, organizations must also support a growing mobile workforce with employees working not just from home, but also from wireless hot-spots or other insecure public networks.

[2] Symantec Threat Report: April 2010 - http://www.symantec.com/business/theme.jsp?themeid=threatreport
[3] MessageLabs Intelligence January 2010 - http://www.messagelabs.co.uk/mlireport/MLI_2010_01_Jan_FINAL_EN.pdf

Once the endpoint moves outside the walls of the corporate network, the additional layers of security provided by the organization are often lost. This leaves the single endpoint agent doing the same job as a wide variety of devices on the corporate network. In this report, MessageLabs Intelligence has for the first time included analysis of the latest endpoint threats blocked for the last month.

For more information on the new Symantec Hosted Endpoint Protection service, please visit www.messagelabs.com/hep.


GLOBAL TRENDS & CONTENT ANALYSIS

Symantec Hosted Services is focused on identifying, detecting and averting unwanted Internet threats such as viruses, spam, spyware and other inappropriate content. The intelligence collected from the billions of messages and millions of threats processed each day forms one of the most comprehensive and up-to-date knowledge bases of Internet threats in the world.

Skeptic™ Anti-Spam Protection: In May 2010, the global ratio of spam in email traffic increased by 0.3 percentage points since April to 90.2% (1 in 1.11 emails).

Spam Rate, May 2010: 90.2% (last month: 89.9%; six-month average: 87.6%)

Top 5 Geographies     | Top 5 Verticals        | By Horizontal (company size)
Hungary 95.4%         | Engineering 95.1%      | 1-250: 89.7%
Italy 94.7%           | Automotive 93.3%       | 251-500: 90.1%
Luxembourg 93.5%      | Accom/Catering 91.5%   | 501-1000: 90.5%
Denmark 93.4%         | Marketing/Media 91.4%  | 1001-1500: 90.8%
Israel 93.0%          | Manufacturing 91.1%    | 1501-2500: 91.6%
                      |                        | 2501+: 90.2%

(Chart: global spam rate, 2005 to May 2010.)

The spam level in Hungary rose to 95.4% of email traffic during May, making it the most spammed country. In the US, 90.5% of email was spam and 89.4% in Canada. The spam level in the UK was 89.6%. In The Netherlands, spam accounted for 91.1% of email traffic, 91.8% in Germany and 89.5% in Australia. In Hong Kong, 91.5% of email was blocked as spam and 87.8% in Singapore, compared with 87.7% in Japan and 92.4% in China.

In May, the most spammed industry sector with a spam rate of 95.1% was the Engineering sector. Spam levels for the Education sector reached 91.0% and 90.8% for the Chemical & Pharmaceutical sector; 90.7% for IT Services, 90.7% for Retail, 89.2% for Public Sector and 88.5% for Finance.

Skeptic™ Anti-Virus and Trojan Protection: The global ratio of email-borne viruses in email traffic was 1 in 211.6 emails (0.473%) in May, an increase of 0.18 percentage points since April.

In May, 22.6% of email-borne malware contained links to malicious websites, a decrease of 6.3 percentage points since April.

Virus Rate, May 2010: 1 in 211.6 (last month: 1 in 340.7; six-month average: 1 in 295.2)

Top 5 Geographies        | Top 5 Verticals               | By Horizontal (company size)
Taiwan 1 in 59.8         | Gov/Public Sector 1 in 74.2   | 1-250: 1 in 231.5
United Kingdom 1 in 114.2| Education 1 in 109.2          | 251-500: 1 in 235.8
Austria 1 in 149.3       | Prof Services 1 in 130.0      | 501-1000: 1 in 137.9
China 1 in 149.6         | Marketing/Media 1 in 130.8    | 1001-1500: 1 in 273.7
Germany 1 in 160.9       | IT Services 1 in 187.5        | 1501-2500: 1 in 168.3
                         |                               | 2501+: 1 in 206.2

(Chart: global email-borne virus rate, 2005 to May 2010.)

In May, 1 in 59.8 emails destined for Taiwan was blocked as malicious, maintaining its position as the country most targeted by email-borne malware. The virus levels for email malware in the US were 1 in 339.7 and 1 in 230.9 for Canada. In Germany virus activity reached 1 in 160.9 and in The Netherlands was 1 in 610.5. In Australia, 1 in 343.2 emails were malicious and 1 in 203.4 in Hong Kong; for Japan it was 1 in 218.2, compared with 1 in 464.7 in Singapore.

The Public Sector retained its position as the most targeted industry in May, with 1 in 74.2 emails being blocked as malicious. Virus levels for the Chemical & Pharmaceutical sector were 1 in 262.7 and 1 in 187.5 for the IT Services sector; 1 in 374.2 for Retail, 1 in 109.2 for Education and 1 in 272.9 for Finance.

The table below shows the most frequently blocked email-borne malware for May.

Malware                          | % of blocked email-borne malware
Exploit/MimeBoundary003          | 9.9%
Trojan.Bredolab                  | 6.0%
Exploit/Fraud‐AccUpdate          | 3.4%
Trojan.Bredolab!eml              | 3.1%
Exploit/LinkAliasPostcard‐72a5   | 3.1%
Link‐W32/NewMalware‐bc37         | 3.1%
Exploit/LinkAliasPostcard‐74a5   | 3.0%
Gen:Variant.Bredo.4              | 2.5%
W32/Prolaco‐gen‐4b33             | 2.4%
Trojan.Sasf s.dam                | 2.3%

Phishing: In May, phishing activity rose by 0.2 percentage points since April; 1 in 237.1 emails (0.42%) comprised some form of phishing attack. When judged as a proportion of all email-borne threats intercepted in May, including viruses and Trojans, the proportion of phishing emails rose by 10.3 percentage points to 80.6% of all email-borne malware and phishing threats combined.

Phishing Rate: 1 in 237.1 (Last Month: 1 in 455.2; Six Month Avg.: 1 in 427.8)

Top 5 Geographies             Top 5 Verticals                 By Horizontal
United Kingdom   1 in 121.8   Gov/Public Sector  1 in 81.3    1-250       1 in 236.4
Austria          1 in 187.1   Education          1 in 129.1   251-500     1 in 288.2
Germany          1 in 198.4   Marketing/Media    1 in 150.7   501-1000    1 in 158.0
Russia           1 in 201.2   Prof Services      1 in 151.6   1001-1500   1 in 344.0
China            1 in 208.3   IT Services        1 in 234.4   1501-2500   1 in 207.9
                                                              2501+       1 in 250.3

[Figure: phishing rate trend, 2005 to 2010; May 2010: 1 in 237.1]

The greatest proportion of phishing attacks were directed at the UK in May, guaranteeing its position at the top of the table with 1 in 121.8 emails comprising a phishing attack. Phishing levels for the US were 1 in 439.0 and 1 in 354.6 for Canada. In Germany phishing levels were 1 in 198.4 and 1 in 908.9 in The Netherlands. In Australia, phishing activity accounted for 1 in 448.1 emails and 1 in 281.7 in Hong Kong; for Japan it was 1 in 266.8 and 1 in 1,200 for Singapore.


The Public Sector continued its reign as the most phished sector in May, with 1 in 81.3 emails comprising a phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 354.1 and 1 in 234.4 for the IT Services sector; 1 in 454.4 for Retail, 1 in 129.1 for Education and 1 in 286.0 for Finance.

Skeptic™ Web Security Version 2.0: In May, MessageLabs Intelligence identified an average of 1,770 websites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 5.6% since April.

Further analysis also reveals that 32.1% of all malicious domains blocked were new in May; a decrease of 1.5 percentage points compared with April. Additionally, 12.4% of all web-based malware blocked was new in May; an increase of 1.5 percentage points since the previous month.

Web Security Services (Version 2.0) Activity: New Malware Sites per Day

[Figure: monthly series ending May 2010. New sites with web viruses: 1,456/day; new sites with spyware: 314/day; total: 1,770/day]

The chart above shows the increase in the number of new spyware and adware websites blocked each day on average during May compared with the equivalent number of web-based malware websites blocked each day.

The most common trigger for policy-based filtering applied by the MessageLabs Hosted Web Security Service for its business clients was the “Advertisements & Popups” category, down by 2.9 percentage points since April, to 49.1% in May. The largest increase in policy blocks, of 1.14 percentage points, was for the “Search Engines” category.

Web Security Services (Version 2.0) Activity:

Policy-Based Filtering              Web Viruses and Trojans            Potentially Unwanted Programs
Advertisements & Popups   49.1%     Trojan.Win32.VB.aebp       1.3%    PUP:Lop                          33.4%
Streaming Media           10.5%     Trojan.Zbot!gen2           0.9%    PUP:NetTool.Win32.Proxy.g        25.1%
Personals & Dating         4.6%     PHP.Backdoor.Trojan        0.7%    PUP:ZangoSearch                   8.1%
Downloads                  4.4%     Trojan.JS.Pakes.br         0.5%    PUP:PSWTool.Win32.IEPassView.l    6.4%
Search Engines             4.0%     Trojan-Downloader.JS..a    0.5%    PUP:Win32.FunWeb.di               4.3%
Games                      3.7%     Backdoor.Trojan            0.4%    PUP:Savenow                       2.8%
Unclassified               3.5%     New Unclassified Worm      0.4%    PUP:Win32.BHO.lku                 2.6%
Blogs & Forums             3.2%     New Unclassified Trojan    0.4%    PUP:Win32.FunWeb.ds               1.7%
Computing & Internet       3.0%     Exploit/Phishing-hmrc-ee11 0.4%    PUP:Win32.FunWeb.cl               0.8%
Adult/Sexually Explicit    2.0%     Backdoor.Tidserv           0.3%    PUP:Win32.FunWeb.cw               0.7%

The “Unclassified” category identifies new and previously uncategorized websites. While these websites can be used for disreputable purposes, such as hosting phishing and spam sites, they may also be new sites and domains set up by legitimate organizations in the process of being categorized.

The proportion of websites blocked in the “Unclassified” category decreased by 0.17 percentage points in May, to 3.5%. Customers are able to adopt a more flexible approach to how these websites are treated, since all content downloaded is scanned for malware by a unique combination of commercial anti-virus engines and Skeptic technology. This ensures that customers do not need to have a default block on these sites to maintain security, as may otherwise be the case.


Endpoint Protection: The endpoint is often the last line of defense and analysis. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering.

Malware may penetrate an organization in many ways, most notably through uncontrolled access to the Internet where employees may become targeted by a drive-by attack from a compromised website. Security countermeasures deployed on the endpoint are designed to block threats that may spread in a variety of ways, including malware such as Trojan horses and worms that spread by copying themselves to removable drives. For example, “AutoRun” is a feature of Windows that allows an executable to be run when a removable drive is connected to a computer. Worms detected as W32.SillyFDC typically use this feature to spread.
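As an added example (not part of the original report), the check below parses an autorun.inf file and reports which directives would launch code when the drive is inserted or opened, which is the mechanism the paragraph above describes. The sample file content is constructed for illustration; the directive names are the standard Windows ones.

```python
import configparser
import io

# Constructed sample autorun.inf of the kind a removable-drive worm plants
# (illustrative only; not taken from any specific sample).
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Drive
"""

# Directives in [autorun] that cause code execution on insert/open.
EXEC_KEYS = ("open", "shellexecute")
EXEC_KEY_SUFFIX = "\\command"          # shell\<verb>\command=...
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")

def find_autorun_executables(inf_text: str) -> list[tuple[str, str]]:
    """Return (directive, target) pairs from [autorun] that launch something."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str           # keep directive case as written
    parser.read_file(io.StringIO(inf_text))
    if not parser.has_section("autorun"):
        return []
    findings = []
    for key, value in parser.items("autorun"):
        k = key.lower()
        if k in EXEC_KEYS or k.endswith(EXEC_KEY_SUFFIX):
            findings.append((key, value.strip()))
    return findings

def is_suspicious(inf_text: str) -> bool:
    """True when any directive points at an executable stored on the drive."""
    return any(target.lower().endswith(EXEC_EXTENSIONS)
               for _, target in find_autorun_executables(inf_text))

if __name__ == "__main__":
    for directive, target in find_autorun_executables(SAMPLE_AUTORUN_INF):
        print(f"{directive} -> {target}")
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN_INF))
```

A benign autorun.inf that only sets an icon and label yields no findings, so the same check distinguishes the two cases.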

MessageLabs Intelligence can now include the threats against endpoint devices following this month’s launch of its Hosted Endpoint Protection service. The table below shows malware most frequently blocked by Endpoint Protection for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec Hosted Services Web Security or Email Protect Services.

Malware                        Share
Malware blocked generically    15.03%
W32.Sality.AE                   9.63%
W32.Downadup.B                  4.53%
Downloader                      4.29%
W32.Mabezat.B                   4.28%
W32.!html                       3.86%
W32.SillyFDC                    3.67%
W32.Virut.CF                    3.38%
W32.Almanahe.B                  2.88%
Trojan.FakeAV                   2.60%
W32.Gammima.AG                  2.38%
Trojan.Malscript                1.32%
Infostealer.Gampass             1.21%

W32.Sality.AE is a virus that spreads by infecting executable files and attempts to download potentially malicious files from the Internet. The most frequently blocked malware for the last month was the Sality.AE virus. The main goal of Sality.AE is to download and install additional malicious software on a victim’s computer. The virus also prevents access to various security-related domains, stops security related services, and deletes security-related files. The virus also infects .EXE and .SCR files on a victim’s local drive as well as on any writable network resource. It spreads by copying itself to attached removable drives.

Many new viruses and Trojans are based on earlier versions, where code has been copied or altered to create a new strain, or variant. Often these variants are created using toolkits and hundreds or thousands of variants can be created from the same piece of malware. This has become a popular tactic to evade signature-based detection, as each variant would traditionally need its own signature to be correctly identified and blocked.


By employing techniques, such as heuristic analysis and generic detection, it is possible to correctly identify and block several variants of the same malware families, as well as identifying new forms of malicious code that seek to exploit certain vulnerabilities that can be identified generically. In the table above, malware blocked generically accounts for 23.18% of the most frequently blocked threats against the endpoint in the last month.


TRAFFIC MANAGEMENT

Traffic Management continues to reduce the overall message volume through techniques operating at the protocol level. Unwanted senders are identified and connections to the mail server are slowed down using features embedded in the TCP protocol. Incoming volumes of known spam are significantly slowed, while ensuring legitimate email is expedited.

In May, MessageLabs services processed an average of 12.7 billion SMTP connections per day, of which 60.9% were throttled back as a result of traffic management controls for traffic that was unequivocally malicious or unwanted. The remainder of these connections was subsequently processed by MessageLabs Connection Management controls and Skeptic™.

[Figure: proportion of inbound traffic dropped at each stage]

Traffic management         60.8% dropped at stage
Connection management      56.4% known bad messages dropped
User management             7.9% dropped
Skeptic Anti-virus          0.5% quarantined
Skeptic Anti-spam          37.9% malware and spam quarantined
Good mail delivered        clean mail delivered to clients

Connection Management

Connection Management is particularly effective in stopping directory harvest, brute force and email denial of service attacks, where unwanted senders send high volumes of messages to force spam into an organization or disrupt business communications. Connection Management works at the SMTP level using techniques that verify legitimate connections to the mail server, using SMTP Validation techniques. It is able to identify unwanted email originating from known spam and virus sending sources, where the source can unequivocally be identified as an open proxy or a botnet, and rejects the connection accordingly. In May, an average of 56.4% of inbound messages was intercepted from botnets and other known malicious sources and rejected as a consequence.

User Management

User Management uses Registered User Address Validation techniques to reduce the overall volume of emails for registered domains, by discarding connections for which the recipient addresses are identified as invalid or non-existent. In May, an average of 7.9% of inbound messages was identified as invalid; these were attempted directory attacks upon domains that were therefore prevented.
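The staged pipeline described in the Traffic Management, Connection Management and User Management sections, as an added example that is not the MessageLabs implementation: each inbound SMTP connection is handed to the first stage that can decide on it, and the per-stage counts give the kind of breakdown shown above. The reputation sets, registered-address list, HELO check and sample connections are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed reputation data and registered addresses (placeholders).
KNOWN_BAD_SOURCES = {"203.0.113.7", "198.51.100.22"}   # proven botnet / open proxy
THROTTLE_SOURCES = {"192.0.2.44"}                        # unwanted, slowed at TCP level
REGISTERED_USERS = {"example.org": {"alice", "bob"}}     # Registered User Address Validation

@dataclass(frozen=True)
class Connection:
    source_ip: str
    helo: str
    rcpt_to: str

@dataclass(frozen=True)
class Verdict:
    stage: str       # which layer decided
    action: str      # throttled / rejected / accepted
    smtp_reply: str  # what the sender would see

def valid_helo(name: str) -> bool:
    """Minimal SMTP validation: HELO must look like a qualified hostname."""
    return "." in name and " " not in name and not name.startswith(".")

def classify(conn: Connection) -> Verdict:
    # Stage 1, Traffic Management: slow the unwanted sender (modelled as a temp-fail).
    if conn.source_ip in THROTTLE_SOURCES:
        return Verdict("traffic_management", "throttled", "421 4.7.0 try again later")
    # Stage 2, Connection Management: source reputation plus SMTP validation.
    if conn.source_ip in KNOWN_BAD_SOURCES or not valid_helo(conn.helo):
        return Verdict("connection_management", "rejected", "554 5.7.1 connection refused")
    # Stage 3, User Management: drop recipients that do not exist in a registered domain.
    local, _, domain = conn.rcpt_to.rpartition("@")
    if domain in REGISTERED_USERS and local not in REGISTERED_USERS[domain]:
        return Verdict("user_management", "rejected", "550 5.1.1 user unknown")
    # Remaining traffic goes on to content scanning (Skeptic anti-virus / anti-spam).
    return Verdict("content_scanning", "accepted", "250 2.1.5 OK")

def summarize(conns: list[Connection]) -> Counter:
    """Count how many connections each stage disposed of."""
    return Counter(classify(c).stage for c in conns)

SAMPLE_CONNECTIONS = [  # constructed inbound connections
    Connection("192.0.2.44", "mail.example.net", "alice@example.org"),
    Connection("203.0.113.7", "mail.example.net", "bob@example.org"),
    Connection("198.51.100.22", "x", "bob@example.org"),
    Connection("192.0.2.10", "localhost", "alice@example.org"),
    Connection("192.0.2.10", "mx.partner.example", "carol@example.org"),
    Connection("192.0.2.10", "mx.partner.example", "alice@example.org"),
    Connection("192.0.2.11", "mx.partner.example", "bob@example.org"),
    Connection("192.0.2.12", "mx.partner.example", "dave@example.org"),
]
```

Recipients in domains that are not registered are not validated at stage 3, which mirrors the report's point that User Management applies to registered domains only.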


About MessageLabs Intelligence

MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence publishes a range of information on global security threats based on live data feeds from more than 14 data centers around the world scanning billions of messages and web pages each week. MessageLabs Team Skeptic™ comprises many world-renowned malware and spam experts, who have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day on behalf of 30,000 clients in more than 100 countries. More information is available at www.messagelabs.com/intelligence.

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

Copyright © 2010 Symantec Corporation. All Rights Reserved.

Symantec, the Symantec Logo and MessageLabs are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

NO WARRANTY. The information contained in this report is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. This report may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043.
