Post on 18-Nov-2014
Internet Threats Trend Report
October 2011
The following is a condensed version of the October 2011 Commtouch
Internet Threats Trend Report
You can download the complete report at www.commtouch.com/threat-report-Oct2011
Copyright© 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.
1. Key Highlights
2. Trends: Malware, Spam, Web Security, Compromised Websites and Zombies
3. Feature: What is behind the huge return of email malware?
Key Highlights for Q3 2011
Key Security Highlights
Average daily spam/phishing emails sent: 93 billion
• Average daily spam continues to decline; lowest levels in years
Spam zombie daily turnover: 336,000 zombies
• Q3 saw a slight decline from the 377,000 in Q2
• (Zombie turnover is the number of zombies turned off and on daily)
Most popular blog topic on user generated content sites: Streaming media/downloads (24%)
• Streaming media & downloads increased its share to nearly one quarter of all UGC
• Includes sites with MP3 files or music related sites such as fan pages (these might also be categorized as entertainment)
Most popular spam topic: Pharmacy Ads (29%)
• After decreasing for 6 consecutive quarters, Pharmacy Ads increased 5% in Q3
Country with the most Zombies: India (18%)
• India continues to top the list in Q3
Website category most likely to be compromised with malware: Parked Domains
• “Pornographic and sexually explicit sites” (1st in Q2) was pushed into 3rd spot by “Parked Domains” and “Portals”
Feature…
What is behind the huge return of email malware?
• In August, Commtouch Labs registered major malware email outbreaks
• The following chart shows the scale of these attacks
Q3 Malware Trends
(Chart: Malware email levels, June to September 2011)
• Campaigns have been successful
• Infection rate generally linear
• More malware emailed = more infections
• Range of malware families detected in outbreaks
• Variants of Sasfis, SpyEye, Zeus, fake antivirus, and others
• In most cases the malware contacts external servers and downloads additional malware files to run on the infected machine
Analysis of August 2011 Outbreaks
At present, no clear reason for the build-up in bots:
1. No increase in spam
   • A common result of large malware outbreaks
2. Most of the malware seen is generally associated with specific attacks (e.g., Zeus – banking fraud)
   • So far, no increase in these attacks
Possible reasons for new bot network:
• Large scale banking fraud
• Facebook/Gmail/Yahoo account theft
• Distributed denial of service (DDoS)
• Other criminal activity
Top 10 Malware of Q3 2011
Rank Malware name
1 W32/Oficla.FO
2 W32/RAHack.A.gen!Eldorado
3 W32/Adware.PAP
4 W32/Sality.gen2
5 JS/Pdfka.BG
6 W32/Patched.G
7 W32/Damaged_File.B.gen!Eldorado
8 W32/Bredolab.AP.gen!Eldorado
9 W32/MalwareF.AFPRH
10 W32/Heuristic-210!Eldorado
Source: Commtouch
For a complete analysis of Malware in Q3 and the specific attacks employed, download the complete
October 2011 Internet Threats Trend Report www.commtouch.com/threat-report-Oct2011
Trends in Q3 2011…
Spam Trends
Q3 Spam Trends
• Spam levels remain at their lowest in years following the Rustock botnet takedown in March
• Aug and Sept attacks had no effect on spam levels
• Q3 average spam levels near 93 billion email messages/day
(Chart: daily spam levels, March to September 2011)
• Spam averaged 76% of all emails sent during Q3 (excluding emails with malware attachments)
Top Faked (Spoofed) Spam Sending Domains*
Source: Commtouch
* The domains that are used by spammers in the “from” field of the spam emails.
• Gmail.com once again the most spoofed domain
• 14th place again held by ups.com due to the very large numbers of fake UPS notification emails sent as part of the Q3 outbreaks
Compromised Accounts
• In addition to spoofed emails (shown above), a percentage of emails from Gmail, Hotmail and Yahoo come from genuine accounts – compromised accounts (though some are accounts specifically created by spammers for spamming)
• In the Q2 2011 Trend Report, Commtouch revealed an increased use of compromised accounts to spread spam (Compromised accounts offer several advantages, including the fact that they are difficult to block using IP reputation implemented by many anti-spam solutions)
Compromised Accounts: Analysis of spam “from” Gmail & Hotmail – Q2/Q3 2011
• Hotmail: 28-35% of the spam from Hotmail actually comes from compromised or spammer Hotmail accounts
• Gmail: Most Gmail Spam (96-97%) comes from zombies that simply forge Gmail addresses
• Q3 saw growth in use of Hotmail & Gmail compromised accounts in comparison to Q2
Source: Commtouch
Compromised Accounts Analysis
• Having observed greater use of compromised accounts, Commtouch undertook primary research into the use of these accounts for sending spam
• The research included the surveying of people whose accounts had been compromised
• Results confirm Commtouch observations with regard to the increased use of compromised accounts for sending spam
What Compromised Accounts Were Used For
• More than half of the accounts were used to send spam or scams
• 23% of respondents were not sure what their accounts were used for
• Compromised Facebook accounts were generally used to further the spread of malware or post links to marketing scam websites
Compromised Accounts Survey
Review the full survey report and find out…
1. Which accounts were affected
2. How accounts were compromised
3. Activity the account was used for (e.g., spam, scam, etc.)
4. How account owners found out
5. Action owners took to regain control of their account
Full results of the survey can be found at http://www.commtouch.com/hacked-accounts-report-Oct2011
Spam Topics
• Top topic “pharmacy spam” stopped its downward slide of the past six quarters, adding 5% to reach 29% of all spam
• “Enhancers” added 5 points, accounting for > 17% of spam
Source: Commtouch
Find out more about Spam Trends in Q3 by downloading the complete October 2011
Internet Threats Trend Report www.commtouch.com/threat-report-Oct2011
Trends in Q3 2011…
Web Security
Q3 Facebook Threats
Exploits in Q3 2011
Facebook continues to draw the attention of malware authors
August 2011 “Friend” malware
• A range of “friend request” emails were sent to draw recipients to download a banking Trojan
September 2011 “Like” Scams
How scams worked
The Trap: Offers to get “free” merchandise
“The First 50.000 participants Get an iPhone 4 for free”
“The first 25,000 that signup get a free pair of Beats by Dre headphones”
“The first 1,000 participants Will Get An Facebook Phone for Free”
“The First 25,000 Participants Will Get A Free Facebook Hoodie”
What Facebook users had to do:
Like several pages, provide their shipping addresses and forward the invite on to 100 or so friends (thus ensuring the spread of the scam)
Result: Pages liked by hundreds of thousands of users
Example of “Like” scam
How the Scammers Benefitted
Improved visibility/promotion of the scammer page:
• Like appears on the Liker’s Wall and may appear in News Feeds
• Liker displayed on the Page that was liked and in ads about the Page
• Liked Facebook Pages can post updates to the Liker’s News Feed or send them messages
• Liker’s connection to the page may also be shared with apps on the Facebook Platform
Also…
• Scammers got people’s shipping addresses (helpful in ID theft)
• “Facebook Hoodie” offer linked to an external site with further links to marketing scams, bringing the scammer per-click revenues
Q3 Web Security Threats
Learn more about other Web Security Threats in Q3:
• PHP Thumbs exploit
• Others
Download the complete October 2011 Internet Threats Trend Report for more details
www.commtouch.com/threat-report-Oct2011
Q3 Compromised Websites
Website categories infected with malware
Rank Category
1 Parked Domains
2 Portals
3 Pornography/Sexually Explicit
4 Education
5 Entertainment
6 Business
7 Computers & Technology
8 Health & Medicine
9 Shopping
10 Travel
Source: Commtouch
• Portals category includes sites offering free homepages, which are abused to host phishing and malware content or redirects to other sites with this content
• Pornographic and sexually explicit sites were pushed down to the 3rd spot by parked domains and portals (As noted in previous reports, the hosting of malware may well be the intention of the owners of the parked domains and pornography sites)
Website categories infected with phishing
Rank Category
1 Games
2 Portals
3 Shopping
4 Fashion & Beauty
5 Education
6 Sports
7 Leisure & Recreation
8 Business
9 Health & Medicine
10 Entertainment
Source: Commtouch
• This is an analysis of which categories of legitimate Web sites were most likely to be hiding phishing pages (usually without the knowledge of the site owner)
• Games retained its top ranking, as in Q2 2011
Trends in Q3 2011…
Zombie Trends
Q3 Zombie Trends
• Q3 saw an average turnover of 336,000 zombies each day that were newly activated for sending spam
• Slight decrease compared to the 377,000 from Q2
Daily Turnover of Zombies in Q3
Source: Commtouch
Q3 Zombie Trends
Worldwide Zombie Distribution in Q2
• India once again claimed the top zombie producer title, increasing its share to over 18%
• Brazil dropped to 3rd position, decreasing its share of the global zombie population by nearly 3%
• The US and Iran joined the top 15, displacing Poland and Italy
Source: Commtouch
Trends in Q3 2011…
Web 2.0 Trends
Q3 Web 2.0 Trends
• “Streaming media and downloads” was again the most popular blog or page topic in Q3 (up to 24% of all UGC)
Rank Category Percentage
1 Streaming Media & Downloads 24%
2 Entertainment 9%
3 Computers & Technology 8%
4 Pornography/Sexually Explicit 6%
5 Fashion & Beauty 5%
6 Religion 5%
7 Restaurants & Dining 5%
8 Arts 5%
9 Sports 4%
10 Education 4%
11 Leisure & Recreation 3%
12 Health & Medicine 3%
13 Games 3%
14 Sex Education 2%
Source: Commtouch
The streaming media & downloads category includes sites with MP3 files or music related sites such as fan pages (these might also be categorized as entertainment).
Review of Q3 2011
Timeline: July, August, September
• Spam ratio reaches low of 74%
• Email-malware outbreaks start
• 25 billion malware emails in one day
• Twitter notifications lead to spam
• Gap Athleta fake order malware
• Most spam per day: 120 billion; lowest spam per day: 64 billion
• PHP Thumbs Web exploit
• Right-to-Left override used in malware
• Android malware added to extended Wildlist
• Facebook friend notifications led to malware
• “map of love” email malware
• Facebook “like” scams
Source: Commtouch
Download the complete October 2011 Internet Threats Trend Report
at www.commtouch.com/threat-report-Oct2011
For more information contact: info@commtouch.com
650 864 2000 (Americas) +972 9 863 6895 (International)
Web: www.commtouch.com
Blog: http://blog.commtouch.com