Advanced Threat Report 2H 2011


WHITE PAPER

FIREEYE ADVANCED THREAT REPORT 2H 2011

SECURITY REIMAGINED

FireEye Advanced Threat Report: 2H 2011
www.fireeye.com

CONTENTS

Inside This Report
Finding 1: The fastest growing malware categories in the second half of 2011 were PPI (pay per installs) and information stealers
Finding 2: Of the thousands of malware families, the “Top 50” generated 80% of successful malware infections
Finding 3: Over 95% of enterprise networks have a security gap despite $20B spent annually on IT security
Finding 4: Spear phishing attacks increase when enterprise security operations centers are lightly staffed or understaffed, particularly during holidays
Conclusions
Methodology
About FireEye

Inside This Report

The FireEye Advanced Threat Report for the second half of 2011 is based on research and trend analysis conducted by the FireEye Malware Intelligence Labs. This report provides an overview of advanced targeted attacks in the second half of 2011 and was developed to provide insights into the current threat landscape, evolving advanced persistent threat (APT) tactics, and the level of infiltration seen in organizational networks today. This is not a typical threat report with just tallies of the millions of well-known malware or billions of spam messages.

To complete the threat landscape picture, the FireEye Advanced Threat Report focuses on the threats that have successfully evaded traditional defenses. These are the unknown threats and advanced targeted attacks that are dynamic and stealthy. And, we have found that they are extremely effective at compromising organizations’ networks.

FireEye is in the unique position to illuminate this advanced targeted attack activity since our appliances are deployed in enterprises across the globe as the last line of network defense behind firewalls, IPS, and other security gateways. Given this unique position, we are able to share our findings on the advanced threats that routinely bypass signature-, reputation- and basic behavior-based technologies, the $20B spent on IT defenses each year.

This report dives into the FireEye Malware Intelligence Labs’ analysis of shared threat data from global deployments of FireEye Malware Protection Systems (MPS). This threat data is anonymized, real-time information shared by brand-name enterprises, government agencies, and educational institutions that subscribe to our Malware Protection Cloud (MPC).

Key Findings

1. The fastest growing malware categories in the second half of 2011 were PPI (pay per installs) and information stealers.
2. Of the thousands of malware families, the “Top 50” generated 80% of successful malware infections.
3. Over 95% of enterprise networks have a security gap despite $20B spent annually on IT security.
4. Spear phishing attacks increase when enterprise security operations centers are lightly staffed or understaffed, particularly during holidays.

Finding 1: The fastest growing malware categories in the second half of 2011 were PPI (pay per installs) and information stealers

The FireEye research team categorizes malware according to its primary purpose, but it is important to note that advanced malware often offers a combination of features. For instance, any malware seen stealing information from a compromised computer falls under the information stealer category, while malware programs that bypass security mechanisms to provide access to compromised machines are classified as a backdoor.

In the second half of 2011, pay-per-install (PPI) downloaders, worms, backdoors, and information stealers represented the four most prevalent categories of malware. PPIs are malware programs that charge a fee to download or distribute other malware programs. These programs differ from normal downloaders/droppers in that a PPI malware author gets paid for every successful install of another malware program. Of the top four malware categories, information stealers and backdoors present the greatest threat to enterprises.

Figure 1: Breakdown of second half of 2011 malware categories distribution

A special category called Bitcoin Miner has also been created since the FireEye Malware Protection Cloud (MPC) showed a phenomenal increase in this class of malware. Bitcoins are virtual currencies stored in “wallets” on users’ computers. This category of malware was seen stealing these wallets and uploading them to the attacker’s command and control servers. Although this malware can be categorized as an information stealer, we chose to separate it out to show its prevalence in the second half of 2011.

The majority of worm infections that we saw were attributed to machines infected with the Conficker worm. Even after 3 years, since it was first detected, Conficker still continues to remain one of the more popular worms infecting machines worldwide.

The graph below shows the most widespread information stealing malware that we observed during the second half of 2011.

Figure 2: Most popular information stealers in second half of 2011

Following are descriptions of several of these information stealing malware programs:

• Zbot saw an increase in newer variants in 2011. We speculate that the rise in different variants of Zeus is connected to the leak of its source code. Primarily a banking trojan, Zbot is a threat to small, medium, and large enterprises.

• Sality is a malicious program that has the ability to overwrite executable files. It is also known to contain Trojan components. Some variants of Sality also contain the ability to steal sensitive personal or financial data. In the FireEye MPC labs we saw that the use of Sality was almost as widespread as Zbot.

• LdPinch is a piece of malware that did not make it to the 1H 2011 Advanced Threat Report. In the latter half of 2011, we saw a tremendous increase in machines infected with LdPinch. The powerful program is capable of stealing account credentials from various services.

• Clampi is a Trojan capable of stealing users’ passwords and other sensitive financial information.

Finding 2: Of the thousands of malware families, the “Top 50” generated 80% of successful malware infections

In the second half of 2011, we saw that the top 50 malware families generated 80% of successful infections. Reviewing the top 50 malware families, we noticed that the more successful code bases have been optimized to be dynamic and deceptive.

We observed that very few malware families accounted for larger infection rates. 50% of the cases were attributed to malware families ranked 1 – 13 in the second half of 2011.

How do criminals make their malware and domains dynamic? Point-and-click Toolkits

This shift could indicate that the top ranked malware programs increasingly use advanced techniques to